topic Re: Integrating NSEL with SIEM in Network Security

Integrating NSEL with SIEM

abhijith891 — Fri, 21 Feb 2020 16:19:39 GMT

Hi all,

I am considering integrating NSEL with our SIEM. We have already integrated our ASAs with our syslog server but I could see that there isnt clear visibility of traffic in our environment; hence thinking of going for Netflow. So I have a few queries regarding this:

1) What is the packet size of a Netflow event? How does it hold against a syslog message? Is the difference in size too big?

2) Will enabling Netflow affect the syslog server's performance(McAfee in our case) inspite of disabling redundant syslog messages?

3) Will enabling Netflow provide us greater visibility with respect to Anyconnect user logs and wireless guest user logs? If not, which other solution should we consider deploying?

Any help on these would be greatly appreciated.

Re: Integrating NSEL with SIEM

balaji.bandi — Fri, 05 Oct 2018 14:36:30 GMT

Netflow do not have any impact on the modern platform, but you need keep monitor all the time when new things deployed in the network and how it performing.

More information related to netflow can be found here.

https://nsrc.org/workshops/2015/sanog25-nmm-tutorial/materials/netflow.pdf

1) What is the packet size of a Netflow event? How does it hold against a syslog message? Is the difference in size too big?

Netflow give network flow based in ingress and egress interface passing the traffic via that interface.

2) Will enabling Netflow affect the syslog server's performance(McAfee in our case) inspite of disabling redundant syslog messages?

Netflow will be enable in the device, but it sends more information to Log Server, i am sure you have good compute power to handle those logs.

3) Will enabling Netflow provide us greater visibility with respect to Anyconnect user logs and wireless guest user logs? If not, which other solution should we consider deploying?

Netflow give network flow information, not logs.

If you looking more of Log process, you can use Prime for wireless.

Re: Integrating NSEL with SIEM

abhijith891 — Sat, 06 Oct 2018 17:44:32 GMT

Hi Balaji,

Thanks for your inputs. I want to clarify a few things:

For question 2 you replied "Netflow will be enable in the device, but it sends more information to Log Server, i am sure you have good compute power to handle those logs."

For question 3 you said "Netflow give network flow information, not logs."

1)From your answers, Netflow is a flow information message, not a log message. Please correct me if i am wrong.

2)Does Netflow only give real-time info or is it possible to retrieve flow info after a week or month?

3) If Netflow cant help to retrieve Anyconnect user log information, what would be the best alternate solution?

Re: Integrating NSEL with SIEM

balaji.bandi — Sat, 06 Oct 2018 19:08:33 GMT

1)From your answers, Netflow is a flow information message, not a log message. Please correct me if i am wrong.

This document give you full in depth information - ( i do not want to re-invent the wheel for that information).

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

2)Does Netflow only give real-time info or is it possible to retrieve flow info after a week or month?

yes it give both the information, real time and archive information for reporting - depends on what kind of netflow collector you use.

Example : Solarwinds NTA, PRTG, Elastic Stack can give you that features.

3) If Netflow cant help to retrieve Anyconnect user log information, what would be the best alternate solution?

what kind of user log information you looking for, login / Logout or explain more ? to understand better before suggesting.

Re: Integrating NSEL with SIEM

abhijith891 — Sat, 06 Oct 2018 20:40:38 GMT

Hi Balaji,

Thank you for your inputs. As far as 3rd question, here's the thing:

Say, I want a list of Anyconnect users or who had logged in for the last one week/month, how do I retrieve it? On the ASA, I could see it only stores active VPN sessions, and a session vanishes once the user logs out. I tried checking with our SIEM, but it was of no avail.

Re: Integrating NSEL with SIEM

balaji.bandi — Sat, 06 Oct 2018 21:01:43 GMT

How is your authentication method configured ? they authenticate with ACS / AD / or what method ?

couple good post for your reference :

https://community.cisco.com/t5/vpn-and-anyconnect/cisco-asa-5510-vpn-login-history/td-p/2090555

https://community.cisco.com/t5/vpn-and-anyconnect/monitoring-vpn-connection-attempts/td-p/1644157

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html

Re: Integrating NSEL with SIEM

abhijith891 — Mon, 08 Oct 2018 11:17:24 GMT

Hi Balaji,

We are authenticating against the AD.

And thanks a lot for the links. I will look into these, try to implement it and then get back to you. Grateful for all your help and time so far.

Regards,

Abhijit