Integrating NSEL with SIEM

10-05-2018 01:38 AM - edited 02-21-2020 08:19 AM
Hi all,
I am considering integrating NSEL with our SIEM. We have already integrated our ASAs with our syslog server, but I could see that there isn't clear visibility of traffic in our environment; hence thinking of going for NetFlow. So I have a few queries regarding this:
1) What is the packet size of a NetFlow event? How does it hold against a syslog message? Is the difference in size too big?
2) Will enabling NetFlow affect the syslog server's performance (McAfee in our case) in spite of disabling redundant syslog messages?
3) Will enabling NetFlow provide us greater visibility with respect to AnyConnect user logs and wireless guest user logs? If not, which other solution should we consider deploying?
Any help on these would be greatly appreciated.
10-05-2018 07:36 AM
NetFlow does not have any impact on the modern platform, but you need to keep monitoring all the time when new things are deployed in the network and how it is performing.
More information related to NetFlow can be found here.
https://nsrc.org/workshops/2015/sanog25-nmm-tutorial/materials/netflow.pdf
1) What is the packet size of a NetFlow event? How does it hold against a syslog message? Is the difference in size too big?
NetFlow gives network flow data based on the ingress and egress interface passing the traffic via that interface.
2) Will enabling NetFlow affect the syslog server's performance (McAfee in our case) in spite of disabling redundant syslog messages?
NetFlow will be enabled on the device, but it sends more information to the log server; I am sure you have good compute power to handle those logs.
3) Will enabling NetFlow provide us greater visibility with respect to AnyConnect user logs and wireless guest user logs? If not, which other solution should we consider deploying?
NetFlow gives network flow information, not logs.
If you are looking more for log processing, you can use Prime for wireless.
10-06-2018 10:44 AM
Hi Balaji,
Thanks for your inputs. I want to clarify a few things:
For question 2 you replied "NetFlow will be enabled on the device, but it sends more information to the log server; I am sure you have good compute power to handle those logs."
For question 3 you said "NetFlow gives network flow information, not logs."
1) From your answers, NetFlow is a flow information message, not a log message. Please correct me if I am wrong.
2) Does NetFlow only give real-time info, or is it possible to retrieve flow info after a week or month?
3) If NetFlow can't help to retrieve AnyConnect user log information, what would be the best alternate solution?
10-06-2018 12:08 PM
1) From your answers, NetFlow is a flow information message, not a log message. Please correct me if I am wrong.
This document gives you full in-depth information (I do not want to re-invent the wheel for that information).
2) Does NetFlow only give real-time info, or is it possible to retrieve flow info after a week or month?
Yes, it gives both: real-time and archived information for reporting; it depends on what kind of NetFlow collector you use.
Example: SolarWinds NTA, PRTG and Elastic Stack can give you those features.
3) If NetFlow can't help to retrieve AnyConnect user log information, what would be the best alternate solution?
What kind of user log information are you looking for: login/logout? Or explain more, so I understand better before suggesting.
10-06-2018 01:40 PM
Hi Balaji,
Thank you for your inputs. As far as 3rd question, here's the thing:
Say I want a list of AnyConnect users who had logged in for the last one week/month; how do I retrieve it? On the ASA, I could see it only stores active VPN sessions, and a session vanishes once the user logs out. I tried checking with our SIEM, but it was of no avail.
10-06-2018 02:01 PM
How is your authentication method configured? Do they authenticate with ACS, AD, or what method?
A couple of good posts for your reference:
https://community.cisco.com/t5/vpn-and-anyconnect/cisco-asa-5510-vpn-login-history/td-p/2090555
https://community.cisco.com/t5/vpn-and-anyconnect/monitoring-vpn-connection-attempts/td-p/1644157
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.html
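A defender-side example, added here and not part of any post in this thread: rebuilding AnyConnect login history from ASA syslog archived on the syslog server or SIEM (the approach the linked syslog guide supports), since the ASA's own view only holds active sessions. The sample lines, hostname, user and group names are constructed, and message IDs 722022/722023 are an assumption to confirm against the syslog guide for your ASA release.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in ASA syslog format, as a syslog server might store
# them (not from the thread). Message IDs 722022 (SVC connection established)
# and 722023 (SVC connection terminated) are assumed; check the ASA syslog guide.
SAMPLE_LOGS = """\
Oct 01 2018 08:02:11 asa-fw01 %ASA-6-722022: Group <RA_VPN> User <jsmith> IP <198.51.100.23> TCP SVC connection established without compression
Oct 01 2018 08:14:37 asa-fw01 %ASA-6-722022: Group <RA_VPN> User <adoe> IP <203.0.113.9> TCP SVC connection established without compression
Oct 01 2018 17:45:02 asa-fw01 %ASA-6-722023: Group <RA_VPN> User <jsmith> IP <198.51.100.23> TCP SVC connection terminated without compression
Oct 03 2018 09:00:00 asa-fw01 %ASA-6-722022: Group <RA_VPN> User <jsmith> IP <198.51.100.77> TCP SVC connection established without compression
Oct 03 2018 09:00:05 asa-fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.77/50000 (198.51.100.77/50000) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

TS_FMT = "%b %d %Y %H:%M:%S"
VPN_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-(?P<msgid>\d{6}): "
    r"Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> IP <(?P<ip>[^>]+)>")
START_IDS, END_IDS = {"722022"}, {"722023"}


def parse_sessions(log_text):
    """Pair start/end messages into {user: [{"start", "end", "ip", "group"}]}.
    end=None means the session was still open (or its termination lies outside
    the exported window); a termination with no matching start is ignored."""
    sessions = defaultdict(list)
    open_idx = {}  # (user, ip) -> index of the open session in sessions[user]
    for line in log_text.splitlines():
        m = VPN_RE.match(line)
        if not m:  # everything else (e.g. 302013 connection builds) is skipped
            continue
        ts, key = datetime.strptime(m["ts"], TS_FMT), (m["user"], m["ip"])
        if m["msgid"] in START_IDS:
            sessions[m["user"]].append(
                {"start": ts, "end": None, "ip": m["ip"], "group": m["group"]})
            open_idx[key] = len(sessions[m["user"]]) - 1
        elif m["msgid"] in END_IDS and key in open_idx:
            sessions[m["user"]][open_idx.pop(key)]["end"] = ts
    return dict(sessions)


def users_seen_between(sessions, since, until):
    """Users with a session start in [since, until] (ISO dates, e.g. "2018-10-01"):
    the 'who logged in last week' list the ASA itself no longer has once a
    session ends."""
    lo, hi = datetime.fromisoformat(since), datetime.fromisoformat(until)
    return sorted(u for u, sl in sessions.items()
                  if any(lo <= s["start"] <= hi for s in sl))
```

Point the same parser at a week's or month's export from the syslog server to answer the question in the thread; a session left with end=None is worth a second look, since it is either still live or its termination message never reached the collector.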
10-08-2018 04:17 AM
Hi Balaji,
We are authenticating against the AD.
And thanks a lot for the links. I will look into these, try to implement it and then get back to you. Grateful for all your help and time so far.
Regards,
Abhijit
