It seems like it’s best practice to log to the buffer at level 7, and perhaps to syslog servers at a lower level. I’m trying to decide what to do with the flexibility afforded by Cisco ASA firewalls. On the one hand, our logging buffer is full of logs for connections established and torn down, leaving everything important out of there. That information is not useful for troubleshooting, but could be helpful for forensics.
I’m wondering what most of you do when it comes to logging ACL hits and connections up/down on the buffer vs syslog servers. I’m thinking of using logging ACLs for the buffer and send everything informational to the syslog server.
No comments:
Post a Comment