Topic: Logging sucks (Read 3464 times)
VanguardLH
Comodo Family Member
***
Offline Offline

Posts: 84


« on: May 16, 2008, 05:49:03 PM »

I cannot find a global option to enable/disable firewall logging for ALL policies (predefined and applications).  Instead I have to go to every rule for each predefined policy and enable logging.  Then I have to go to every application policy and each rule within it to enable logging on that rule.  When I decide to turn off logging, I have to repeat this highly laborious process.  I have hundreds of application rules.  Oh joy, how I love going through each one to enable logging and then again to disable logging, and having to remember to do the same when a new application policy is defined ... NOT!  Not having a global on/off option for logging just sucks.

Then after spending a long time enabling logging on every rule in every predefined and application policy, I test the logging and find that many events never get logged or they are not logged reliably.  I connect from another host using NetBIOS for file sharing (ports 135, 137-139) and maybe once out of 3 times is there a logged event of the connection.  I have Outlook connect to SpamPal, a local anti-spam proxy, which then connects to the POP3 mail host.  When Outlook polls for new mail, I see the event for the connection from Outlook to SpamPal (at 127.0.0.1 for localhost) but there is no event recorded for the connection from SpamPal to the POP3 mail host.  And, yes, logging is enabled on both the Outlook and SpamPal application policies.

The inability of flipping logging on and off (and for ALL connects) and then missing some connects that were supposed to be logged pretty much obviates the use of logging in Comodo's v3 firewall to know what is going on in my system.
sded
Guest
« Reply #1 on: May 16, 2008, 05:57:21 PM »

Look at miscellaneous/settings/logging, where you can turn all firewall and d+ logging on and off (separately).  The logging is selective in any case (by the program, unfortunately) so there is no way to directly get a really complete log.   
VanguardLH
« Reply #2 on: May 17, 2008, 04:42:13 AM »

The misc settings only let me set the size of the logging, and to disable logging (and enable if I deselect the disable).  Those were already set up to increase the logfile from 2MB to 10MB and the logging disables were NOT selected (so logging was enabled).  Yet I got nothing in the logs.  Only a couple of policies had rules within them where they blocked and logged.  I wanted logging enabled for ALL policies and ALL rules within them so I could monitor ALL traffic that was going through the firewall.  It took something like an hour, or more, of finding out where I had to enable logging on every rule in every policy along with going through all the policies and rules for each to enable logging.  Yes, this allows me very fine granularity in what I log but then that level of granularity isn't wanted nor is it easy to configure.  That's like wanting to put a couple of teaspoons of sugar in your couple but doing so by using a microscope and tweezers to add the sugar one grain at a time.  Ease-of-use was obviously not considered by the developers who think workarounds are sufficient.
Vettetech
Guest
« Reply #3 on: May 17, 2008, 06:14:49 AM »

Why in the world do you want to log everything? That can actually slow your PC down. You can make a global rule to log everything if that's what you want.
panic
Global Moderator
Comodo's Hero
*****
Offline Offline

Posts: 7513


... and I say to myself, "What a wonderful world"


« Reply #4 on: May 17, 2008, 08:38:45 AM »

Quote
Ease-of-use was obviously not considered by the developers who think workarounds are sufficient.

Of course, the development team are concerned with usability. Can you please add this (toggle to allow log all and log none) to the Firewall Wishlist topic? The developers can, and do, monitor that thread and it has been responsible for more than a few refinements to the firewall.

Thanks in advance,
Ewen :-)

As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you don't like it, don't use the forum.
VanguardLH
« Reply #5 on: May 17, 2008, 02:20:14 PM »

Quote
Why in the world do you want to log everything? That can actually slow your PC down. You can make a global rule to log everything if that's what you want.
Yes, logging can slow the firewall and the traffic through it.  That's why I'd like a global option to immediately and easily enable all logging, and then immediately and easily disable it when I was through trying to see what was happening during the logging period.

Please explain the global rule that I would define that would log all traffic through the firewall.  There is already the Outgoing pre-defined policy for Comodo's processes but that doesn't log anything for the applications, just for Comodo itself. 

I'm still trying to figure out why Comodo will log the traffic between Outlook and SpamPal, both of which are local, but not from SpamPal to the mail host out on the Internet.  When a mail poll occurs, all I see is an event logged for Outlook and nothing recorded for SpamPal.
VanguardLH
« Reply #6 on: May 17, 2008, 02:22:09 PM »

Quote
Of course, the development team are concerned with usability. Can you please add this (toggle to allow log all and log none) to the Firewall Wishlist topic? The developers can, and do, monitor that thread and it has been responsible for more than a few refinements to the firewall.
I can't find an option that lets me flip a thread from one forum to another.  Maybe only a moderator or admin can do that.  If so, could you move this thread over to the wishlist forum?  Thanks.
Someone
Guest
« Reply #7 on: May 17, 2008, 02:28:56 PM »

