Firewall logging - Best Practice
I'm interested in the general policy you practice on logging in firewall rules. What should be in the log in every case? What is never important at all?
- Broadcast traffic (from promiscuous interfaces due to Snort?) is of limited interest, right?
- Do I really want to see who is knocking on some port of my WAN interface?
- Enable logging for the pass rules to see which IPs are visited by certain clients?
What's your policy on these and other firewall log issues?
I keep logs as quiet as possible. Only important stuff should be showing up.
Though, this is after I ensure all of my rules are blocking/passing the proper traffic. Like the logging of incoming WAN denies… once I know it is working, that rule is silenced.
"- Do I really want to see who is knocking on some port of my WAN interface?"
While it might not be of interest if it's just a few of them here and there, you sure might be interested if it's, say, 1000 a second.
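The two replies above point in the same direction: keep the default-deny rule quiet once it is known to work, but still notice when one source goes from a few knocks to hundreds per second. The following is an added example (not code from the original posts or from any firewall product) of the detection side of that policy: a per-source sliding-window counter run over deny-log lines that reports only sources whose peak rate crosses a threshold. The log layout, the interface name `wan`, the threshold, and the sample lines are all constructed for the example; a real deployment would replace `parse_line()` with a parser for its own firewall's log format.

```python
"""Flag WAN sources that hit the deny rule at a high rate.

Added example for the firewall-logging thread above; not from the original
posts or from any firewall vendor. The per-packet log format below is an
ASSUMPTION chosen for the example:

    <ISO timestamp> <iface> <action> <proto> <src>:<sport> -> <dst>:<dport>

Adapt parse_line() to the real layout of the firewall being monitored.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (hypothetical addresses from RFC 5737 ranges):
#  - three scattered knocks from 203.0.113.5 over a few minutes (noise)
#  - one LAN pass line, which must not count as a WAN deny
#  - one unparseable line, which the parser must skip
#  - a 60-packet burst from 198.51.100.7 inside three seconds (interesting)
SAMPLE_LOG = [
    "2024-03-01T10:00:00 wan block tcp 203.0.113.5:51000 -> 192.0.2.10:22",
    "2024-03-01T10:01:30 wan block tcp 203.0.113.5:51001 -> 192.0.2.10:22",
    "2024-03-01T10:02:00 lan pass tcp 192.168.1.20:50000 -> 93.184.216.34:443",
    "filterlog restarted",
    "2024-03-01T10:03:00 wan block udp 203.0.113.5:51002 -> 192.0.2.10:123",
] + [
    f"2024-03-01T10:05:{i // 20:02d}.{(i % 20) * 50:03d} wan block tcp "
    f"198.51.100.7:{40000 + i} -> 192.0.2.10:{1000 + i}"
    for i in range(60)
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    parts = line.split()
    if len(parts) != 7 or parts[5] != "->":
        return None
    try:
        ts = datetime.fromisoformat(parts[0]).timestamp()
    except ValueError:
        return None
    src_ip, _ = parts[4].rsplit(":", 1)
    dst_ip, dport = parts[6].rsplit(":", 1)
    return {"ts": ts, "iface": parts[1], "action": parts[2], "proto": parts[3],
            "src": src_ip, "dst": dst_ip, "dport": dport}


def peak_rates(lines, window_seconds=10.0, action="block", iface="wan"):
    """Per source IP: the most packets seen in any window_seconds interval.

    Only lines with the given action on the given interface are counted.
    Returns (peaks, dports): peaks maps src -> peak count, dports maps
    src -> set of destination ports touched (many ports hints at a scan).
    """
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == action and rec["iface"] == iface:
            events.append(rec)
    events.sort(key=lambda r: r["ts"])  # sliding window needs time order

    windows = defaultdict(deque)   # src -> timestamps inside current window
    peaks = {}
    dports = defaultdict(set)
    for rec in events:
        q = windows[rec["src"]]
        q.append(rec["ts"])
        # Drop timestamps older than the window, so len(q) is the count in
        # the last window_seconds ending at this packet.
        while q and q[0] < rec["ts"] - window_seconds:
            q.popleft()
        if len(q) > peaks.get(rec["src"], 0):
            peaks[rec["src"]] = len(q)
        dports[rec["src"]].add(rec["dport"])
    return peaks, dports


def noisy_sources(lines, threshold, window_seconds=10.0):
    """Sources whose peak deny rate reached threshold packets per window."""
    peaks, dports = peak_rates(lines, window_seconds)
    return {src: {"peak": n, "ports": len(dports[src])}
            for src, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    for src, info in noisy_sources(SAMPLE_LOG, threshold=20).items():
        print(f"{src}: peak {info['peak']} denies per 10s, "
              f"{info['ports']} distinct destination ports")
```

With the threshold at 20 per 10 seconds, the scattered knocks from 203.0.113.5 never appear in the output, while the burst from 198.51.100.7 is reported along with the number of distinct ports it probed. In practice the same logic runs over the output of a single logged deny rule (or a sampled one) rather than over a fully logged default deny, which is what lets the rule stay quiet most of the time.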