Best practice for logging

Jun 26th, 2010

Hi All,


I would like to know if there is any best practice document for Firewall logging. This would include


1. What level of logging is ideal

2. If logs are stored on a logging server, how long is it best to store the logs and retain them on backup tape, etc.

This can include various industries such as IT, banking, etc.


Any document pertaining to these would be helpful. Thanks in advance.


Regards,

Manoj

Kevin Redmon (Cisco Employee) Wed, 06/30/2010 - 05:51

Manoj,


The only link that I could find on Cisco's Logging Best Practices is here:


http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#logbest


Note: this link refers to an IOS device, but many of the guidelines transfer nicely to the ASA/PIX/FWSM. The two items at this link that I feel are quite important are synchronizing the time between all of your network devices (possibly via NTP) and leveraging the timestamp feature on your syslogs ('logging timestamp' in the firewall realm).


In general, depending on your main goal for logging (troubleshooting, network access logs, etc.), regardless of industry, you will inevitably need to determine the appropriate logging level for that purpose and your network. Even within a particular logging level, you will inevitably find syslogs that are NOT useful to you while finding other syslogs in lower logging levels that ARE useful.


You can customize your logging experience on the ASA/PIX/FWSM by enabling/disabling certain syslogs, escalating those syslogs that are more important (to you) than the default logging level, and creating logging lists. Also, don't forget that logging locally on the device via the "buffered" keyword will be useful for immediate troubleshooting, while remote logging for historical purposes may be useful to correlate network access (i.e. which host went where and when). With this being said, you will most likely have a different logging level depending on the logging destination. The


I've provided a link below for the various 'logging' commands for ASA, although many of these commands are the same on other firewall platforms:


http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html


Here is also a list of the current log messages available on ASA 8.2:


http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html


As for how long you decide to keep the logging backups, that will depend on your company's security policy and/or local laws and regulations.


Hope this helps,

Kevin

Sameer Chaukar Wed, 03/08/2017 - 02:43

Thanks Kevin for sharing the ASA command reference for logging. This will help us focus on getting the required (important) logs to our syslog server instead of all logs. We are facing a capacity problem on the syslog server because of the number of messages per hour.
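The tuning Kevin describes (a different level per destination, a logging list, escalating and disabling individual message IDs, timestamps and NTP), written out as one ASA 8.2 configuration fragment. It also shows the two levers for the syslog-server volume problem in the reply above: a list that forwards only what is needed, and disabling message IDs that are pure noise. This is an added example, not configuration from the thread or from Cisco's documentation; the interface name, the 192.0.2.x addresses, the list name ACCESS-AUDIT, the buffer size and the choice of which message IDs to re-level or disable are assumptions for illustration, and the default severities quoted in the comments are those of the ASA 8.2 message list Kevin links.

```text
! Added example (not from the thread): an ASA 8.2 logging baseline.
! Interface name, addresses, list name and buffer size are assumed placeholders.

! Time source first: every syslog must carry a trustworthy timestamp so that
! events from several devices can be correlated on the central server.
clock timezone UTC 0
ntp server 192.0.2.1 source inside prefer
logging timestamp
! Tag each message with the hostname so the server can tell devices apart.
logging device-id hostname

logging enable

! Local buffer: verbose, for immediate troubleshooting on the box itself.
logging buffer-size 131072
logging buffered informational

! Remote syslog: only what is needed for historical network-access records.
logging host inside 192.0.2.10 udp/514
! A logging list selects by severity and by explicit message IDs, so the
! trap destination can be held at notifications (5) while still carrying the
! informational (6) connection build/teardown messages that answer
! "which host went where and when".
logging list ACCESS-AUDIT level notifications
logging list ACCESS-AUDIT message 302013-302016
logging trap ACCESS-AUDIT

! Escalate a message that matters to you: 106100 (access-list log hits)
! defaults to informational (6); raising it to notifications (5) puts it
! within reach of the trap list above.
logging message 106100 level notifications

! Silence messages that are pure volume for this deployment: the dynamic
! translation build/teardown pair (305011/305012, default severity 6) is a
! common contributor to syslog-server capacity problems.
no logging message 305011
no logging message 305012

! Verify: 'show logging' reports the level in force per destination and the
! buffer contents; 'show logging message' lists every message whose severity
! was changed or that was disabled.
```

The split matters for capacity: the buffer keeps severity 6 locally, where it costs nothing off-box, while the trap destination receives severity 5 and below plus the handful of severity 6 IDs named in the list. Disabling a message ID removes it from every destination, including the local buffer, so reserve `no logging message` for IDs that have no troubleshooting value at all and prefer list membership for everything else.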

  
