I would like to hear the Communities responses to a general logging philosophy question for security monitoring, incident investigation, etc. against the performance, storage, etc
How much DON’T you log?
With a bog-standard FortiGate and a bog-standard FortiAnalyser I having issues with the numerous combinations of options on the ‘Log Settings’ page. What is the minimum you would recommend?
For example I can find very little information on the dis/advantages of "Generate Logs when Session Starts"
Or, use local Memory or Disk?
Any advice, insights, etc greatfully received.
Regards
P.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Paul
Please refer below article about log management
https://docs.fortinet.com/document/fortigate/6.4.0/best-practices/730764/log-management
Regards
Anas
Hello Anas
Not what I was looking for.I have, of course, read all the related Forti-docs and general logging advice from different sources. I was asking specifically for advice from the Forti community on how they deal with the numerous logging options.
However if you could answer the question I posed about "Generate Logs when Session Starts", that would be helpful.
P.
Hey Paul,
in general:
- if you HAVE a FortiAnalyzer, I would suggest you log as much as you can get away with (depending on FortiAnalyzer license/sizing/model); any logs might be relevant down the line for investigation/troubleshooting
-> you can refer to the document linked by Anas for some general recommendations
-> If you do have FortiAnalyzer, I would suggest against logging to FortiGate disk, as that can eat up resources on FortiGate
-> if you do not have a FortiAnalyzer, but a FortiGate with disk, I would suggest against logging to FortiGate memory, as that eats into FortiGate memory and can impact performance; depending on available disk space, some logging might need to be disabled
-> I would only suggest to log to FortiGate memory if you have no other options
If you are concerned about logging volume, at the very least:
- retain logging for any sensitive traffic
- retain FortiGate system event logs
- retain logging for any business-critical FortiGate features (VPN, authentication, ...)
- retain logging based on any legal requirements you might have
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1633 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.