p.s. Though this does beg the question: how useful is it to log port
numbers when there's a very good chance that one or both ends are
behind one or more layers of NATs that don't log state changes? I
understand and agree with the notion that LSN will dilute the value
of IP addresses as source identifiers. But as far as I can tell,
they are already of pretty marginal value even without LSN.
I'm sitting in a meeting talking about this very topic (LSN) with
people from organizations that manage a lot of users and a lot of
address space, and the consensus is that there will be enough logging
at the NAT end that it's worth logging the ports.
R's,
John