Syslogs vs NetFlow – Which one is right for you?

Syslog:

Syslog is a standard for message logging. Each message is labeled with a facility code and a severity level. The standard port for collecting logs is UDP 514.

Syslog gives information about system events: interfaces going up or down, route changes, configuration changes, and any other system-level event. If logging levels are set correctly, it can also give you Network Address Translation (NAT) information.

An example of Syslog output from a Cisco ASA firewall is provided below:

06/19/2017 16:10:56.848 -0400 fw-   -asa <164>%ASA-4-106023: Deny udp src outside:114.199.162.X/23276 dst inside:              /1900 by access-group "acl-out" [0x0, 0x0]

06/19/2017 16:10:56.845 -0400 fw-   -asa <166>%ASA-6-302013: Built inbound TCP connection 1864305098 for outside:151.225.163.X/51681 (151.225.163.X/51681) to inside:              /443 (              /443)

06/19/2017 16:10:56.844 -0400 fw-usr-asa <166>%ASA-6-106100: access-list acl-out permitted tcp outside/151.225.163.X(51681) -> inside/               (443) hit-cnt 1 first hit [0xcde53b26, 0xf56d443a]

Explanation of the Syslog messages:

106023: A real IP packet was denied by the ACL. Recommended action: a footprinting or port-scanning attempt may be occurring.

302013: A connection slot between two hosts was created.

106100: The initial or total number of occurrences during an interval is listed, and the value indicates whether the packet was permitted or denied by the ACL.
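To show how the ASA lines above break down, here is a small parser (added here as an example; it is not code from the original post) that decodes the syslog priority (the `<164>` and `<166>` values) into facility and severity, extracts the ASA message ID, pulls the 5-tuple out of 106023 deny messages, and applies the check the 106023 description calls for: a source whose denies touch several distinct destination ports may be port scanning. The sample lines and the `scan_suspects` threshold are constructed for the example, with documentation addresses in place of the redacted hosts.

```python
import re

# Constructed sample lines modelled on the ASA output above; addresses are
# RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOGS = [
    '06/19/2017 16:10:56.848 -0400 fw-usr-asa <164>%ASA-4-106023: Deny udp src outside:203.0.113.10/23276 dst inside:192.0.2.5/1900 by access-group "acl-out" [0x0, 0x0]',
    '06/19/2017 16:10:57.001 -0400 fw-usr-asa <164>%ASA-4-106023: Deny tcp src outside:203.0.113.10/23277 dst inside:192.0.2.5/445 by access-group "acl-out" [0x0, 0x0]',
    '06/19/2017 16:10:57.300 -0400 fw-usr-asa <164>%ASA-4-106023: Deny tcp src outside:203.0.113.10/23278 dst inside:192.0.2.5/3389 by access-group "acl-out" [0x0, 0x0]',
    '06/19/2017 16:10:56.845 -0400 fw-usr-asa <166>%ASA-6-302013: Built inbound TCP connection 1864305098 for outside:198.51.100.7/51681 (198.51.100.7/51681) to inside:192.0.2.8/443 (192.0.2.8/443)',
]

# <PRI>%ASA-<severity>-<message id>: <body>
HEADER = re.compile(r'<(?P<pri>\d+)>%ASA-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$')
# Body layout of a 106023 deny message.
DENY = re.compile(r'^Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
                  r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"')


def parse_asa(line):
    """Decode one ASA syslog line; returns None for lines that are not ASA messages."""
    m = HEADER.search(line)
    if not m:
        return None
    pri = int(m.group('pri'))
    rec = {
        'facility': pri // 8,          # PRI = facility * 8 + severity (RFC 5424); 164 -> local4 (20)
        'severity': pri % 8,           # 164 -> 4 (warning), 166 -> 6 (informational)
        'msg_id': m.group('msg_id'),
        'body': m.group('body'),
    }
    # The severity in the PRI and the digit in %ASA-N- should agree; flag if they do not.
    rec['severity_ok'] = rec['severity'] == int(m.group('sev'))
    if rec['msg_id'] == '106023':
        d = DENY.match(rec['body'])
        if d:
            rec.update(d.groupdict())
            rec['src_port'] = int(rec['src_port'])
            rec['dst_port'] = int(rec['dst_port'])
    return rec


def scan_suspects(lines, min_ports=3):
    """Map source IP -> sorted denied destination ports for sources hitting >= min_ports ports."""
    ports = {}
    for line in lines:
        rec = parse_asa(line)
        if rec and rec['msg_id'] == '106023' and 'src_ip' in rec:
            ports.setdefault(rec['src_ip'], set()).add(rec['dst_port'])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}
```

On real collector data the same loop would run over the syslog stream, and the threshold and window would be tuned to the site's baseline rather than the three lines used here.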

NetFlow:

NetFlow was introduced on Cisco routers and provides the ability to collect IP network statistics, including packet counts. It will not alert on system events such as an interface going down. By analyzing NetFlow data, a network administrator can determine the source and destination of traffic, the protocols used, the duration of communication, and so on. Typically, third-party middleware such as NetFlow Integrator is used to capture NetFlow data and export it in a readable format for ingestion into a log collector / SIEM. The current version of NetFlow is v10.

An example of NetFlow output from a Cisco ASA firewall is provided below:

06/19/2017 16:35:32.000 -0400    ASA Netflow <110>Jun 19 16:35:32                00:00:00:00 nfc_id=20001 exp_ip=               nf_f_conn_id=2878799907 src_ip=                src_port=51292 input_snmp=15 dest_ip=173.241.154.X dest_port=443 output_snmp=14 protocol=6 nf_f_icmp_type=0 nf_f_icmp_code=0 nf_f_xlate_src_addr_ipv4=                 nf_f_xlate_dst_addr_ipv4=173.241.154.X nf_f_xlate_src_port=51292 nf_f_xlate_dst_port=443 nf_f_fw_event="5 - " nf_f_fw_ext_event=2031 nf_f_event_time_msec=1497904532610 nf_f_fwd_flow_delta_bytes=284 nf_f_rev_flow_delta_bytes=152 nf_f_flow_create_time_msec=1497904496097

Notice the details the NetFlow record provides: connection ID, source IP, source port, destination IP, destination port, ICMP type and code, translated source port, translated destination port, and so on.

It is possible to use both Syslog and NetFlow. Syslog does not add any overhead, but NetFlow may place a load on the CPU when enabled, and the volume of NetFlow data can be quite large.

So, which one is right for you? My recommendation:

Internet router: Syslog to monitor system events, bandwidth, and BGP status. Export to a log collector / SIEM and set up alerts.

Internet firewall: Syslog for events, NetFlow for traffic analysis including NAT data. Export to a log collector / SIEM and set up machine learning.

Core routers: Syslog to monitor system events, route changes, etc. Export to a log collector / SIEM and set up alerts.

Comments? Suggestions? Put them below.
