June 22, 2017
Collecting Firewall and Router Logs
Syslog is a standard for message logging. Each message is labeled with a facility code and a severity label. The standard port for collecting logs is UDP 514.
Syslog gives information about system events, interfaces up / down, route changes, configuration changes, and any other system level event. If logging levels are set correctly, it can also give you Network Address Translation (NAT) information.
An example of a Syslog output from a Cisco ASA firewall is provided below:
06/19/2017 16:10:56.848 -0400 fw- -asa <164>%ASA-4-106023: Deny udp src outside:114.199.162.X/23276 dst inside: /1900 by access-group "acl-out" [0x0, 0x0]
06/19/2017 16:10:56.845 -0400 fw- -asa <166>%ASA-6-302013: Built inbound TCP connection 1864305098 for outside:151.225.163.X/51681 (151.225.163.X/51681) to inside: /443 ( /443)
06/19/2017 16:10:56.844 -0400 fw-usr-asa <166>%ASA-6-106100: access-list acl-out permitted tcp outside/151.225.163.X(51681) -> inside/ (443) hit-cnt 1 first hit [0xcde53b26, 0xf56d443a]
Explanation of the Syslog messages:
106023: A real IP packet was denied by the ACL. Recommended Action: A footprinting or port scanning attempt might be occurring.
302013: A connection slot between two hosts was created.
106100: The initial or the total number of occurrences during an interval are listed. The values specify if the packet was permitted or denied by the ACL.
NetFlow was introduced on Cisco routers and provides the ability to collect IP network statistics, including packet counts. It will not alert on system events like interface down. By analyzing NetFlow data, a network administrator can determine the source and destination of traffic, protocols, duration of communication, etc. Typically, third-party middleware like NetFlow Integrator is used to capture NetFlow data and export it in a readable format for ingestion into a log collector / SIEM. The current version of NetFlow is v10.
An example of NetFlow output from a Cisco ASA firewall is provided below:
1 06/19/2017 16:35:32.000 -0400 ASA Netflow <110>Jun 19 16:35:32 00:00:00:00 nfc_id=20001 exp_ip= nf_f_conn_id=2878799907 src_ip= src_port=51292 input_snmp=15 dest_ip=173.241.154.X dest_port=443 output_snmp=14 protocol=6 nf_f_icmp_type=0 nf_f_icmp_code=0 nf_f_xlate_src_addr_ipv4= nf_f_xlate_dst_addr_ipv4=173.241.154.X nf_f_xlate_src_port=51292 nf_f_xlate_dst_port=443 nf_f_fw_event="5 - " nf_f_fw_ext_event=2031 nf_f_event_time_msec=1497904532610 nf_f_fwd_flow_delta_bytes=284 nf_f_rev_flow_delta_bytes=152 nf_f_flow_create_time_msec=1497904496097
Notice the details the NetFlow data provides, including connection ID, source IP, source port, destination IP, destination port, ICMP code and type, translated source port, translated destination port, etc.
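Both the facility/severity label on the Syslog lines and the fields of the NetFlow record can be pulled apart mechanically before the data reaches a log collector / SIEM. The following Python is an added example, not part of the original post; the function names are illustrative, and its inputs are the sample lines shown on this page.

```python
import re

# Both samples are the lines shown above, with redacted fields left empty as they appear.
SYSLOG_LINE = ('06/19/2017 16:10:56.848 -0400 fw- -asa <164>%ASA-4-106023: Deny udp src '
               'outside:114.199.162.X/23276 dst inside: /1900 by access-group "acl-out" [0x0, 0x0]')
NETFLOW_LINE = ('1 06/19/2017 16:35:32.000 -0400 ASA Netflow <110>Jun 19 16:35:32 00:00:00:00 '
                'nfc_id=20001 exp_ip= nf_f_conn_id=2878799907 src_ip= src_port=51292 '
                'input_snmp=15 dest_ip=173.241.154.X dest_port=443 output_snmp=14 protocol=6 '
                'nf_f_icmp_type=0 nf_f_icmp_code=0 nf_f_xlate_src_addr_ipv4= '
                'nf_f_xlate_dst_addr_ipv4=173.241.154.X nf_f_xlate_src_port=51292 '
                'nf_f_xlate_dst_port=443 nf_f_fw_event="5 - " nf_f_fw_ext_event=2031 '
                'nf_f_event_time_msec=1497904532610 nf_f_fwd_flow_delta_bytes=284 '
                'nf_f_rev_flow_delta_bytes=152 nf_f_flow_create_time_msec=1497904496097')

SEVERITY = ("emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug")
ASA_RE = re.compile(r"<(\d{1,3})>%ASA-([0-7])-(\d{6}): (.*)")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')  # value may be quoted, bare, or empty

def decode_pri(pri):
    """Split a syslog PRI into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)

def parse_asa_syslog(line):
    """Return facility, severity and ASA message id, or None for a non-ASA line."""
    m = ASA_RE.search(line)
    if m is None:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": SEVERITY[severity],
            "asa_level": int(m.group(2)), "msg_id": m.group(3), "text": m.group(4)}

def parse_netflow_kv(line):
    """Parse the key=value fields and derive flow duration and byte total."""
    rec = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    try:
        rec["duration_ms"] = (int(rec["nf_f_event_time_msec"])
                              - int(rec["nf_f_flow_create_time_msec"]))
        rec["total_bytes"] = (int(rec["nf_f_fwd_flow_delta_bytes"])
                              + int(rec["nf_f_rev_flow_delta_bytes"]))
    except (KeyError, ValueError):  # counters or timestamps missing or redacted
        rec["duration_ms"] = rec["total_bytes"] = None
    return rec

if __name__ == "__main__":
    print(parse_asa_syslog(SYSLOG_LINE))
    print(parse_netflow_kv(NETFLOW_LINE))
```

For the first Syslog sample, PRI 164 decodes to facility 20 (local4) and severity 4, which agrees with the 4 in %ASA-4-106023; the NetFlow record works out to a connection lasting 36,513 ms and carrying 436 bytes in both directions.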
It is possible to use both Syslog and NetFlow. Syslog does not have any overhead, but NetFlow may place a load on the CPU when utilized. Also, the volume of NetFlow data can be quite large.
So, which one is right for you? My recommendation:
Internet router: Syslog to monitor system events, bandwidth, BGP status. Export to log collector / SIEM and set up alerts.
Internet firewall: Syslog for events, NetFlow for traffic analysis including NAT data. Export to log collector / SIEM and set up machine learning.
Core routers: Syslog to monitor system events, route changes, etc. Export to log collector / SIEM and set up alerts.
Comments? Suggestions? Put them below.