
logging on PIX firewalls


rgbaldree (IS-IT--Management, US), Jun 10, 2005
As a security guy I want the highest level of logging on the firewall, but our network engineering team says that Cisco does not recommend going to level 6. We are currently at level 3. Does anyone have PIX logging at level 6, and if so, any performance issues versus level 3?

Thanks
Rick Baldree
 
At a high level of logging like level 6 your syslog server will be receiving bucketloads of logs, and the firewall will most likely take a performance hit due to continually having to send out this traffic. You just don't need it!

Generally I will log at level 3 and ONLY up the level if I am investigating a particular problem. The real issue with level 6 logging is that you have so many lines to sift through and process that it just becomes self-defeating.

Going slightly off topic, I have similar issues with Firewall-1, which logs per rule, and when too many rules are being logged the log files grow too big and end up switching every few hours. You just don't need all that logging unless you are looking for something specific.

Of course, this is just my opinion based on my experience.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
I appreciate your insight. The problem is we are outsourcing our firewall monitoring, and the company says that in order to monitor effectively it must be set to 6, but we are concerned about the performance on the firewalls.

Thanks Again,
Rick
 
Hello,

It really depends on your needs. If you have it set at 6, do you notice a degradation in performance of the PIX? If you have a third party monitoring the logs, I'm sure they have some way of scanning the logs for various attacks, etc., so that's not a problem. If you don't have any problems with performance then I don't see a problem with it.

Rod
 
I would have to agree with Rod. Try it and monitor the situation. If a third-party company is monitoring the logs then it's up to them to sort through thousands of lines of syslog output every day. Good luck to 'em. However, this must be with the caveat that IF you notice a knock-on effect on the firewall's performance then you can reduce the logging level.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
We did that for the same reason once. The monitoring company probably uses it for traffic stats. We didn't see an issue resulting from that logging level.
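Both Chris's point about the volume of level 6 output and the last reply's guess that the monitoring company wants level 6 for traffic statistics come down to what each `logging trap <level>` setting forwards: a PIX stamps every syslog message with `%PIX-<severity>-<message_id>`, and the trap level forwards everything at that severity or more urgent. The script below is an added example, not code from this thread or from Cisco; it parses that tag, shows how many lines each trap level would send to the syslog host, and pulls out the connection build/teardown records that make up most of level 6. The sample log lines are constructed (real PIX message numbers, made-up addresses and timings), and the `CONNECTION_MSGIDS` set is an assumption about which message IDs a monitoring service would count for traffic stats.

```python
"""Added example: classify Cisco PIX syslog lines by the severity the PIX stamps
on them and show what `logging trap <level>` would forward to a syslog host."""
import re
from collections import Counter

# Every PIX syslog message body starts with %PIX-<severity>-<message_id>:
# the severity 0..7 is the same scale `logging trap <level>` filters on.
PIX_TAG = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)")

# Cisco's names for the eight levels, as accepted by `logging trap`.
LEVEL_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Assumption: the message IDs a traffic-stats consumer cares about, i.e. the
# connection and translation build/teardown records emitted at level 6.
CONNECTION_MSGIDS = {"302013", "302014", "302015", "302016", "305011", "305012"}

# Constructed sample lines (not captured from any real device). The message
# numbers are genuine PIX IDs; addresses, connection IDs and timings are made up.
SAMPLE_LOG = [
    "Jun 10 2005 09:12:01: %PIX-5-111008: User 'enable_15' executed the 'logging trap 6' command.",
    "Jun 10 2005 09:12:02: %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.5/1025 to outside:203.0.113.5/1025",
    "Jun 10 2005 09:12:02: %PIX-6-302013: Built outbound TCP connection 8123 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.5/1025 (203.0.113.5/1025)",
    "Jun 10 2005 09:12:04: %PIX-6-302014: Teardown TCP connection 8123 for outside:192.0.2.10/80 to inside:10.1.1.5/1025 duration 0:00:02 bytes 1534 TCP FINs",
    "Jun 10 2005 09:12:05: %PIX-4-106023: Deny tcp src outside:192.0.2.77/4000 dst inside:10.1.1.5/23 by access-group \"outside_in\"",
    "Jun 10 2005 09:12:06: %PIX-3-305005: No translation group found for tcp src outside:192.0.2.77/4001 dst inside:10.1.1.9/25",
    "Jun 10 2005 09:12:07: %PIX-2-106001: Inbound TCP connection denied from 192.0.2.77/4002 to 203.0.113.5/135 flags SYN on interface outside",
    "Jun 10 2005 09:12:08: %PIX-6-302013: Built inbound TCP connection 8124 for outside:192.0.2.10/4433 (192.0.2.10/4433) to inside:10.1.1.5/80 (203.0.113.5/80)",
]


def parse_line(line):
    """Return (severity, message_id, text) for a PIX syslog line, or None if
    the line carries no %PIX-<sev>-<id> tag."""
    m = PIX_TAG.search(line)
    if m is None:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")


def forwarded_at(lines, trap_level):
    """Lines the PIX would send to its syslog host under `logging trap <trap_level>`:
    everything at that severity or more urgent (numerically lower)."""
    kept = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[0] <= trap_level:
            kept.append(line)
    return kept


def volume_by_trap_level(lines):
    """Cumulative line count per trap level 0..7: the syslog volume each
    `logging trap` setting would produce for this sample."""
    per_severity = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            per_severity[parsed[0]] += 1
    running, table = 0, {}
    for level in range(8):
        running += per_severity.get(level, 0)
        table[level] = running
    return table


def connection_records(lines):
    """The level-6 connection/translation events, returned as (message_id, text),
    which is the portion of informational logging usable for traffic statistics."""
    out = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None and parsed[1] in CONNECTION_MSGIDS:
            out.append((parsed[1], parsed[2]))
    return out


if __name__ == "__main__":
    total = len(SAMPLE_LOG)
    for level, n in volume_by_trap_level(SAMPLE_LOG).items():
        print(f"logging trap {level} ({LEVEL_NAMES[level]}): {n} of {total} lines forwarded")
    print(f"connection events visible only at level 6: {len(connection_records(SAMPLE_LOG))}")
```

Run against a few minutes of real syslog from the PIX to see the ratio between what level 3 and level 6 forward on your own traffic; on the constructed sample, level 3 keeps 2 of the 8 lines and level 6 keeps all of them, with every connection record sitting at severity 6. That is the trade-off the thread is describing: the monitoring company cannot see connections at all below level 6, while the firewall and syslog host have to carry the extra volume.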
 