Wishlist is a thread on "Feedback/Comments/Announcements/News"

https://forums.comodo.com/feedbackcommentsannouncementsnews/comodo_firewall_wishlist_v6-t15557.0.html;msg160910#new
sded
Guest
« Reply #8 on: May 17, 2008, 02:38:45 PM »

You may find this thread http://forums.comodo.com/empty-t16888.0.html on logging interesting, since we did a few experiments.  Logging allows are a particular problem.  Simple things like putting a global rule to log all incoming/outgoing don't work.  Most things only log the first time you execute them.  Chains of local connections only log the first one, and only once.  SPI won't log at all.  I agree that logging sucks.  There are bug reports on things that are broken, and you might check for other requests in the wishlist - there have been several.  The search tool is working again, so you can probably find some other interesting logging threads.  If you want to see the effects of your rules you can use Wireshark.  If you actually want to see a log of the rules activity, as in several other firewalls, you will need to wait until the wishlist gets around to you.  Firewall logging as a debugging aid is not something that Comodo supports.  :(
« Last Edit: May 17, 2008, 03:03:55 PM by sded »
VanguardLH
« Reply #9 on: May 17, 2008, 02:58:37 PM »

Quote
Simple things like putting a global rule to log all incoming/outgoing don't work.
I'm finding that out.  I just defined a global rule where I could enable logging.  I can't simply disable the rule to eliminate the logging, and leaving a global "allow all" rule doesn't quite seem kosher, to me.  Having to delete the rule and recreate it when I want to do logging is a nuisance, but not as much a nuisance as having to visit every policy and rule within each policy to enable logging, and do it all again to disable logging.  There is a global option to disable all firewall logging but, after I disable most logging, I still want logging on the blocked applications. 
Quote
Most things only log the first time you execute them.  Chains of local connections only log the first one, and only once.
Noticed that, too.  Can see Outlook connection to SpamPal get logged but not the connection from SpamPal to the mail host.
Quote
If you want to see the effects of your rules you can use Wireshark.
Yeah, that was under consideration, too.  While that lets me monitor all network activity, it really doesn't show me how the firewall itself is working as regards to its particular policies.
Quote
If you actually want to see a log of the rules activity, as in several other firewalls, you will need to wait until the wishlist gets around to you.  Firewall logging as a debugging aid is not something that Comodo supports.
Alas, logging is how I gauge the effectiveness of a firewall.  If I cannot monitor that it is working as configured then I have no assurance it is indeed working as configured.  The lack of adequate logging is why I've abandoned other firewalls.
Vettetech
Guest
« Reply #10 on: May 18, 2008, 12:16:13 AM »

Logging to me doesn't prove how a firewall works. Download a leak test and watch Comodo kick in. Download a known trojan or something and you will see Comodo kick in again. Comodo is the best firewall out there. Logging doesn't prove it. Sorry I guess I don't agree with you cause frankly I never look at my logs. I actually never get any logging cause my hardware firewall blocks all I need.
Someone
Guest
« Reply #11 on: May 18, 2008, 01:11:12 AM »

Firewall logs are more important (for a firewall) than the latest POC keylogger..
There can be no f doubt about that.
panic
« Reply #12 on: May 18, 2008, 05:38:23 AM »

G'day,

And therein lies, I believe, the difference between knowledge and faith.

Logging is important, if only to verify that your current configuration is doing what it is supposed to do.

Confucius said

Quote

I read and I believe.
I see and I understand.
I do and I know.


Admittedly, logs that show nothing can mean either A) nothing's happening or B) logging isn't working properly.

Ewen :-)
VanguardLH
« Reply #13 on: May 18, 2008, 05:58:59 AM »

Quote
Logging to me doesn't prove how a firewall works. Download a leak test and watch Comodo kick in. Download a known trojan or something and you will see Comodo kick in again. Comodo is the best firewall out there. Logging doesn't prove it. Sorry I guess I don't agree with you cause frankly I never look at my logs. I actually never get any logging cause my hardware firewall blocks all I need.

All you need is not what all anyone else chooses to *need*.  Look at it the opposite way.  You have an application that won't connect.  You know that if you disable the firewall then the application can connect.  So WHAT in the firewall is causing the problem?  You don't know because there is no [decent and reliable] logging.  Yeah, you could go hunt around in the global policies and then wander through the hundreds of application policies looking at the multiple rules within each one - but do you really think that is an effective means of troubleshooting the firewall?

You propose that logging is unnecessary when something gets blocked that you want to have blocked.  How about when something is blocked that you do NOT want blocked?  Are you going to forego troubleshooting the problem and simply disable the firewall during the entire time that the problematic application is loaded and leave yourself exposed that entire time just because you couldn't determine WHAT within the firewall was causing the problem?
Vettetech
Guest
« Reply #14 on: May 18, 2008, 07:36:02 AM »

Honestly I have never had that problem on any of my PCs. I know every program on my PC. I never download or install anything I do not know. My hardware firewall stops all inbounds. I use Comodo for the HIPS and program control.