Syslogs vs NetFlow – Which one is right for you?
Syslog:
Syslog is a standard for message logging. Each message is labeled with a facility code and a severity level. The standard port for collecting logs is UDP 514.
Syslog gives information about system events, interfaces up / down, route changes, configuration changes, and any other system level event. If logging levels are set correctly, it can also give you Network Address Translation (NAT) information.
An example of a Syslog output from a Cisco ASA firewall is provided below:
06/19/2017 16:10:56.848 -0400 fw- -asa <164>%ASA-4-106023: Deny udp src outside:114.199.162.X/23276 dst inside: /1900 by access-group "acl-out" [0x0, 0x0]
06/19/2017 16:10:56.845 -0400 fw- -asa <166>%ASA-6-302013: Built inbound TCP connection 1864305098 for outside:151.225.163.X/51681 (151.225.163.X/51681) to inside: /443 ( /443)
06/19/2017 16:10:56.844 -0400 fw-usr-asa <166>%ASA-6-106100: access-list acl-out permitted tcp outside/151.225.163.X(51681) -> inside/ (443) hit-cnt 1 first hit [0xcde53b26, 0xf56d443a]
Explanation of the Syslog messages:
106023: A real IP packet was denied by the ACL. Recommended Action: a footprinting or port scanning attempt might be occurring.
302013: A connection slot between two hosts was created.
106100: The initial or the total number of occurrences during an interval is listed. The values specify whether the packet was permitted or denied by the ACL.
NetFlow:
NetFlow was introduced on Cisco routers and provides the ability to collect IP network statistics, including packet counts. It does not alert on system events such as an interface going down. By analyzing NetFlow data, a network administrator can determine the source and destination of traffic, protocols, duration of communication, etc. Typically, third-party middleware such as NetFlow Integrator is used to capture NetFlow data and export it in a readable format for ingestion into a log collector / SIEM. The current version of NetFlow is v10.
Example of a NetFlow output from a Cisco ASA firewall is provided below:
1 06/19/2017 16:35:32.000 -0400 ASA Netflow <110>Jun 19 16:35:32 00:00:00:00 nfc_id=20001 exp_ip= nf_f_conn_id=2878799907 src_ip= src_port=51292 input_snmp=15 dest_ip=173.241.154.X dest_port=443 output_snmp=14 protocol=6 nf_f_icmp_type=0 nf_f_icmp_code=0 nf_f_xlate_src_addr_ipv4= nf_f_xlate_dst_addr_ipv4=173.241.154.X nf_f_xlate_src_port=51292 nf_f_xlate_dst_port=443 nf_f_fw_event="5 - " nf_f_fw_ext_event=2031 nf_f_event_time_msec=1497904532610 nf_f_fwd_flow_delta_bytes=284 nf_f_rev_flow_delta_bytes=152 nf_f_flow_create_time_msec=1497904496097
Notice the details the NetFlow data provides, including connection ID, source IP, source port, destination IP, destination port, ICMP code and type, translated source port, translated destination port, etc.
It is possible to use both Syslog and NetFlow. Syslog does not add any overhead, but NetFlow may place a load on the CPU when enabled. Also, the volume of NetFlow data can be quite large.
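As an added illustration of the two formats explained above (not code from the original post), the following Python parses ASA syslog lines into their PRI, message ID and deny fields, parses a key=value NetFlow record, and flags a source whose 106023 denies spread across many destination ports, the pattern the 106023 explanation associates with footprinting or port scanning. The sample records and addresses are constructed for this example, and the field names follow the ASA and NetFlow output quoted on this page.

```python
import re
from collections import defaultdict

# Constructed sample records modelled on the ASA syslog and NetFlow formats quoted
# on this page; the addresses are RFC 5737 documentation addresses, not the page's.
SYSLOG_SAMPLE = """\
<164>%ASA-4-106023: Deny udp src outside:192.0.2.10/23276 dst inside:198.51.100.5/1900 by access-group "acl-out" [0x0, 0x0]
<164>%ASA-4-106023: Deny tcp src outside:192.0.2.10/40001 dst inside:198.51.100.5/22 by access-group "acl-out" [0x0, 0x0]
<164>%ASA-4-106023: Deny tcp src outside:192.0.2.10/40002 dst inside:198.51.100.5/23 by access-group "acl-out" [0x0, 0x0]
<164>%ASA-4-106023: Deny tcp src outside:192.0.2.10/40003 dst inside:198.51.100.5/445 by access-group "acl-out" [0x0, 0x0]
<166>%ASA-6-302013: Built inbound TCP connection 1864305098 for outside:192.0.2.77/51681 (192.0.2.77/51681) to inside:198.51.100.5/443 (198.51.100.5/443)""".splitlines()
NETFLOW_SAMPLE = ('nfc_id=20001 exp_ip= nf_f_conn_id=2878799907 src_ip=192.0.2.77 src_port=51292 '
                  'dest_ip=198.51.100.5 dest_port=443 protocol=6 nf_f_fw_event="5 - " '
                  'nf_f_fw_ext_event=2031 nf_f_fwd_flow_delta_bytes=284 nf_f_rev_flow_delta_bytes=152')

HEADER_RE = re.compile(r"<(?P<pri>\d+)>%ASA-(?P<level>\d)-(?P<msgid>\d{6}): (?P<body>.*)")
DENY_RE = re.compile(r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
                     r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')  # key=value, value may be quoted or empty

def parse_syslog(line):
    """Split an ASA syslog line into PRI facility/severity, message id and body fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    facility, severity = divmod(int(rec.pop("pri")), 8)  # PRI = facility * 8 + severity
    rec.update(facility=facility, severity=severity,
               consistent=severity == int(rec["level"]))  # PRI should agree with %ASA-<level>
    deny = DENY_RE.match(rec["body"])
    if deny:  # 106023 carries protocol, source and destination of the dropped packet
        rec.update(deny.groupdict())
    return rec

def parse_netflow(record):
    """Turn a key=value NetFlow export line into a dict, keeping empty and quoted values."""
    fields = {}
    for key, val in KV_RE.findall(record):
        val = val.strip('"')
        fields[key] = int(val) if val.isdigit() else val
    return fields

def deny_port_spread(lines, min_ports=3):
    """Sources whose 106023 denies hit at least min_ports distinct destination ports,
    the pattern the 106023 explanation above ties to footprinting or port scanning."""
    ports = defaultdict(set)
    for rec in filter(None, map(parse_syslog, lines)):
        if rec["msgid"] == "106023":
            ports[rec["src"]].add(int(rec["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

The PRI value 164 decodes to facility 20 (local4) and severity 4, which is the same level the `%ASA-4-` prefix states, so the two can be cross-checked on ingest.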
So, which one is right for you? My recommendation:
Internet router: Syslog to monitor system events, bandwidth, BGP status. Export to log collector / SIEM and set up alerts.
Internet firewall: Syslog for events, NetFlow for traffic analysis including NAT data. Export to log collector / SIEM and set up machine learning.
Core routers: Syslog to monitor system events, route changes, etc. Export to log collector / SIEM and set up alerts.
Comments? Suggestions? Put them below.