Determining the events to log

Collecting unnecessary logs increases the volume of data to process during analysis and makes relevant events harder to find. Conversely, collecting no logs at all discards a crucial source of information for detecting incidents and determining the extent of a compromise.

R56 | SNS | Determine the events to log
Below is a non-exhaustive list of recommended events to collect via syslog among all the events that the SNS firewall offers in its administration interface. The assumed use case is an appliance used as a firewall/IPsec VPN with IDS and IPS disabled:
  • Events relating to the filter policy, e.g., rejected packets,

  • Network connections,

  • Events relating to IPsec VPN tunnels, e.g., the setup and teardown of tunnels,

  • Authentication events, e.g., aborted, successful or failed attempts,

  • Administration events generated by the serverd daemon, e.g., administrator connections and changes to the configuration,

  • Statistics,

  • System events,

  • Alarms.

The Advanced log level on a filter rule (which writes both a connection log entry and a filtering log entry) is redundant for TCP, UDP and SCTP traffic: connections on these protocols are already traced by default in the connection logs, so enabling it only duplicates entries and inflates the volume to analyze.
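The following is an added example, not part of the guide and not Stormshield code: it shows how a collector can triage SNS-style syslog lines against the event families recommended above, keeping only the recommended families and pulling out the entries an analyst reads first (blocked packets, failed authentications, configuration changes). The sample lines are constructed, and the key=value field names (logtype, action, error, user, msg) and the logtype values used to map lines to families are assumptions modelled on WELF-style output, not a documented SNS log schema.

```python
"""Triage SNS-style syslog lines against the recommended event families.

Added example (not from the ANSSI guide or from Stormshield). The sample log
lines below are constructed, and the field names and logtype values are
assumptions: adapt RECOMMENDED and the field names to the real schema.
"""
import re
from collections import Counter

# Recommended event families from R56, keyed by an assumed logtype value.
RECOMMENDED = {
    "filter": "filter policy",
    "connection": "network connections",
    "vpn": "IPsec VPN tunnels",
    "auth": "authentication",
    "server": "administration (serverd)",
    "stats": "statistics",
    "system": "system",
    "alarm": "alarms",
}

# Constructed sample: key=value pairs, values optionally double-quoted.
SAMPLE_LINES = [
    'id=firewall time="2024-03-01 10:00:01" logtype="filter" action=block src=203.0.113.7 dst=198.51.100.2 dstport=23',
    'id=firewall time="2024-03-01 10:00:02" logtype="connection" proto=tcp src=10.0.0.5 dst=198.51.100.9 dstport=443',
    'id=firewall time="2024-03-01 10:00:03" logtype="auth" user="alice" error=0 msg="authentication succeeded"',
    'id=firewall time="2024-03-01 10:00:04" logtype="auth" user="bob" error=1 msg="authentication failed"',
    'id=firewall time="2024-03-01 10:00:05" logtype="server" user="admin" msg="configuration modified"',
    'id=firewall time="2024-03-01 10:00:06" logtype="plugin" msg="dns cache refreshed"',
    'id=firewall time="2024-03-01 10:00:07" logtype="vpn" msg="Phase 2 established" peer=192.0.2.1',
    'this line is not key=value garbage',
]

# key=value, where value is either "quoted with spaces" or a bare token.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Return the line's fields as a dict, or None if it is not an id=firewall record."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    if fields.get("id") != "firewall":
        return None
    return fields


def triage(lines):
    """Split lines into recommended families, non-recommended records and unparsable input.

    Returns (kept, dropped, unparsed): kept is a list of (family, fields),
    dropped a list of field dicts whose logtype is not recommended, unparsed
    the raw lines that are not SNS records at all (worth counting, since a
    sudden rise usually means a format change or a misconfigured forwarder).
    """
    kept, dropped, unparsed = [], [], []
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            unparsed.append(line)
            continue
        family = RECOMMENDED.get(fields.get("logtype"))
        if family is None:
            dropped.append(fields)
        else:
            kept.append((family, fields))
    return kept, dropped, unparsed


def summarize(kept):
    """Count kept events per family and single out the entries to review first."""
    per_family = Counter(family for family, _ in kept)
    blocked = [f for fam, f in kept if fam == "filter policy" and f.get("action") == "block"]
    # error=0 is assumed to mean success; anything else is treated as a failure.
    failed_auth = [f for fam, f in kept if fam == "authentication" and f.get("error") not in (None, "0")]
    admin_changes = [f for fam, f in kept if fam == "administration (serverd)"]
    return per_family, blocked, failed_auth, admin_changes


if __name__ == "__main__":
    kept, dropped, unparsed = triage(SAMPLE_LINES)
    per_family, blocked, failed_auth, admin_changes = summarize(kept)
    print("kept per family:", dict(per_family))
    print("dropped (not recommended):", len(dropped), "unparsed:", len(unparsed))
    print("blocked:", [(f["src"], f["dst"], f["dstport"]) for f in blocked])
    print("failed auth:", [f["user"] for f in failed_auth])
    print("admin changes:", [f["msg"] for f in admin_changes])
```

Lines whose logtype is outside the recommended set are dropped rather than stored, which is the practical counterpart of the guidance above: the families you do not select never reach the analysis pipeline. Unparsable lines are kept in a separate bucket so that a change in the appliance's log format shows up as a spike instead of silently disappearing.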