AIMultiple ResearchAIMultiple Research

Firewall Audit Logs: Analysis and 6 Steps for Improvement in 2024

Written by
Cem Dilmegani
Cem Dilmegani
Cem Dilmegani

Cem is the principal analyst at AIMultiple since 2017. AIMultiple informs hundreds of thousands of businesses (as per Similarweb) including 60% of Fortune 500 every month.

Cem's work focuses on how enterprises can leverage new technologies in AI, automation, cybersecurity(including network security, application security), data collection including web data collection and process intelligence.

View Full Profile
Researched by
Ezgi Alp
Ezgi Alp
Ezgi Alp
Ezgi is an industry analyst at AIMultiple. She specializes in firewalls and firewall management.

She has held various positions in academia and the finance industry. Ezgi holds a PhD in finance and a bachelor's degree in management. She has a background in publishing scientific articles and presenting at conferences.

• Tanyeri A. B., and Alp E. (2022).
View Full Profile
Firewall Audit Logs: Analysis and 6 Steps for Improvement in 2024Firewall Audit Logs: Analysis and 6 Steps for Improvement in 2024

Firewall logging is essential for monitoring, analyzing, and auditing network traffic to detect potential security threats and attacks at an early stage. In the realm of cybersecurity, the management and analysis of firewall audit logs play a pivotal role in fortifying network defenses and upholding regulatory standards.

Firewall audit complements logging by systematically evaluating firewall configurations, rule sets, and policies to ensure they align with security best practices and compliance requirements, further enhancing the overall security posture of an organization’s network infrastructure. Businesses looking for firewall audit solutions may explore firewall audit software.

What is firewall logging?

This image represents how firewall audit logs are created and rotated.

Firewall logging is the process of recording activities that occur within a firewall system, including the source of data packets and the protocols used. Firewall logging provides insights into network traffic, security threats and vulnerabilities. 

Firewall audit logs

Firewall audit logs offer a time-ordered account of system events, encompassing user activities, access attempts, and configuration modifications, vital for security surveillance and compliance assessments. Derived from firewall audit logs, they significantly assist in monitoring and analyzing firewall management activities.

These logs, stored in log data or a data lake, can be accessed through the web interface or command line interface. They help in generating reports, analyzing traffic patterns, and verifying security configurations.

Firewall rules and standards

Audit logs capture the implementation and execution of firewall rules, providing visibility into how the firewall is enforcing security policies and handling network traffic. In turn, adherence to established rules and standards ensures that firewall activities are aligned with security objectives, compliance requirements, and operational best practices.

For more detailed information, please refer to the article on firewall compliance.

Firewall security standards

They encompass guidelines, requirements, and specifications aimed at securing firewall configuration and management. Adhering to these standards is crucial for organizations to safeguard their internal networks from threats and enhance their security posture. Common firewall security standards include ISO, NIST, GDPR, PCI-DSS, PSD2, FINRA, SOX, DORA, DISA STIG, HIPAA, FISMA, and NERC CIP.

Firewall rules

They are also referred to as rule sets or rule bases, consisting of specific configurations within a firewall that dictate how incoming and outgoing network traffic should be handled. These rules determine whether traffic should be allowed, blocked, or redirected based on defined criteria, effectively controlling network communication and access. The five main firewall rules include deny all, least privilege, explicit allow, explicit deny, and stateful inspection.

Different levels of firewall logs

Firewall logs typically operate on a variety of levels, from low level of details to high level of details, depending on the configuration and the types of events they capture.

  1. Low level of details in firewall logs

Some logs may contain basic information about network traffic like source and destination IP addresses, ports, protocols, and actions taken by the firewall (allowing or blocking traffic). These levels are suitable for monitoring authentication events and administrative change events, such as modifications to low-level kernel settings, firewall status, or user objects on a computer.

  1. High level of details in firewall logs

Some other logs may provide more comprehensive insights, including user names and application names. These higher levels of logging are suitable for computers managing sensitive information or those operating in high-risk security environments, as they can help confirm potential system compromises, especially when accessing systems remotely.

Determining the appropriate log level for your firewall involves balancing your security objectives, compliance needs, and available resources. It’s crucial to strike a balance between the need for visibility and analysis and the potential impact on performance and storage requirements.

Log retention

Effective firewall logging is essential for network security, and log retention ensures that valuable information is stored for future analysis and forensic investigation purposes. Log retention refers to the practice of storing log files for a specified duration, determined by legal or operational requirements, before deletion. To ensure data integrity, logs should be archived in a specific format and stored securely offsite, using appropriate backup media based on budget and other considerations. 

Log retention periods vary based on organizational policies and the value of data. Data with little value may not be stored at all, while data important for system administration but not log management infrastructure can be kept at the system level only. Most enterprises keep audit logs, IDS logs, and firewall logs for at least two months. Some regulations mandate retention periods ranging from six months to seven years.

Figure 1: Shows the firewall management system settings on log retention
This image shows the firewall management system settings on log retention, the practice of storing firewall audit logs.

