Friday, November 16, 2018

Firewall Event Logging

Looking for some input on firewall event logging. Today, we log every single flow (permit or deny) through all of our firewalls (~600). We overrun our management system in about 20 minutes (and it is very slow to search). What are other people doing in regard to firewall logging? I like to think that we are being a little ridiculous, but our ISO likes the ability to see every flow from a specific time for potential attacks. FWIW, we also push all of these logs to a cloud SOC. Does this sound pretty much normal?


