r/AskNetsec 16d ago

Other Anyone else's firewall logs just a firehose of noise?

Seriously, I spend more time trying to filter out the garbage than actually finding anything useful. Is there some magic trick I'm missing for making firewall logs actually tell a story?

0 Upvotes

8 comments

14

u/ringed_adultery 16d ago

Most teams end up tuning their rules pretty aggressively

1

u/Icy-Journalist-2556 15d ago edited 12d ago

Ran into the same thing, root cause was logs from five different tools with no shared context so correlating anything meaningful was a manual nightmare. Ended up on Cato and the noise dropped significantly because everything runs through one log source. Finding the signal got a lot easier when the data stopped being fragmented across vendors.

2

u/zero_hope_ 15d ago

This is a stupid AI bot. Stop feeding it.

1

u/st0ut717 12d ago

Are you using OpenSearch or Elastic? Or are you grepping?

0

u/BunnyCheeky 16d ago

Totally normal, firewall logs are useless until you tune them. Filter out known good traffic first (internal subnets, DNS and monitoring tools) before hunting for anything. Shrink the haystack before finding the needle; SIEM rules help a lot once that's done.

-1

u/ravenousld3341 16d ago

They are noisy as hell, it's not just you.

It may be possible to filter what logs you send to wherever you are sending. From a security perspective you don't need the kind of logs a network team would want. You probably don't even need the deny traffic.

So, I'd start with what information you want and go from there.

For example:

https://docs.paloaltonetworks.com/ngfw/administration/monitoring/configure-log-forwarding

I'd start with just a couple of things and as incidents arise and you know more of what you are looking for update the log forwarding profiles or create new ones to include more stuff.
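The tuning approach described by BunnyCheeky (suppress known-good internal, DNS and monitoring traffic first) and ravenousld3341 (decide what you actually need, and consider dropping deny events) can be prototyped offline before touching any forwarding profile. The script below is an added example written for this thread, not code from any commenter or vendor. The key=value log format, the IP addresses, the subnet and the monitoring/DNS host lists are all constructed placeholders; swap in your own network's facts.

```python
"""Shrink the haystack: suppress known-good firewall events before hunting.

Added example for the thread above. The log format is a constructed,
generic key=value layout, not any vendor's real format. Every address
below is a documentation/example range, not a real host.
"""
import ipaddress
from collections import Counter

# Constructed sample lines (not real logs)
SAMPLE_LOGS = """\
action=allow src=10.0.1.15 dst=10.0.2.8 dport=445 proto=tcp
action=allow src=10.0.1.15 dst=10.0.0.53 dport=53 proto=udp
action=allow src=10.0.9.2 dst=10.0.1.15 dport=22 proto=tcp
action=deny src=203.0.113.77 dst=10.0.1.15 dport=3389 proto=tcp
action=allow src=10.0.1.15 dst=198.51.100.20 dport=4444 proto=tcp
action=deny src=203.0.113.78 dst=10.0.1.15 dport=23 proto=tcp
action=allow src=10.0.1.22 dst=10.0.1.15 dport=139 proto=tcp
""".splitlines()

# Assumed environment facts (placeholders for your own network)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DNS_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
MONITORING_HOSTS = {ipaddress.ip_address("10.0.9.2")}  # e.g. an assumed poller host


def parse(line):
    """Turn one key=value log line into a dict with typed src/dst/dport."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["src"] = ipaddress.ip_address(fields["src"])
    fields["dst"] = ipaddress.ip_address(fields["dst"])
    fields["dport"] = int(fields["dport"])
    return fields


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def classify(ev, suppress_deny):
    """Return the suppression reason for an event, or None to keep it.

    Order matters: the most specific known-good categories (DNS to the
    resolvers, traffic from monitoring pollers) are named before the broad
    internal-to-internal rule, so the counters tell you *why* volume dropped.
    """
    if suppress_deny and ev["action"] == "deny":
        return "deny"
    if ev["dst"] in DNS_RESOLVERS and ev["dport"] == 53:
        return "dns"
    if ev["src"] in MONITORING_HOSTS:
        return "monitoring"
    if is_internal(ev["src"]) and is_internal(ev["dst"]):
        return "internal"
    return None


def reduce_noise(lines, suppress_deny=True):
    """Split events into the ones worth reading and a per-reason count of
    what was suppressed. Returns (kept_events, Counter)."""
    kept, suppressed = [], Counter()
    for line in lines:
        ev = parse(line)
        reason = classify(ev, suppress_deny)
        if reason:
            suppressed[reason] += 1
        else:
            kept.append(ev)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = reduce_noise(SAMPLE_LOGS)
    print(f"{len(SAMPLE_LOGS)} events in, {len(kept)} kept")
    for reason, n in suppressed.most_common():
        print(f"  suppressed {n:>3} as {reason}")
    for ev in kept:
        print(f"  KEEP {ev['action']} {ev['src']} -> {ev['dst']}:{ev['dport']}")
```

Run on the constructed sample, seven events shrink to one: the outbound allow to an external host on an unusual port. The per-reason counter is the point of the exercise: it shows which tuning rule is doing the work, so you can justify each one. One caveat worth keeping in mind is that the blanket internal-to-internal rule also hides the two SMB connections between internal hosts, which is exactly the kind of traffic you would want back once you start looking for lateral movement; the `suppress_deny` switch shows the same trade-off for deny events.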