Source: AlgoSec1

How to improve a firewall logging in 6 steps

1. Use a centralized log management system

  • Utilize a centralized log management system to receive, store, normalize, and index logs from all firewalls.
  • Achieve a unified view of network activity and security status for comprehensive monitoring and reporting.

This practice provides a unified view of network activity and security status for comprehensive monitoring and reporting and enables efficient log storage, normalization, and indexing from all firewalls for effective analysis.

Figure 2: Shows the control panel of a firewall management system
This image shows the control panel of a firewall management system, used to reach firewall audit logs

Source: Tufin2

2. Choose the right logging level

  • Configure your firewall to log relevant network traffic based on security objectives and compliance requirements.
  • Balance visibility and analysis needs with performance and storage impact.

This balances visibility and analysis needs with performance and storage impact for optimized logging.

3. Enable comprehensive logging

  • Ensure all relevant network traffic is logged, including allowed and denied connections.
  • Provide a complete view of network activity for effective monitoring and analysis.

This practice provides a comprehensive record of events for effective monitoring, analysis, and threat detection.

4. Enable log rotation and retention

  • Implement log retention policies based on legal and operational requirements to manage log files efficiently.
  • Set up log rotation to create new log files periodically and archive or delete old logs based on time or size limits.

It helps to manage log files efficiently and ensures maintaining the integrity and accessibility of audit trail logs.

5. Secure audit trail

  • For secure firewall log storage, it’s advisable to store and analyze firewall logs in a centralized server rather than locally, where they are initially stored when logging is enabled.

This practice protects audit logs from unauthorized access or tampering, ensuring the accuracy and reliability of log data. The image displayed below shows an audit trail of a firewall audit software.

Figure 3: Image of audit trail of a firewall management system
This is the image of audit trail of a firewall management system, shows the change in firewall audit logs.

Source: Tufin3

6. Apply filters and alerts

  • Use filters to focus on relevant log entries and exclude noise and irrelevant information.
  • Configure alerts to trigger notifications or actions for specific events or patterns, streamlining log analysis and response processes.

This approach reduces noise and irrelevant information in audit logs while enabling timely detection and response to security incidents.


What are audit log entries?

Audit log entries refer to the recorded documentation of activities within the software systems utilized throughout an organization, including details such as event occurrences, timestamps, responsible users or services, and impacted entities.

What should I look for in firewall audit logs?

When reviewing firewall audit logs, focus on unauthorized access attempts, rule modifications, denied connections, traffic anomalies, logging errors, traffic patterns, and compliance checks to maintain network security.

Further reading

Find the Right Vendors
Access Cem's 2 decades of B2B tech experience as a tech consultant, enterprise leader, startup entrepreneur & industry analyst. Leverage insights informing top Fortune 500 every month.
Cem Dilmegani
Principal Analyst
Follow on
Cem Dilmegani
Principal Analyst

Cem is the principal analyst at AIMultiple since 2017. AIMultiple informs hundreds of thousands of businesses (as per Similarweb) including 60% of Fortune 500 every month.

Cem's work focuses on how enterprises can leverage new technologies in AI, automation, cybersecurity(including network security, application security), data collection including web data collection and process intelligence.

Cem's work has been cited by leading global publications including Business Insider, Forbes, Washington Post, global firms like Deloitte, HPE, NGOs like World Economic Forum and supranational organizations like European Commission. You can see more reputable companies and media that referenced AIMultiple.

Cem's hands-on enterprise software experience contributes to the insights that he generates. He oversees AIMultiple benchmarks in dynamic application security testing (DAST), data loss prevention (DLP), email marketing and web data collection. Other AIMultiple industry analysts and tech team support Cem in designing, running and evaluating benchmarks.

Throughout his career, Cem served as a tech consultant, tech buyer and tech entrepreneur. He advised enterprises on their technology decisions at McKinsey & Company and Altman Solon for more than a decade. He also published a McKinsey report on digitalization.

He led technology strategy and procurement of a telco while reporting to the CEO. He has also led commercial growth of deep tech company Hypatos that reached a 7 digit annual recurring revenue and a 9 digit valuation from 0 within 2 years. Cem's work in Hypatos was covered by leading technology publications like TechCrunch and Business Insider.

Cem regularly speaks at international technology conferences. He graduated from Bogazici University as a computer engineer and holds an MBA from Columbia Business School.

Sources: Traffic Analytics, Ranking & Audience, Similarweb.
Why Microsoft, IBM, and Google Are Ramping up Efforts on AI Ethics, Business Insider.
Microsoft invests $1 billion in OpenAI to pursue artificial intelligence that’s smarter than we are, Washington Post.
Data management barriers to AI success, Deloitte.
Empowering AI Leadership: AI C-Suite Toolkit, World Economic Forum.
Science, Research and Innovation Performance of the EU, European Commission.
Public-sector digitization: The trillion-dollar challenge, McKinsey & Company.
Hypatos gets $11.8M for a deep learning approach to document processing, TechCrunch.
We got an exclusive look at the pitch deck AI startup Hypatos used to raise $11 million, Business Insider.

To stay up-to-date on B2B tech & accelerate your enterprise:

Follow on

Next to Read


Your email address will not be published. All fields are required.