By default, Vulnerability Protection/Deep Security Manager collects Events from the Agents/Appliances at every heartbeat. The amount of data being collected depends on the number of computers being protected, how active your computers are, and the Event recording settings.
All the Vulnerability Protection/Deep Security System Events are listed and can be configured on the Administration > System Settings > System Events tab. You can set whether to record the individual Events and whether to forward them to a SIEM system.
Each protection module generates Events when Rules are triggered or other configuration conditions are met. Some of this security Event generation is configurable.
The Firewall Stateful Configuration in effect on a computer can be modified to enable or disable TCP, UDP, and ICMP Event logging. To edit the properties of a Firewall Stateful Configuration, go to Policies > Common Objects > Other > Firewall Stateful Configurations. The logging options are in the TCP, UDP, and ICMP tabs of the Firewall Stateful Configuration's Properties window.
The Intrusion Prevention module lets you disable Event logging for individual Rules. To disable Event logging for a Rule, open the Rule's Properties window and select Disable Event Logging in the Events area of the Intrusion Prevention Properties tab.
The Intrusion Prevention module can record the data that causes a Rule to trigger. Because it would be impractical to record all the data every time an individual Rule triggers, Vulnerability Protection/Deep Security records the data for a Rule only the first time it is triggered within a specified period of time (the default is five minutes). To configure whether Vulnerability Protection/Deep Security records this data, go to Policy/Computer Editor > Intrusion Prevention > Advanced > Event Data. You can configure the length of the period by adjusting the Period for Log only one packet within period setting in Policy/Computer Editor > Settings > Network Engine > Advanced Network Engine Settings.
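The following Python model is an added example, not product code: it predicts which Intrusion Prevention Events from one computer would carry recorded data under the "first trigger within the period" behaviour described above, which helps explain why some Events in a review have no packet data attached. It assumes the period is tracked per Rule and starts at the Event whose data was recorded; the rule names and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Default period stated on the page: five minutes.
DEFAULT_PERIOD = timedelta(minutes=5)

def mark_event_data(events, period=DEFAULT_PERIOD):
    """Return (time, rule, has_data) for each event of one computer.

    Assumption of this model: the period is tracked per Rule and starts
    at the event whose data was recorded; triggers inside that period
    are logged without data.
    """
    last_recorded = {}  # rule name -> time of last event recorded with data
    marked = []
    for ts, rule in sorted(events):
        start = last_recorded.get(rule)
        has_data = start is None or ts - start >= period
        if has_data:
            last_recorded[rule] = ts
        marked.append((ts, rule, has_data))
    return marked

def data_coverage(marked):
    """Per rule: (events recorded with data, total events)."""
    stats = {}
    for _, rule, has_data in marked:
        with_data, total = stats.get(rule, (0, 0))
        stats[rule] = (with_data + int(has_data), total + 1)
    return stats

# Constructed sample: rule names and times are made up for illustration.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0, "rule-A"),
    (T0 + timedelta(seconds=30), "rule-A"),
    (T0 + timedelta(minutes=1), "rule-B"),
    (T0 + timedelta(minutes=4, seconds=59), "rule-A"),
    (T0 + timedelta(minutes=5), "rule-A"),
    (T0 + timedelta(minutes=7), "rule-B"),
]

if __name__ == "__main__":
    marked = mark_event_data(SAMPLE_EVENTS)
    for ts, rule, has_data in marked:
        print(ts.time(), rule, "data recorded" if has_data else "event only")
    print(data_coverage(marked))
```

Running it with a longer `period` shows how raising the setting trades stored packet data for fewer Events that can be inspected at the payload level.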
The Log Inspection module can be configured to record Events only when a triggered Log Inspection Rule contains a condition that exceeds a specified Severity Level. To set the Severity Level at which Log Inspection Events will begin to be recorded, go to Policy/Computer Editor > Log Inspection > Advanced > Severity Clipping.
Here are some suggestions to help maximize the effectiveness of Event collection: