Best practice for logging

Jun 26th, 2010

Hi All,

I would like to know if there is any best practice document for Firewall logging. This would include

1. What level of logging is ideal

2. If a log is stored in a logging server, how long is it best to store the logs and retain the logs by a backup tape etc.

This can include for various industries like IT, Banking etc.

Any document pertaining to these would be helpful. Thanks in advance.

Regards,

Manoj

Ganesh Hariharan Sun, 06/27/2010 - 22:53

Manoj,

Check out the links below for best practices for logging and the prerequisites on Cisco devices.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#logbest

http://www.ciscopartner.biz/en/US/docs/security/asa/asa82/configuration/guide/monitor_syslog.html#wp1110908

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Panos Kampanakis Wed, 07/07/2010 - 10:51

1. Level 3, 4 (error, warnings) is the ideal. Levels 5-7 (notification, informational, debug) generate more logs and should be used in case you want to troubleshoot.

2. You should keep them as long as possible depending on your policies. Most companies keep the logs for about 6-12 months, but it really depends on the company. If your log load is not too much you can keep them for even longer.

I hope it helps.

PK

dvithoulkas Thu, 07/15/2010 - 03:25

For a firewall it is better to have informational if you have a solution like MARS.

For the logging retention, it depends on the country's laws and the company's policies.

I think 6 months is the least you should have.
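An added example, not part of the original thread: a way to measure the trade-off the replies describe, by counting messages per severity in a log sample and projecting the storage a retention period needs at each logging level. The log lines are constructed samples in the ASA `%ASA-<severity>-<message id>` format, and the function names and `SAMPLE_SECONDS` are assumptions made for the illustration.

```python
import re

# Constructed sample lines in Cisco ASA syslog format: %ASA-<severity>-<message id>.
SAMPLE = """\
Jul 07 2010 10:51:01 fw1 : %ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/443 to inside:10.0.0.5/51000
Jul 07 2010 10:51:02 fw1 : %ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.10/443 to inside:10.0.0.5/51000
Jul 07 2010 10:51:03 fw1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.0.0.5/22 by access-group "outside_in"
Jul 07 2010 10:51:04 fw1 : %ASA-5-111008: User 'admin' executed the 'write memory' command.
Jul 07 2010 10:51:05 fw1 : %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/4445 to outside:192.0.2.1/23
Jul 07 2010 10:51:06 fw1 : %ASA-6-302013: Built outbound TCP connection 102 for outside:203.0.113.10/443 to inside:10.0.0.6/51001
"""
SAMPLE_SECONDS = 6  # wall-clock span covered by the constructed sample (assumption)

NAMES = ["emergencies", "alerts", "critical", "errors",
         "warnings", "notifications", "informational", "debugging"]
ASA_TAG = re.compile(r"%ASA-([0-7])-\d{6}:")


def severity_profile(text):
    """Return {severity: [message count, bytes]} for every ASA-tagged line."""
    profile = {}
    for line in text.splitlines():
        m = ASA_TAG.search(line)
        if not m:
            continue  # not an ASA message; ignore it
        entry = profile.setdefault(int(m.group(1)), [0, 0])
        entry[0] += 1
        entry[1] += len(line.encode()) + 1  # +1 for the newline on disk
    return profile


def kept_at(profile, level):
    """Messages and bytes stored when the logging level is `level` (keeps 0..level)."""
    kept = [v for sev, v in profile.items() if sev <= level]
    return sum(v[0] for v in kept), sum(v[1] for v in kept)


def retention_bytes(profile, level, sample_seconds, days):
    """Project storage for `days`, assuming the sample rate is representative."""
    return kept_at(profile, level)[1] * 86400 * days // sample_seconds


if __name__ == "__main__":
    prof = severity_profile(SAMPLE)
    for level in (3, 4, 6):
        msgs, _ = kept_at(prof, level)
        size = retention_bytes(prof, level, SAMPLE_SECONDS, 180)
        print(f"level {level} ({NAMES[level]}): {msgs} msgs in sample, "
              f"~{size / 1e6:.1f} MB for 180 days")
```

Run it against a day of real syslog output captured at the informational level to see what dropping to warnings would save, and what it would hide (connection build and teardown records are severity 6).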
