The most important thing you can do with a firewall is collect and analyze its Syslog information.
Firewall logs should be inspected on a regular basis. Always make sure the Syslog collector or server is configured to archive older information and that disk space is not completely consumed.
The Syslog collector or server should be sized according to the following parameters:
The number of firewalls and other network devices sending Syslog messages to the Syslog server
The number of Syslog events per second (usually called EPS) generated by all devices
How long Syslog information should be kept available
Consider the type of information you want to get from your firewall logs. Here are some examples:
Connections permitted ...