IT professionals have been looking for better ways to monitor and store firewall logs for years. Properly handled, firewall events can give insight into APTs, DoS attacks, firewall rule planning and misconfigurations, policy violations, and much more. To date, Syslog has been the go-to mechanism for access to firewall log info. It’s universally supported by the firewall community, easy to understand, and it’s quick to implement on both the firewall as well as the syslog analyzer.
Unfortunately syslog is resource intensive on both the firewall and the log analyzer. It’s largely unstructured, requires string pattern matching, and the exact format and fields vary from one firewall to the next. How often do you turn on full “Accept” and “Deny” logging for every rule? Sure you can and yes it’s valuable but the amount of syslog created is tremendous.
Enter NetFlow and IPFIX…
Read more »