Minimize Logging

[icemaster]

Hi Everyone,

I am just curious about reducing dropped rule logging.

We currently log every rule, I know not really necessary but, you know you have those who have the need to know everything ;-) In addition to all the accept rules being logged, we also log all the dropped rules. This being a good idea to find errors, attack attempts and so on, we can't disable this completely.

How are some of you out there handling the drops logging? This is an enourmous strain on the CPU's not to mention the killing Tera-bytes of logged messages.
Is it a good Idea to maybe Identify certain types of traffic that will always be dropped, create a rule and have it not log?

Any ideas comments? How are you all handling such masses of logs? ;-)
Thanks for any ideas,
icemaster

[mcnallym]

I typically create a rule at the bottom just above the Any, Any, Any Drop Rule to drop NetBIOS, and broadcast traffic without logging.

Any Netbios that matches a rule above is still logged as legit traffic.

I find that seriously reduces the amount of traffic logged on the firewalls.

Quite often I will turn off logging for the smtp mail rule as well, along with seperating out the dns lookups as they can seriously fill up the log as well. I have them turned on initially to test working then turn off to save the log space.