tailieunhanh - Logging and Log-Analysis Tools

Most firewalls can log events related to traffic that has been permitted or denied. Unfortunately, the sheer volume of data from even a moderately sized environment can quickly become unmanageable. | Logging and Log-Analysis Tools Most firewalls can log events related to traffic that has been permitted or denied. Unfortunately the sheer volume of data from even a moderately sized environment can quickly become unmanageable. Most firewalls use one of two types of logging methods Syslog Implemented by most firewalls and uses a relatively simple UDP-based although the Cisco Secure PIX Firewall also supports TCP client server logging method. Open Platform for Security Log Export Application Programming Interface OPSEC LEA API Implemented by Check Point for Firewall-1 OPSEC LEA is an API-based logging format similar in function to syslog. Syslog requires a server and a client component. The client typically runs on the firewall itself the server is installed on a Windows Linux or UNIX host. Syslog server functionality on Linux and UNIX is built in to the operating system. For Windows hosts however you must install a third-party syslog server. A popular Windows-based syslog server is the Kiwi Syslog Daemon available at http . Kiwi Syslog allows not only for the logging of events from the firewall but also provides advanced functionality such as implementing hashing on the logs for chain of custody and legal reasons event filtering and event notification via e-mail and pager for specified events. Syslog uses a combination of facilities and severities to identify the source and type of message that is being generated. Although there are 24 total facilities most firewalls are configured to use facilities localO to local7. Message severity consists of the following severity levels Emergency 0 System is unusable. Alert 1 Action must be taken immediately. Critical 2 Critical conditions. Error 3 Error conditions. Warning 4 Warning conditions. Notice 5 Normal but significant conditions. Informational 6 Informational messages. Debug 7 Debug-level messages. In most cases you should log debug-level severity messages only for the purposes of troubleshooting. A