Currently we forward nearly all of the firewall's logs to our syslog server, but the amount of irrelevant minutiae is over-whelming the syslog server.
Is there a best-practice for what information should be forwarded to syslog? I don't want to miss anything important but I ready want to eliminate the un-important.
Honestly that is a 'it depends' answer as every one has a different set of requirements and thing sthey alert on. We also send everything to our SIEM but so that it can be correlated with other logs and events. While some traffic may look beging, it could actually be malicious.
I know its not a great answer, but we scalled out SIEM to handel everything at only 60% capacity.
As @OtakarKlier mentioned this isn't something you could really make a best-practice on, as nobody has the same requirements. Personally, I like having all of the logs we can get into the SIEM and find it cheaper to just upgrade the device to function under the required load.
However, if your SIEM isn't able to handle that load you'll need to actually go through and determine the most important logs for your organization that you want to forward to your SIEM. That could mean that you only forward traffic for external access rules, or maybe access to your server infrastructure. That all depends on what your organizational needs are.
@fmurray , FYI.
I have just about everything going to syslog, including Global Protect. this is our corp policy and to do with legal stuff.
we have logrotate that zips files up and deletes them after a required ammount of time.
the information is quite overwhelming but with various scripts you can pull out the information you require.
very rarely use it for traffic reports but every month reports are run for GlobalProtect activity.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!