
Filtering firewall forwarding logs to reduce data limit

nadamsnadams

New Life Form
I have a customer that is logging about 2,500,000 traffic-forward logs and 2,800,000 firewall logs. Close to the end of every month, I have to purge data, which I really don't want to do. Is anyone having this problem? I would like to filter the logs, but I want to do it in a way that if anything does happen I will have it. Is there any documentation or best practices on this?


Answers

  • Well, the best thing I can say is that you can't have it both ways. Data streams received at a sensor node are processed with the plugin to generate events. If a filtering rule is active and matches an event, it is purged by the sensor, lost forever. If a suppression rule matches, the event is so tagged. The event is then sent to the cloud control node for correlation and data storage.

    What you would most likely want to do is filter at the sending server level, forwarding only raw data important to you but keeping a full record of all the initial raw data locally. 
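One way to set up what the answer above describes, keeping the complete record on the sending side and forwarding only a subset to the sensor, as an added example that is not part of this thread: an rsyslog configuration for the relay that receives the firewall syslog. The file name, the sensor host name, the port and the `action=accept` match string are assumptions; the match string in particular must be adapted to the firewall's actual log format.

```rsyslog
# Added example, not from the thread: /etc/rsyslog.d/50-firewall.conf (assumed path)
# on the syslog relay in front of the USM sensor. Requires rsyslog 7+ (RainerScript).
module(load="imudp")
input(type="imudp" port="514" ruleset="firewall")

ruleset(name="firewall") {
    # 1. Write every message to the local archive first, before any filtering,
    #    so the full raw record survives for investigations. Order matters here:
    #    "stop" below only affects actions that come after it.
    action(type="omfile" file="/var/log/firewall/all.log")

    # 2. Withhold only the high-volume permitted-traffic records from the sensor.
    #    Denies, drops, VPN, authentication and admin events fall through.
    #    "action=accept" is an assumed pattern; match the real firewall format.
    if ($msg contains "action=accept") then stop

    # 3. Forward the remainder to the sensor (host name and port are assumptions).
    action(type="omfwd" target="sensor.example.internal" port="514" protocol="udp")
}
```

The local archive still grows at the full rate, so pair it with logrotate and a retention period chosen for how far back investigations need to reach.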



