
Analyzing Firewall Logs

Analyzing firewall logs provides insight into security threats and traffic behavior. In-depth analysis of the firewall security logs yields critical network intelligence about attempts to breach security and about attacks such as viruses, trojans and denial of service.

To open the log view on a Check Point management server: from the Network Objects tree, double-click the Security Management Server or Domain Log Server. The General Properties window opens. In the Management tab, select Logging & Status. From the navigation tree, click Logs.

is a simple and free online tool for checking open ports on your local/remote machine. It is fast and easy: just enter the port number and check (the result will be either open or closed).

A firewall is software or hardware that helps prevent hackers and some kinds of malware from reaching a PC through a network or the Internet. The firewall does this by inspecting the traffic coming from the Internet or the network and then either blocking it or allowing it to pass through to the PC.

The firewall log file can be useful for determining the cause of program failures, and investigators can use the logs to identify malicious activity. The firewall alone does not record everything needed to track down the source of that activity, but it provides useful insight into its nature.


The log is a plaintext file and can be viewed with any text editor; Notepad is the default text editor for most firewall log files. How long the logs are kept depends on the storage limit set for the file: once it is reached, newer entries replace older ones. Because of this storage constraint, administrators collect and archive the logs periodically.

During a security attack, these logs give investigators an idea of how the breach occurred. Investigators can correlate them with other suspicious files to detect the source of the attack and any other targets.

Analyzing Firewall Logs: Cisco

Log messages are useful in one way or another, but in most cases a small subset of them provides the most benefit initially. After examining those events, investigators can widen the scope of their analysis by searching for additional details. The table below summarizes the most common messages and their associated severity level. Fortunately, most of these messages carry fairly consistent mnemonic identifiers, which make the messages easy to pick out with command-line tools.

Cisco firewall logs follow the format described above. Each entry contains the date and time, the mnemonic message identifier, the firewall action, the source IP address and port, the destination IP address and port, and the type of request. All of these fields are useful to investigators. In the screenshot below, the mnemonic can be looked up in Table 3, and the mnemonic in turn gives the severity of the message.
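The following parser is an added example written for this article; it is not code from the original page. It breaks Cisco ASA syslog entries into the fields listed above (timestamp, mnemonic with its severity level and message ID, action, protocol, source and destination IP/port) and then produces the kind of first-pass summary an investigator wants: which sources were denied most often, which destination ports each of them touched, and which entries carry a severity of warning or higher. The log lines, hostnames and addresses are constructed sample data; only the message-ID formats (106023, 106001, 302013, 302014) are real ASA formats.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity levels encoded in the mnemonic prefix: %ASA-<level>-<message_id>
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Syslog header followed by the Cisco mnemonic, e.g. "Jan 12 10:15:02 fw01 %ASA-4-106023: ..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%(?P<platform>ASA|PIX|FWSM)-(?P<level>[0-7])-(?P<msg_id>\d{6}): (?P<text>.*)$"
)
# Message bodies for the actions we extract endpoints from
DENY_ACL_RE = re.compile(          # 106023: denied by an access-group
    r"Deny (?P<proto>\w+) src [\w-]+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst [\w-]+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")
DENY_INBOUND_RE = re.compile(      # 106001: inbound connection denied
    r"Inbound (?P<proto>\w+) connection denied from (?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")
BUILT_RE = re.compile(             # 302013: connection built (allowed)
    r"Built (?:inbound|outbound) (?P<proto>\w+) connection \d+ for [\w-]+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"\([\d.]+/\d+\) to [\w-]+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")
TEARDOWN_RE = re.compile(          # 302014: connection torn down
    r"Teardown (?P<proto>\w+) connection \d+ for [\w-]+:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to [\w-]+:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")
ACTION_PATTERNS = [("deny", DENY_ACL_RE), ("deny", DENY_INBOUND_RE),
                   ("built", BUILT_RE), ("teardown", TEARDOWN_RE)]


@dataclass
class FirewallEvent:
    timestamp: str
    host: str
    level: int        # 0 (most severe) .. 7 (debugging)
    msg_id: str       # six-digit Cisco message ID
    action: str       # "deny", "built", "teardown" or "other"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    text: str


def parse_line(line: str) -> Optional[FirewallEvent]:
    """Return a FirewallEvent for a Cisco firewall syslog line, or None for anything else."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    action, proto, src_ip, src_port, dst_ip, dst_port = "other", "", "", 0, "", 0
    for name, pattern in ACTION_PATTERNS:
        am = pattern.search(m["text"])
        if am:
            action, proto = name, am["proto"].lower()
            src_ip, src_port = am["src_ip"], int(am["src_port"])
            dst_ip, dst_port = am["dst_ip"], int(am["dst_port"])
            break
    return FirewallEvent(m["ts"], m["host"], int(m["level"]), m["msg_id"], action,
                         proto, src_ip, src_port, dst_ip, dst_port, m["text"])


def parse_log(text: str) -> List[FirewallEvent]:
    """Parse every line of a log file, silently skipping non-Cisco lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def severity_name(event: FirewallEvent) -> str:
    return SEVERITY_NAMES[event.level]


def summarize(events: List[FirewallEvent]) -> Dict[str, object]:
    """First-pass triage: denied sources, the ports they touched, and warning-or-worse entries."""
    denies_by_src = Counter(e.src_ip for e in events if e.action == "deny")
    ports_by_src = defaultdict(set)
    for e in events:
        if e.action == "deny":
            ports_by_src[e.src_ip].add(e.dst_port)
    return {
        "denies_by_src": dict(denies_by_src),
        "ports_probed_by_src": {ip: sorted(p) for ip, p in ports_by_src.items()},
        "high_severity_ids": [e.msg_id for e in events if e.level <= 4],
    }


# Constructed sample log (RFC 5737 documentation addresses); not a real capture.
SAMPLE_LOG = """\
Jan 12 10:15:01 fw01 %ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.7/51234 (203.0.113.7/51234) to inside:192.0.2.10/443 (192.0.2.10/443)
Jan 12 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]
Jan 12 10:15:02 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51236 dst inside:192.0.2.10/3389 by access-group "outside_in" [0x0, 0x0]
Jan 12 10:15:03 fw01 %ASA-4-106023: Deny udp src outside:198.51.100.9/4000 dst inside:192.0.2.20/161 by access-group "outside_in" [0x0, 0x0]
Jan 12 10:15:04 fw01 %ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.7/51234 to inside:192.0.2.10/443 duration 0:00:03 bytes 1024 TCP FINs
Jan 12 10:15:05 fw01 %ASA-2-106001: Inbound TCP connection denied from 203.0.113.7/51237 to 192.0.2.10/445 flags SYN on interface outside
"""

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in evts:
        print(f"{e.timestamp} {e.msg_id} [{severity_name(e)}] {e.action:8} {e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}")
    print(summarize(evts))
```

On the sample, the summary shows 203.0.113.7 denied three times across ports 22, 445 and 3389 after a successful connection to 443, which is the pattern an investigator would then chase through the other sources mentioned above (router logs, host artifacts) rather than from the firewall alone. Unrecognised message IDs are kept with action "other" so nothing is silently dropped from the timeline.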


Use the Check Point Log Viewer application to view Check Point firewall logs. The application uses color coding to distinguish message severity, as shown in the table below (Table 4).

Event log color coding

Color     Meaning
Red       An error message
Orange    A warning message
Blue      An informational message

Icons represent each action in the Check Point log viewer, as shown in the slide.

Questions related to this topic

  1. How do you analyze firewall logs?
  2. How long should firewall logs be retained?
  3. What logs should be sent to Siem?
  4. How do I find the log files on a server?

This blog article is posted by Infosavvy (www.info-savvy.com).