Actually, there is a feature that is specifically meant for this use-case and allows you to reduce the noise of highly repeating logs.
It's not called "partial logging", but "Session Logs".
If you open the Track settings on your rule with logging, you will see the default logging configuration:
These default settings tell the gateway to create a new log for each connection attempt. In the case of DNS, indeed that means many logs that look the same as machines create a DNS request (and connection) for every DNS resolving.
You can of course switch that rule to Track=None, but that indeed leaves you blind to all this traffic and requests.
Instead, you can modify the Track settings to look like the below:
Deactivate "per Connection" logs and activate "per Session" logs.
Session logs are an aggregation of all connection logs that have the same significant parameters (source, destination, port, action, user, ...). Once a new connection is opened a session log will be sent. Subsequent connections (that share the same significant parameters) will not send another log, instead every 10 minutes a log update will be sent on the session to state how many connections were seen in that time period. That way, if you double click a session log, you can still see how many connection, without having a dedicated log row for each connection.
This reduces the noise and also reduces the load on your log server. We've seen customers reduce their total logging by 30%-60% by utilizing Session logs on noisy rules.
Actually, there is a feature that is specifically meant for this use-case and allows you to reduce the noise of highly repeating logs.
It's not called "partial logging", but "Session Logs".
If you open the Track settings on your rule with logging, you will see the default logging configuration:
These default settings tell the gateway to create a new log for each connection attempt. In the case of DNS, indeed that means many logs that look the same as machines create a DNS request (and connection) for every DNS resolving.
You can of course switch that rule to Track=None, but that indeed leaves you blind to all this traffic and requests.
Instead, you can modify the Track settings to look like the below:
Deactivate "per Connection" logs and activate "per Session" logs.
Session logs are an aggregation of all connection logs that have the same significant parameters (source, destination, port, action, user, ...). Once a new connection is opened a session log will be sent. Subsequent connections (that share the same significant parameters) will not send another log, instead every 10 minutes a log update will be sent on the session to state how many connections were seen in that time period. That way, if you double click a session log, you can still see how many connection, without having a dedicated log row for each connection.
This reduces the noise and also reduces the load on your log server. We've seen customers reduce their total logging by 30%-60% by utilizing Session logs on noisy rules.
| User | Count |
|---|---|
| 8 | |
| 8 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | |
| 2 |
Tue 21 May 2024 @ 10:00 AM (CEST)
CheckMates Live DACH - Einführung in Check Points Hyperscalinglösung - Quantum MaestroWed 22 May 2024 @ 10:00 AM (BRT)
Brazil: Desafios e melhores práticas na gestão de CibersegurançaTue 28 May 2024 @ 01:00 PM (SGT)
APAC: Evaluating Azure Virtual WAN security: Five customer use casesTue 21 May 2024 @ 10:00 AM (CEST)
CheckMates Live DACH - Einführung in Check Points Hyperscalinglösung - Quantum MaestroWed 22 May 2024 @ 10:00 AM (BRT)
Brazil: Desafios e melhores práticas na gestão de CibersegurançaWed 05 Jun 2024 @ 02:00 PM (PDT)
Orange County, CA: CPX 2024 Highlights, AI-Driven Cyberthreats, and Quantum Computing
