WEBVTT

1
00:00.000 --> 00:04.880
In this video, I'd love to chat with you about logs. Now, logs as they're being

2
00:04.880 --> 00:05.520
sent over to the

3
00:05.520 --> 00:09.850
FortiAnalyzer currently in our environment, these three firewalls and this one as

4
00:09.850 --> 00:10.160
well,

5
00:10.160 --> 00:14.500
are all sending their logs to our root administrative domain. So it's one

6
00:14.500 --> 00:16.160
place we can go to to see

7
00:16.160 --> 00:20.180
and work with all the logs. Now, as we send in logs or as the FortiGate is sending

8
00:20.180 --> 00:20.880
logs to the

9
00:20.880 --> 00:25.470
FortiAnalyzer, there are different kinds of logs. We have traffic logs and a lot of

10
00:25.470 --> 00:26.240
that depends

11
00:26.240 --> 00:29.880
on whether or not in our firewall policies and our security policies that we

12
00:29.880 --> 00:30.720
specify that we

13
00:30.720 --> 00:34.210
want logging on all traffic or not. So if we're not telling the FortiGates to

14
00:34.210 --> 00:35.280
log the traffic,

15
00:35.280 --> 00:38.600
they're not going to be sending that over to the FortiAnalyzer. Another type of

16
00:38.600 --> 00:39.120
log that we're

17
00:39.120 --> 00:42.380
sending over is going to be security logs. So with the security logs, that'd be

18
00:42.380 --> 00:43.200
a result of

19
00:43.200 --> 00:48.140
having security profiles like IPS, application, web filtering, DNS and so forth,

20
00:48.140 --> 00:49.120
that are associated

21
00:49.120 --> 00:52.470
with firewall policies or security policies depending on how the FortiGate is

22
00:52.470 --> 00:53.040
configured.

23
00:53.040 --> 00:55.740
And those are also going to be sent over when they're matched on to the

24
00:55.740 --> 00:56.880
FortiAnalyzer. There's also

25
00:56.880 --> 01:00.530
event logs and unfortunately the word event, as we'll see in future videos on

26
01:00.530 --> 01:01.840
the FortiAnalyzer

27
01:01.840 --> 01:06.290
means a whole other thing, but event logs on a FortiGate firewall, that would be

28
01:06.290 --> 01:07.200
things like

29
01:07.200 --> 01:11.810
configuration changes made by an administrator or the system was rebooted or an

30
01:11.810 --> 01:12.320
administrator

31
01:12.320 --> 01:15.440
logged in or logged out on the firewall, or if there's an HA event, a high

32
01:15.440 --> 01:16.400
availability event

33
01:16.400 --> 01:19.820
with a failover event, that would also be another example of an event type of

34
01:19.820 --> 01:20.960
log. So the moment

35
01:20.960 --> 01:24.660
these logs are sent over to the FortiAnalyzer, and initially once they're sent

36
01:24.660 --> 01:25.600
over, they're saved in

37
01:25.600 --> 01:30.090
a .log file. However, after a moment or two, depending on how busy the

38
01:30.090 --> 01:30.960
FortiAnalyzer is, it's going to

39
01:30.960 --> 01:34.550
take all that log information that it's been receiving, it's going to actually add

40
01:34.550 --> 01:35.520
it or inject it or

41
01:35.520 --> 01:39.360
insert it into the SQL database. And at that point, we can actually see

42
01:39.360 --> 01:40.720
additional information

43
01:40.720 --> 01:45.050
about what's happening in the FortiView section of FortiAnalyzer. And again,

44
01:45.050 --> 01:46.160
it shouldn't take that

45
01:46.160 --> 01:49.180
long. We're talking, you know, sometimes just milliseconds for that to be added,

46
01:49.180 --> 01:50.400
but on a very

47
01:50.400 --> 01:54.570
busy FortiAnalyzer, it could take a little bit of time. So be aware initially,

48
01:54.570 --> 01:54.960
when those logs

49
01:54.960 --> 01:58.290
come in, you can see in the log view, and it may take a moment or two for them

50
01:58.290 --> 01:59.120
to actually insert

51
01:59.120 --> 02:02.990
it into the database. And then based on the configuration of the FortiAnalyzer,

52
02:02.990 --> 02:03.680
after a period

53
02:03.680 --> 02:08.330
of time logs are going to be archived. And at that point, we can go ahead and

54
02:08.330 --> 02:09.840
still do log browsing

55
02:09.840 --> 02:13.130
to see that information. But it's no longer available in tools like

