A firewall’s primary function is to control traffic. Troubleshooting authorized connections and verifying configuration changes are necessary functions that support that primary function. While we can use a firewall to detect and notify administrators of suspicious activity, there is a balance between collecting log information to support administrative functions and conserving resources (processor, bandwidth, and usability of data). As we learn what normal traffic is, we should tailor the log information to reflect that normal; sometimes an adversary will be able to cloak their activity within that normal traffic. An owner would be wise to install an Intrusion Detection System and even a Network Monitoring System in order to better detect adversarial activity. In cases where an owner chooses not to install more capable detection layers, I think that we are well served by maintaining a robust ability to detect abnormal activity using log information. We can only effectively detect abnormal activity with log information alone by reducing the noise floor generated by normal activity, so that a casual network administrator can recognize the abnormal activity.
In the case where an owner puts forth minimal effort to control traffic and correct configuration errors, we will have much less sensitivity to abnormal traffic. This is a consequence of that owner’s decisions and can only be avoided by giving up on detection entirely.
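The noise-floor reduction described above can be sketched as follows. This is an added example, not part of the original text; the key=value log layout, the field names, the `min_count` threshold and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample logs in an assumed key=value layout (not from a real device).
LEARNING_LOG = """\
2024-05-01T09:00:01 action=ALLOW proto=TCP src=10.0.0.15 dst=10.0.1.20 dport=443
2024-05-01T09:00:07 action=ALLOW proto=UDP src=10.0.0.16 dst=10.0.1.53 dport=53
2024-05-01T09:01:12 action=ALLOW proto=TCP src=10.0.0.15 dst=10.0.1.20 dport=443
2024-05-01T09:02:30 action=ALLOW proto=UDP src=10.0.0.16 dst=10.0.1.53 dport=53
2024-05-01T09:03:44 action=ALLOW proto=TCP src=10.0.0.15 dst=10.0.1.20 dport=22
2024-05-01T09:04:02 action=ALLOW proto=TCP src=10.0.0.15 dst=10.0.1.20 dport=443
"""
REVIEW_LOG = """\
2024-05-02T09:00:03 action=ALLOW proto=TCP src=10.0.0.15 dst=10.0.1.20 dport=443
2024-05-02T09:00:09 action=DENY proto=TCP src=10.0.0.99 dst=10.0.1.20 dport=3389
2024-05-02T09:00:15 action=ALLOW proto=UDP src=10.0.0.16 dst=10.0.1.53 dport=53
2024-05-02T09:00:21 action=ALLOW proto=TCP src=10.0.0.16 dst=10.0.1.20 dport=22
2024-05-02T09:00:40 action=ALLOW proto=TCP src=10.0.0.15 dst=10.0.1.20 dport=443
"""
FIELD = re.compile(r"(\w+)=(\S+)")
KEYS = ("action", "proto", "src", "dst", "dport")

def flow_key(line):
    """Reduce a log line to the tuple that defines 'the same traffic'."""
    fields = dict(FIELD.findall(line))
    if not all(k in fields for k in KEYS):
        return None  # unparseable lines are never treated as normal
    return tuple(fields[k] for k in KEYS)

def learn_baseline(log_text, min_count=2):
    """Flows seen at least min_count times in the learning window are 'normal'."""
    counts = Counter(k for k in map(flow_key, log_text.splitlines()) if k)
    return {k for k, n in counts.items() if n >= min_count}

def abnormal_lines(log_text, baseline):
    """Return only the lines an administrator still needs to read."""
    return [ln for ln in log_text.splitlines()
            if ln.strip() and flow_key(ln) not in baseline]

if __name__ == "__main__":
    baseline = learn_baseline(LEARNING_LOG)
    for line in abnormal_lines(REVIEW_LOG, baseline):
        print(line)
```

Of the five review lines, only the denied connection to port 3389 and the new source reaching port 22 remain. The two port 443 lines are suppressed no matter who generated them, which is the limit the text names: activity cloaked within normal traffic does not surface from log filtering alone.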