[logs] SIM solution - Objectives ? (Firewall logging)

Eric Fitzgerald Eric.Fitzgerald at microsoft.com
Tue May 29 12:20:01 PDT 2007


mjr wrote:
> As far back as I can remember (and that's a long way!) some of
> us have been saying that permit log entries are more important
> than deny.

Generalizing, I think that the same is true of almost ANY audit trail.

One minor behavioral difference you might notice is that failures/denies
in non-firewall logs tend to be caused more often by misconfiguration
than by malice, at least in my experience.  YMMV.

Eric Fitzgerald
Microsoft Corporation


