Best practice for logging

Unanswered Question
Jun 26th, 2010

Hi All,

I would like to know if there is any best practice document for Firewall logging. This would include

1. What level of logging is ideal

2. If logs are stored on a logging server, how long is it best to keep them, and how long to retain them on backup tape, etc.

This could cover various industries, such as IT, banking, etc.

Any document pertaining to these would be helpful. Thanks in advance.

Regards,

Manoj

Kevin Redmon Wed, 06/30/2010 - 05:51

Manoj,

The only link that I could find on Cisco's Logging Best Practices is here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#logbest

Note - this link refers to an IOS device, but many of the guidelines transfer nicely to the ASA/PIX/FWSM. The two items at this link that I feel are quite important are synchronizing the time between all of your network devices (possibly via NTP) and leveraging the timestamp feature on your syslogs ('logging timestamp' in the firewall realm).

In general, depending on your main goal for logging (troubleshooting, network access logs, etc.), regardless of industry, you will inevitably need to determine the appropriate logging level for that purpose and your network. Even within a particular logging level, you will inevitably find syslogs that are NOT useful to you while finding other syslogs in lower logging levels that ARE useful.

You can customize your logging experience on the ASA/PIX/FWSM by enabling/disabling certain syslogs, escalating those syslogs that are more important (to you) than the default logging level, and creating logging lists. Also, don't forget that logging locally on the device via the "buffered" keyword will be useful for immediate troubleshooting, while remote logging for historical purposes may be useful to correlate network access (i.e., which host went where and when). With this being said, you will most likely have a different logging level depending on the logging destination. The

I've provided a link below for the various 'logging' commands for the ASA, although many of these commands are the same on other firewall platforms:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html

Here is also a list of the current log messages available on ASA 8.2:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html

As for how long you decide to keep the logging backups, that will depend on your company's security policy and/or local laws and regulations.

Hope this helps,

Kevin
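As an added illustration of the points in the reply above (this is not configuration from the thread or from Cisco's documents), the stanza below shows how the individual pieces fit together on an ASA 8.2-style device: NTP plus 'logging timestamp' for consistent time, a verbose local buffer alongside a more selective remote destination, per-message escalation and suppression, and a named logging list. The IP addresses, interface names, list name and the specific message IDs chosen for tuning are assumptions for illustration; verify each ID and its default severity against the ASA 8.2 message list linked above before copying any of it.

```cisco
! Added example, not from the original thread. Addresses, interface names,
! the list name SEC-AUDIT and the message IDs tuned below are assumptions.
!
! 1. Consistent time on every device, and a timestamp on every syslog,
!    so events from several boxes can be lined up during an investigation.
clock timezone UTC 0
ntp server 10.0.0.10 source inside prefer
logging enable
logging timestamp
logging device-id hostname
!
! 2. A different level per destination: the local buffer stays verbose for
!    immediate troubleshooting, the remote collector gets a narrower feed
!    that is kept for historical correlation.
logging buffer-size 65536
logging buffered informational
logging host inside 10.0.0.20
logging trap notifications
!
! 3. Tune individual messages instead of raising the whole level.
!    302013/302014 (TCP connection built / torn down) default to
!    informational (6) and answer "which host went where and when";
!    promoting them to notifications (5) makes the trap destination
!    above receive them without flooding it with everything at level 6.
logging message 302013 level notifications
logging message 302014 level notifications
!    A message judged to be pure noise can be switched off entirely
!    (305012, dynamic NAT translation teardown, is used here as an example).
no logging message 305012
!
! 4. Alternative to "logging trap <level>": a named list that combines a
!    severity floor with specific message IDs, then send only that list
!    to the collector. This line replaces "logging trap notifications" above.
logging list SEC-AUDIT level warnings
logging list SEC-AUDIT message 302013
logging list SEC-AUDIT message 302014
logging list SEC-AUDIT message 111008-111010
logging trap SEC-AUDIT
```

The buffer and the trap destination are configured independently on purpose: 'show logging' on the box still shows the informational-level detail for live troubleshooting, while the syslog server receives only what the list or trap level admits. Adding 111008-111010 (command execution and configuration-change messages) to the list keeps an audit trail of administrative actions on the collector regardless of the trap level.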
