Logging Philosophy - Options - Combinations - etc.
I would like to hear the Community's responses to a general logging philosophy question for security monitoring, incident investigation, etc. against the performance, storage, etc.
How much DON’T you log?
With a bog-standard FortiGate and a bog-standard FortiAnalyser I am having issues with the numerous combinations of options on the ‘Log Settings’ page. What is the minimum you would recommend?
For example I can find very little information on the dis/advantages of "Generate Logs when Session Starts"
Or, use local Memory or Disk?
Any advice, insights, etc. gratefully received.
Regards
P.
___________________________________________
Find it - Fix it - Forget it = network management !!
Labels: FortiAnalyzer, FortiGate
Hi Paul
Please refer to the article below about log management:
https://docs.fortinet.com/document/fortigate/6.4.0/best-practices/730764/log-management
Regards
Anas
Hello Anas
Not what I was looking for. I have, of course, read all the related Forti-docs and general logging advice from different sources. I was asking specifically for advice from the Forti community on how they deal with the numerous logging options.
However if you could answer the question I posed about "Generate Logs when Session Starts", that would be helpful.
P.
___________________________________________
Find it - Fix it - Forget it = network management !!
Hey Paul,
In general:
- if you HAVE a FortiAnalyzer, I would suggest you log as much as you can get away with (depending on FortiAnalyzer license/sizing/model); any logs might be relevant down the line for investigation/troubleshooting
-> you can refer to the document linked by Anas for some general recommendations
-> If you do have FortiAnalyzer, I would suggest against logging to FortiGate disk, as that can eat up resources on FortiGate
-> if you do not have a FortiAnalyzer, but a FortiGate with disk, I would suggest against logging to FortiGate memory, as that eats into FortiGate memory and can impact performance; depending on available disk space, some logging might need to be disabled
-> I would only suggest to log to FortiGate memory if you have no other options
If you are concerned about logging volume, at the very least:
- retain logging for any sensitive traffic
- retain FortiGate system event logs
- retain logging for any business-critical FortiGate features (VPN, authentication, ...)
- retain logging based on any legal requirements you might have
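The recommendations in the reply above (send everything to FortiAnalyzer, keep local disk and memory logging off, and at minimum retain system, VPN and authentication events plus the traffic you care about) map onto a small set of FortiOS CLI settings. The configuration below is an added example by the editor, not something posted in this thread or taken from Fortinet's documentation; the FortiAnalyzer address `192.0.2.10` is a placeholder and policy ID `1` is assumed. It also shows the CLI name of the "Generate Logs when Session Starts" option that the original question asked about: `logtraffic-start`, which is a per-policy setting that emits an additional traffic log when a session opens, on top of the usual log written when the session closes. That gives earlier visibility of long-lived sessions at the cost of roughly one extra traffic log per session, so it is normally left disabled and enabled only on policies where session-start timing matters.

```fortios
# Send logs to FortiAnalyzer (placeholder address; replace with your FAZ)
config log fortianalyzer setting
    set status enable
    set server 192.0.2.10
end

# With a FortiAnalyzer in place, do not also log to the local disk or
# memory: both consume FortiGate resources without adding retention.
config log disk setting
    set status disable
end
config log memory setting
    set status disable
end

# Event log categories to retain at minimum: system events, VPN and
# user authentication. Other categories can be trimmed if volume is a
# concern.
config log eventfilter
    set event enable
    set system enable
    set vpn enable
    set user enable
end

# Log traffic that hits the implicit deny policy; blocked connections are
# frequently the most useful evidence during an investigation.
config log setting
    set fwpolicy-implicit-log enable
end

# Per-policy traffic logging (policy ID 1 is assumed for this example).
# "logtraffic all" logs every session, not only security-profile hits.
# "logtraffic-start" is the CLI form of "Generate Logs when Session
# Starts"; it adds a log at session open in addition to the session
# close log, so expect about twice the traffic log volume on this policy.
config firewall policy
    edit 1
        set logtraffic all
        set logtraffic-start enable
    next
end
```

When comparing the resulting log volume, look at the traffic log `logid` and `action` fields on FortiAnalyzer: a policy with `logtraffic-start` enabled produces a "start" record followed later by the normal close record for the same session, which is the easiest way to confirm the setting took effect before rolling it out more widely.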