56
02:13.130 --> 02:14.000
FortiView, and some of the

57
02:14.000 --> 02:17.950
prebuilt views on the FortiAnalyzer for logs that have been archived. And so when

58
02:17.950 --> 02:18.880
they're archived,

59
02:18.880 --> 02:23.310
they're compressed, and they have a .gz extension. So again, still viewable

60
02:23.310 --> 02:24.320
inside the FortiAnalyzer

61
02:24.320 --> 02:27.950
with the log browsing, however, not available in the other tools like

62
02:27.950 --> 02:29.120
FortiView. So if you need

63
02:29.120 --> 02:32.710
to have that information in the SQL database longer, we'll tweak and tune

64
02:32.710 --> 02:33.600
the settings in our

65
02:33.600 --> 02:37.740
case for our root VDOM regarding the retention and how long we want to keep

66
02:37.740 --> 02:38.720
logs. It's also

67
02:38.720 --> 02:42.110
important to be aware that if some event or something's happening on the

68
02:42.110 --> 02:43.200
network, we may have

69
02:43.200 --> 02:47.310
to look at several different views and dig down into several different logs to

70
02:47.310 --> 02:48.400
kind of triangulate

71
02:48.400 --> 02:52.490
and confirm what's happening, because what if this computer right here is

72
02:52.490 --> 02:53.760
sending a large amount of

73
02:53.760 --> 02:59.290
data out to a country, you know, like India or Russia or Switzerland or

74
02:59.290 --> 03:01.280
somewhere else? Is that

75
03:01.280 --> 03:04.720
okay? And the answer is, I don't know, it depends on the baseline of what

76
03:04.720 --> 03:06.320
normal looks like. So

77
03:06.320 --> 03:09.220
that's why it's a great idea to have a tool like FortiAnalyzer, where we can

78
03:09.220 --> 03:10.000
start building our

79
03:10.000 --> 03:14.160
baselines and taking a look at what normal is. And if something looks abnormal,

80
03:14.160 --> 03:14.880
we can dig deeper

81
03:14.880 --> 03:17.910
into it and see what's going on. So along those lines, it'd be a great idea to

82
03:17.910 --> 03:18.480
be aware and have

83
03:18.480 --> 03:22.810
documented in our security operations center where our critical

84
03:22.810 --> 03:23.520
systems are,

85
03:23.520 --> 03:27.600
because if traffic, especially anomalous amounts of traffic or strange types of

86
03:27.600 --> 03:28.480
traffic is going to

87
03:28.480 --> 03:31.800
or from those critical systems that'd be more cause for alarm. We'd also want

88
03:31.800 --> 03:32.480
to be aware of

89
03:32.480 --> 03:35.710
what types of traffic are expected. We'd also want to be aware of the

90
03:35.710 --> 03:37.040
quantities of traffic.

91
03:37.040 --> 03:41.040
So for example, from this device right here, at the end of every month, maybe

92
03:41.040 --> 03:42.240
there is a process

93
03:42.240 --> 03:46.130
that's being driven for sending a whole bunch of data for end of month

94
03:46.130 --> 03:47.760
reporting or some other

95
03:47.760 --> 03:50.960
function, we'd want to be aware of that so we could document it. And that way,

96
03:50.960 --> 03:51.600
when we see it,

97
03:51.600 --> 03:55.200
we won't think, whoa, that's out of line with what normal is. And the beautiful

98
03:55.200 --> 03:55.600
thing is that

99
03:55.600 --> 04:00.480
the FortiAnalyzer has a view of everything that's going on. So if we're not sure,

100
04:00.480 --> 04:00.800
you know, for

101
04:00.800 --> 04:04.420
example, if that quantity of traffic is okay, we can take further steps into

102
04:04.420 --> 04:05.360
researching it by

103
04:05.360 --> 04:08.390
using another set of features called events and incidents, which we'll cover in

104
04:08.390 --> 04:09.120
a separate set of

105
04:09.120 --> 04:12.680
videos. But understanding what our baseline is and discovering that is an

106
04:12.680 --> 04:14.000
important aspect to then

107
04:14.000 --> 04:17.600
be able to identify what abnormal looks like. And in the next video, I'd like

108
04:17.600 --> 04:18.320
to walk you through

109
04:18.320 --> 04:22.780
some great techniques and options with the current flavor of FortiAnalyzer on how

110
04:22.780 --> 04:23.360
to do log

111
04:23.360 --> 04:26.650
browsing and working with our logs that are coming in from our FortiGate devices.

112
04:26.650 --> 04:27.520
So I'll see you in

113
04:27.520 --> 04:29.360
the next video for exactly that.
