Collecting Firewall and Router Logs

June 22, 2017 | Views: 7346

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Syslogs vs NetFlow – Which one is right for you?


Syslog is a standard for message logging. Each message is labeled with a facility code and a severity label. Standard port for collecting logs is UDP 514.

Syslog gives information about system events, interfaces up / down, route changes, configuration changes, and any other system level event. If logging levels are set correctly, it can also give you Network Address Translation (NAT) information.

An example of a Syslog output from a Cisco ASA firewall is provided below:

06/19/2017 16:10:56.848 -0400 fw-   -asa <164>%ASA-4-106023: Deny udp src outside:114.199.162.X/23276 dst inside:              /1900 by access-group “acl-out” [0x0, 0x0]

06/19/2017 16:10:56.845 -0400 fw-   -asa <166>%ASA-6-302013: Built inbound TCP connection 1864305098 for outside:151.225.163.X/51681 (151.225.163.X/51681) to inside:              /443 (              /443) 

06/19/2017 16:10:56.844 -0400 fw-usr-asa <166>%ASA-6-106100: access-list acl-out permitted tcp outside/151.225.163.X(51681) -> inside/               (443) hit-cnt 1 first hit [0xcde53b26, 0xf56d443a]

Explanation of the Syslog messages:

106023: A real UP packet was denied by the ACL. Recommended Action: A footprinting or port scanning attempt might be occurring.

302013: A connection slot between two hosts was created.

106100: The initial or the total number of occurrences during an interval are listed. The values specify if the packet was permitted or denied by the ACL.


NetFlow was introduced on Cisco routers and provides the ability to collect IP network statistics, including packet counts. It will not alert on system events like interface down. A network administrator, by analyzing NetFlow data, can determine source and destination of traffic, protocols, duration of communication etc. Typically a third party middleware like NetFlow Integrator is used to capture NetFlow data and export into a readable format for ingestion into log collector / SIEM. The current version of NetFlow is v10.

Example of a NetFlow output from a Cisco ASA firewall is provided below:

1    06/19/2017 16:35:32.000 -0400    ASA Netflow <110>Jun 19 16:35:32                00:00:00:00 nfc_id=20001 exp_ip=               nf_f_conn_id=2878799907 src_ip=                src_port=51292 input_snmp=15 dest_ip=173.241.154.X dest_port=443 output_snmp=14 protocol=6 nf_f_icmp_type=0 nf_f_icmp_code=0 nf_f_xlate_src_addr_ipv4=                 nf_f_xlate_dst_addr_ipv4=173.241.154.X nf_f_xlate_src_port=51292 nf_f_xlate_dst_port=443 nf_f_fw_event=”5 – ” nf_f_fw_ext_event=2031 nf_f_event_time_msec=1497904532610 nf_f_fwd_flow_delta_bytes=284 nf_f_rev_flow_delta_bytes=152 nf_f_flow_create_time_msec=1497904496097

Notice the details the NetFlow data provides, including connection id, source ip, source port, destination ip, destination port, icmp code & type, translated source port, translated destination port, etc.

It is possible to use both Syslogs and NetFlow. Syslog does not have any overhead but NetFlow may place a load on CPU when utilized. Also, the volume of NetFlow data can be quite large.

So, which one is right for you? My recommendation:

Internet router: Syslog to monitor system events, bandwidth, BGP status. Export to log collector / SIEM and setup alerts.

Internet firewall: Syslog for events, NetFlow for traffic analysis including NAT data. Export to log collector / SIEM and setup machine learning.

Core routers: Syslog to monitor system events, route changes, etc. Export to log collector / SIEM and setup alerts.

Comments? Suggestions? Put them below.


Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Thank you Burhanuddin1436

  2. Netflow gives you excellent insight into connections – who’s talking to whom, but what protocol and for how long. Qualify/quantify all your traffic with ease.
    Syslog sends/gets all the system messages, error messages, IDS messages, etc. Identify high CPU utilzation, access-list hits, system errors, interface down messages, etc.
    It is best to have both!Here is also a biggest infosec firewall collection.

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge



Is Linux Worth Learning in 2020?
Views: 740 / December 14, 2019
How do I Get MTA Certified?
Views: 1312 / December 12, 2019
How much does your PAM software really cost?
Views: 1749 / December 10, 2019
How Do I Get into Android Development?
Views: 2139 / December 8, 2019

We recommend always using caution when following any link

Are you sure you want to continue?