VPN and Firewall Log Management

March 10, 2021

The hybrid workforce is here to stay. With that in mind, you should start putting more robust cybersecurity controls in place to mitigate risk. Virtual private networks (VPNs) help secure data, but they are also challenging to bring into your log monitoring and management strategy. VPN and firewall log management gives real-time visibility into security risks.

Monitoring VPN and firewall logs

Many VPN and firewall log monitoring problems are similar to log management in general. 

Different log formats

Each firewall has its own log format, and the format can change from version to version. For example, right now, two of the most popular firewalls are Cisco ASA and Palo Alto. Cisco’s format differs from Palo Alto’s, but Palo Alto 8.0 also differs from Palo Alto 9.0.

Palo Alto 9.0 log entries include more metadata fields and a new SD-WAN section. This means your current parsers might not get the data that you want. It becomes a constant battle to keep up with the new parsers and the new fields that firewall logs have. 

Level to log

On some firewalls, like an ASA, if you log at the informational level, you get normal log messages, like buildups and teardowns. However, if you put it to the debug level, you get a lot more data that exponentially grows your log data patterns. Where you usually get 1 million logs, you’re not up to 5 million when in debug mode. 

Importing logs

Firewalls also use different protocols for importing them. Many use the Syslog format, but some proprietary firewalls use others. For example, Checkpoint uses OPSEC-LEA that requires a special agent to go off and query that to pull logs in. 

Tips for getting started with VPN and firewall log management

Securing your hybrid workforce will require becoming more comfortable with VPN and firewall logs. To mature your security, you need to start collecting, aggregating, correlating, and analyzing these logs as soon as possible. 

Graylog Alert Stages

Set the schema

Logging logs correctly means getting the right information coming in and depends on your firewall version. First, you want to put all the log files into a schema that normalizes data points into specific fields. Graylog Illuminate includes schema to help with this so that customers can create dashboards that give meaningful visibility. 

Normalize and parse the data

To make your log data useful, you need to normalize the data with a single, comparable format. Then you can break apart the log message and do additional checks. 

For example, you might want to create a dashboard around a source IP that shows up no matter what firewall version you’re using. You want to normalize that data when you bring it in. This lets you break the big log message into smaller, easy-to-read fields. In Graylog, you can do this through pipeline rules and enrichment. 

Now that you’ve parsed the data, you can review the logs more meaningfully. You can start looking at things like:

  • Internal versus external IP addresses
  • Resource or destination IP addresses
  • Geolocation monitoring

Set up indexes

Generally, you only need to retain logs for 30 days. In some cases, compliance requirements might make that 90 days. In either case, you want to set the right indexing times so that you can keep the data for as long as you need it while not overwhelming your storage capacity. 

Use pre-built dashboards 

To get quick insights, you should start by setting up the dashboards to see the important information quickly. Graylog Iluminate includes pre-built dashboards based on our schema. This means that you can set dashboards that give you visualizations for things like: 

  • Networks type
  • IP address
  • Threat intelligence

This not only makes investigations easier, but it lets you see things like what hosts an IP address talked to, bytes transmitted, and IP reputation. 

Having prebuilt dashboards or searches around IPs or names will help you quickly find real-time or historical data. Instead of taking 20-30 minutes by building a search, you should be able to get answers within a few seconds, even if you’re reviewing historical data. 

Getting the right information from logs 

To get the most out of your logs, you need alerts that provide you with the information that helps you rapidly detect threats. 

Unusual logins

Remote employees are at a higher risk for credential theft attacks. To detect potential security events in a remote or hybrid workforce, you need security logs and unusual logon alerts. Using highly targeted alerting rules will generally trigger fewer alerts, reduce alert fatigue, and prioritize risk. Unfortunately, to narrow the output, you can find yourself writing and maintaining many very complex alerts.

Graylog Logins Filter

For more efficient alerts, consider some of the following alerts:

  • Geolocation: based on country, or even by city
  • Time of day: based on outlier behaviors such as late afternoon or evening
  • Number of logins: setting baselines for excess numbers of logins per day or during a given timeframe
  • Multiple locations: tracking multiple account logins from different IP addresses

VPN licensing limits

With so many users logging in remotely, you need visibility into your VPN license usage, or employees won’t be able to do their jobs. Too many users VPNing into your network can make it seem like the firewall broke. In reality, you needed more licenses. 

Graylog Licensing Limits Filter

With Graylog, you can capsule your VPN sessions coming in. You can run a rule every hour that collects logs based on the number of concurrent connections open in your firewall. You can use this to set a threshold limit that notifies you when you’re close to exceeding your number of licenses. For example, you could set the threshold at 90% that gives you visibility into employee network use and whether you need additional licenses. 


Organizations accelerated their digital transformation strategies an average of 6 years in 2020. IT teams struggled to keep businesses running more than anything else. As a result, many didn’t have the time to check their tools daily, including IPSs, firewalls, intrusion detection services, and different logging solutions. 

Graylog Archive Catalog

Once everything settles, teams will need to go back and review this information. Graylog’s archiving makes it easier for teams to reimport logs to review them and look for the different patterns that show themselves. You can review your saved dataset with archiving, pulling logs back in, and running them through log analysis dashboards to see your irregular traffic patterns.

Graylog: Centralized Log Management for Managing VPN and Firewall Logs

You never know what you're going to miss until it's missed. You want to have all the relevant log data around firewall rules, but having it all in there can create too much noise. Graylog’s log management software helps filter out the noise through our pipelines and streams so you can have the right dashboards. Using prebuilt correlation and alert rules, you’re ready to view log data quickly and efficiently.

Happy Logging

Get Graylog

See Demo