Firewall Log Review and Analysis

After the decision has been made to log events from your firewall, the next step is determining what you should be looking for in the logs and how you should properly perform log analysis. The most important thing to remember is that firewall logs are virtually worthless if no one ever looks at them. Logging is merely a means to an end, namely knowing what is going on with your firewalls so that you can respond accordingly. Review of the logs should not be reserved for only when an incident has occurred; it should be part of the weekly, if not daily, tasks that the firewall administrators perform. To help reduce the time and effort required to review the logs, many enterprise security incident management products provide tools and utilities that assist the firewall administrator in separating the wheat from the chaff, allowing the administrator to spend less time reviewing the logs while still getting the information necessary to identify situations before they become a problem.

Another aspect of reviewing the logs that should not be overlooked is the need to define a log archive and normalization policy. Too many organizations do not store their firewall logs long enough to adhere to regulations, some of which (such as Sarbanes-Oxley) are generally accepted to require seven years of log data to be retained. This creates situations where data from the logs may be needed but the logs themselves have already been destroyed. In conjunction with this, it is important to normalize your log data. Normalization simply means converting your logs into a standard format that allows for easier review and correlation of data from different sources (such as different firewall vendors).
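As an added example (not part of the original text), the following Python shows what normalization buys you: deny events from two vendor formats, a Linux netfilter kernel log and a Cisco ASA 106023 message, are parsed into one vendor-neutral record, and only then can a single source address be correlated across both firewalls. The log lines are constructed, the two regular expressions are simplified relative to the real formats, and the netfilter verdict is inferred from an assumed "FW-DROP:" log prefix, since the LOG target itself records no verdict.

```python
"""Normalize deny events from two firewall log formats into one schema and
correlate them across devices. Added example; the sample log lines are
constructed and the regexes are simplified."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample input: BSD-syslog lines from a Linux netfilter firewall
# (LOG target with an administrator-chosen "FW-DROP:" prefix) and from a
# Cisco ASA (message 106023, "Deny ... by access-group"). One unrelated sshd
# line is included to show that non-firewall records are skipped.
SAMPLE_LOGS = [
    'Mar 10 12:00:01 fw-edge-1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51234 DPT=22 SYN',
    'Mar 10 12:00:02 asa-dc-1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51240 dst inside:10.0.0.20/3389 by access-group "outside_in" [0x0, 0x0]',
    'Mar 10 12:00:03 fw-edge-1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.11 LEN=60 TTL=54 PROTO=TCP SPT=51235 DPT=22 SYN',
    'Mar 10 12:00:04 asa-dc-1 %ASA-4-106023: Deny udp src outside:198.51.100.7/40000 dst inside:10.0.0.53/53 by access-group "outside_in" [0x0, 0x0]',
    'Mar 10 12:00:05 fw-edge-1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.12 LEN=60 TTL=54 PROTO=TCP SPT=51236 DPT=22 SYN',
    'Mar 10 12:00:06 fw-edge-1 sshd[1234]: Accepted publickey for admin from 192.0.2.100 port 50000 ssh2',
]

SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$')
NETFILTER_RE = re.compile(
    r'^kernel: (?P<prefix>[^:]*): .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)'
    r'.*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?')
ASA_DENY_RE = re.compile(
    r'^%ASA-\d-106023: Deny (?P<proto>\w+) src \S+?:(?P<src>[\d.]+)(?:/(?P<spt>\d+))?'
    r' dst \S+?:(?P<dst>[\d.]+)(?:/(?P<dpt>\d+))?')


@dataclass(frozen=True)
class FwEvent:
    """Vendor-neutral firewall event (the normalized schema)."""
    timestamp: str          # syslog text as logged; BSD syslog carries no year
    device: str
    vendor: str             # "netfilter" or "cisco_asa"
    action: str             # "deny" or "accept"
    proto: str              # lower-case, e.g. "tcp"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


def _port(value: Optional[str]) -> Optional[int]:
    return int(value) if value is not None else None


def normalize(line: str) -> Optional[FwEvent]:
    """Parse one syslog line into an FwEvent, or return None if it is not a
    recognized firewall record (other daemons, truncated lines, ...)."""
    head = SYSLOG_RE.match(line)
    if not head:
        return None
    ts, host, msg = head.group('ts', 'host', 'msg')

    m = NETFILTER_RE.match(msg)
    if m:
        # netfilter's LOG target records no verdict; it is inferred from the
        # prefix the administrator attached to the rule (assumption).
        prefix = m.group('prefix').upper()
        action = 'deny' if ('DROP' in prefix or 'REJECT' in prefix) else 'accept'
        return FwEvent(ts, host, 'netfilter', action, m.group('proto').lower(),
                       m.group('src'), _port(m.group('spt')),
                       m.group('dst'), _port(m.group('dpt')))

    m = ASA_DENY_RE.match(msg)
    if m:
        return FwEvent(ts, host, 'cisco_asa', 'deny', m.group('proto').lower(),
                       m.group('src'), _port(m.group('spt')),
                       m.group('dst'), _port(m.group('dpt')))
    return None


def normalize_all(lines: Iterable[str]) -> List[FwEvent]:
    return [ev for ev in (normalize(l) for l in lines) if ev is not None]


def correlate_denied_sources(events: Iterable[FwEvent], min_targets: int = 3) -> Dict[str, dict]:
    """Group denied events by source address regardless of which device logged
    them, and report sources denied against at least `min_targets` distinct
    destinations. A host probing addresses behind different firewalls only
    stands out once both vendors' logs share one schema."""
    by_src: Dict[str, dict] = defaultdict(
        lambda: {'devices': set(), 'targets': set(), 'dst_ports': set()})
    for ev in events:
        if ev.action != 'deny':
            continue
        entry = by_src[ev.src_ip]
        entry['devices'].add(ev.device)
        entry['targets'].add(ev.dst_ip)
        if ev.dst_port is not None:
            entry['dst_ports'].add(ev.dst_port)
    return {
        src: {'devices': sorted(e['devices']),
              'targets': len(e['targets']),
              'dst_ports': sorted(e['dst_ports'])}
        for src, e in sorted(by_src.items())
        if len(e['targets']) >= min_targets
    }


if __name__ == '__main__':
    evs = normalize_all(SAMPLE_LOGS)
    for src, info in correlate_denied_sources(evs).items():
        print(f"{src}: denied by {info['devices']} against {info['targets']} hosts, ports {info['dst_ports']}")
```

Run as a script, it reports 203.0.113.5 as denied by both devices against four hosts, which neither firewall's own log shows on its own; 198.51.100.7 is dropped below the threshold. Two points of practice follow from the example: keep the raw vendor records alongside the normalized copies for the full retention period, because normalization discards vendor-specific fields (the ASA access-group name here) that an investigation may later need, and treat the netfilter verdict inference as a convention you must enforce in your rule set, since nothing in the log itself guarantees it.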
What to Look for in Firewall Logs

After you have collected the firewall logs and begun the process of analyzing them, determine the data that you should be looking for in the logs. With that said, it is important to remember not to fall into the