This message originated from Cribl Community Slack.
Hi all, does anyone have experience reducing network device logs (VPN, IPS, FW)?
We are currently working on a proposal for log reduction on Cisco ASA devices for our customer.
But the customer is concerned that reducing logs might impact their SIEM operation.
Based on our analysis, we believe that certain logs—such as informational-level messages (e.g., session teardown notifications, routine status updates)—are generally low-value for SIEM correlation and threat detection, and can be safely excluded.
So if you have experience with similar log reduction strategies for Cisco ASA or other network devices, could you share it with me?
Solved
Log Reduction Strategies For Cisco ASA Without Impacting SIEM Operations
Best answer by Jon Rust
This is a common strategy, especially when combined with sending a copy of all data to an object store. This provides a way to replay dropped data if they're needed in the future.
Check packs.cribl.io for the Cisco ASA pack as a starting point.
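As an added illustration of the severity-based reduction discussed in the question (this is example code, not the Cribl Cisco ASA pack or Cribl's own filter logic): the function below parses the `%ASA-<severity>-<msgid>:` header of each syslog line, drops informational (6) and debugging (7) messages, but keeps an allowlist of informational message IDs that still carry detection value, such as AAA authentication rejects and VPN session events. The allowlist, the drop threshold and the sample lines are assumptions constructed for the example and should be reviewed against the customer's SIEM use cases; the sample addresses are documentation ranges, not real data.

```javascript
// Added example, not code from the Cribl Cisco ASA pack.
// Per-line decision on whether a Cisco ASA syslog message is low-value for the SIEM.
// The digit after "%ASA-" is the syslog level: 0 emergencies .. 6 informational, 7 debugging.

const ASA_HEADER = /%ASA-(\d)-(\d{6}):\s*(.*)$/;

// Parse "%ASA-<severity>-<msgid>: <text>" out of a syslog line; null when not ASA-shaped.
function parseAsa(line) {
  const m = ASA_HEADER.exec(line);
  if (!m) return null;
  return { severity: Number(m[1]), msgId: m[2], text: m[3] };
}

// Assumed policy: drop level 6 and 7 messages, except informational IDs that the
// SIEM still needs. Session build/teardown (302013/302014) and NAT translation
// (305011/305012) messages fall through to the drop path under this policy.
const DROP_MIN_SEVERITY = 6;
const KEEP_INFO_IDS = new Set([
  '113005', // AAA user authentication Rejected
  '113015', // AAA user authentication Rejected (user not found)
  '722022', // VPN client SSL session established
  '722023', // VPN client SSL session terminated
  '106100', // access-list log hit
]);

function shouldDrop(line) {
  const ev = parseAsa(line);
  if (ev === null) return false;                 // unparsed lines fail open: keep them for the SIEM
  if (ev.severity < DROP_MIN_SEVERITY) return false;
  return !KEEP_INFO_IDS.has(ev.msgId);
}

// Apply the policy to a batch and report what the reduction would look like.
function reduce(lines) {
  const kept = [];
  const dropped = [];
  const droppedByMsgId = {};
  for (const line of lines) {
    if (shouldDrop(line)) {
      dropped.push(line);
      const id = parseAsa(line).msgId;
      droppedByMsgId[id] = (droppedByMsgId[id] || 0) + 1;
    } else {
      kept.push(line);
    }
  }
  const reductionPct = lines.length === 0 ? 0 : Math.round((dropped.length / lines.length) * 100);
  return { kept, dropped, droppedByMsgId, reductionPct };
}

// Constructed sample lines for the example (not real customer logs).
const SAMPLE_LINES = [
  'Jan 10 12:00:01 asa01 %ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:10.0.0.5/443 (10.0.0.5/443)',
  'Jan 10 12:00:02 asa01 %ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.7/51234 to inside:10.0.0.5/443 duration 0:00:01 bytes 5120 TCP FINs',
  'Jan 10 12:00:03 asa01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]',
  'Jan 10 12:00:04 asa01 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.20 : user = jdoe : user IP = 203.0.113.8',
  'Jan 10 12:00:05 asa01 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/51234 to outside:203.0.113.1/51234',
  'Jan 10 12:00:06 asa01 %ASA-7-710005: UDP request discarded from 198.51.100.3/137 to outside:203.0.113.1/137',
  'Jan 10 12:00:07 asa01 heartbeat line that is not ASA-shaped',
];

const summary = reduce(SAMPLE_LINES);
console.log(`kept ${summary.kept.length}, dropped ${summary.dropped.length} (${summary.reductionPct}% reduction)`);
console.log('dropped by message ID:', summary.droppedByMsgId);
```

Two practitioner notes on the design. First, severity alone is not a safe drop criterion: AAA rejects (113005) and VPN session events (722022/722023) are level 6 on the ASA, so a bare "drop everything at 6 and above" rule would silently remove authentication and remote-access visibility; that is why the example keys the exception list on message ID. Second, unparsed lines fail open and are kept, so a format change on the device cannot cause the SIEM to lose data without anyone noticing. Cribl Stream filter expressions are JavaScript, so the same predicate can be carried into a Drop function's filter in the pipeline, and, as the answer above suggests, sending the unreduced copy to an object store keeps the dropped build/teardown messages replayable if an investigation later needs them.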
