Cyber Defense with MITRE Framework | Graylog + SOC Prime | On-Demand Webinar >> ​

VPN and Firewall Log Management

The hybrid workforce is here to stay. With that in mind, you should start putting more robust cybersecurity controls in place to mitigate risk. Virtual private networks (VPNs) help secure data, but they are also challenging to bring into your log monitoring and management strategy. VPN and firewall log management gives real-time visibility into security risks.


Many VPN and firewall log monitoring problems are similar to log management in general.


Each firewall has its own log format, and the format can change from version to version. For example, right now, two of the most popular firewalls are Cisco ASA and Palo Alto. Cisco’s format differs from Palo Alto’s, but Palo Alto 8.0 also differs from Palo Alto 9.0.

Palo Alto 9.0 log entries include more metadata fields and a new SD-WAN section. This means your current parsers might not get the data that you want. It becomes a constant battle to keep up with the new parsers and the new fields that firewall logs have.


On some firewalls, like an ASA, if you log at the informational level, you get normal log messages, like buildups and teardowns. However, if you put it to the debug level, you get a lot more data that exponentially grows your log data patterns. Where you usually get 1 million logs, you’re not up to 5 million when in debug mode.


Firewalls also use different protocols for importing them. Many use the Syslog format, but some proprietary firewalls use others. For example, Checkpoint uses OPSEC-LEA that requires a special agent to go off and query that to pull logs in.


Securing your hybrid workforce will require becoming more comfortable with VPN and firewall logs. To mature your security, you need to start collecting, aggregating, correlating, and analyzing these logs as soon as possible.


Graylog Alert Stages


Logging logs correctly means getting the right information coming in and depends on your firewall version. First, you want to put all the log files into a schema that normalizes data points into specific fields. Graylog Illuminate includes schema to help with this so that customers can create dashboards that give meaningful visibility.


To make your log data useful, you need to normalize the data with a single, comparable format. Then you can break apart the log message and do additional checks.

For example, you might want to create a dashboard around a source IP that shows up no matter what firewall version you’re using. You want to normalize that data when you bring it in. This lets you break the big log message into smaller, easy-to-read fields. In Graylog, you can do this through pipeline rules and enrichment.

Now that you’ve parsed the data, you can review the logs more meaningfully. You can start looking at things like:

  • Internal versus external IP addresses
  • Resource or destination IP addresses
  • Geolocation monitoring


Generally, you only need to retain logs for 30 days. In some cases, compliance requirements might make that 90 days. In either case, you want to set the right indexing times so that you can keep the data for as long as you need it while not overwhelming your storage capacity.


To get quick insights, you should start by setting up the dashboards to see the important information quickly. Graylog Iluminate includes pre-built dashboards based on our schema. This means that you can set dashboards that give you visualizations for things like:

  • Networks type
  • IP address
  • Threat intelligence

This not only makes investigations easier, but it lets you see things like what hosts an IP address talked to, bytes transmitted, and IP reputation.

Having prebuilt dashboards or searches around IPs or names will help you quickly find real-time or historical data. Instead of taking 20-30 minutes by building a search, you should be able to get answers within a few seconds, even if you’re reviewing historical data.


To get the most out of your logs, you need alerts that provide you with the information that helps you rapidly detect threats.


Remote employees are at a higher risk for credential theft attacks. To detect potential security events in a remote or hybrid workforce, you need security logs and unusual logon alerts. Using highly targeted alerting rules will generally trigger fewer alerts, reduce alert fatigue, and prioritize risk. Unfortunately, to narrow the output, you can find yourself writing and maintaining many very complex alerts.


Graylog Logins Filter


For more efficient alerts, consider some of the following alerts:

  • Geolocation: based on country, or even by city
  • Time of day: based on outlier behaviors such as late afternoon or evening
  • Number of logins: setting baselines for excess numbers of logins per day or during a given timeframe
  • Multiple locations: tracking multiple account logins from different IP addresses

VPN licensing limits

With so many users logging in remotely, you need visibility into your VPN license usage, or employees won’t be able to do their jobs. Too many users VPNing into your network can make it seem like the firewall broke. In reality, you needed more licenses.

Graylog Licensing Limits Filter


With Graylog, you can capsule your VPN sessions coming in. You can run a rule every hour that collects logs based on the number of concurrent connections open in your firewall. You can use this to set a threshold limit that notifies you when you’re close to exceeding your number of licenses. For example, you could set the threshold at 90% that gives you visibility into employee network use and whether you need additional licenses.


Organizations accelerated their digital transformation strategies an average of 6 years in 2020. IT teams struggled to keep businesses running more than anything else. As a result, many didn’t have the time to check their tools daily, including IPSs, firewalls, intrusion detection services, and different logging solutions.


Graylog Archive Catalog

Once everything settles, teams will need to go back and review this information. Graylog’s archiving makes it easier for teams to reimport logs to review them and look for the different patterns that show themselves. You can review your saved dataset with archiving, pulling logs back in, and running them through log analysis dashboards to see your irregular traffic patterns.


You never know what you’re going to miss until it’s missed. You want to have all the relevant log data around firewall rules, but having it all in there can create too much noise. Graylog’s log management software helps filter out the noise through our pipelines and streams so you can have the right dashboards. Using prebuilt correlation and alert rules, you’re ready to view log data quickly and efficiently.


Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.