Integrating NSEL with SIEM

abhijith891
Level 1

Hi all,

 

I am considering integrating NSEL with our SIEM. We have already integrated our ASAs with our syslog server, but I could see that there isn't clear visibility of traffic in our environment; hence I am thinking of going for Netflow. So I have a few queries regarding this:

 

1) What is the packet size of a Netflow event? How does it hold up against a syslog message? Is the difference in size too big?

2) Will enabling Netflow affect the syslog server's performance (McAfee in our case) in spite of disabling redundant syslog messages?

3) Will enabling Netflow provide us greater visibility with respect to AnyConnect user logs and wireless guest user logs? If not, which other solution should we consider deploying?

 

Any help on these would be greatly appreciated.

6 Replies

balaji.bandi
Hall of Fame

Netflow does not have any impact on modern platforms, but you need to keep monitoring all the time when new things are deployed in the network and how they are performing.

 

More information related to netflow can be found here.

https://nsrc.org/workshops/2015/sanog25-nmm-tutorial/materials/netflow.pdf

 

1) What is the packet size of a Netflow event? How does it hold up against a syslog message? Is the difference in size too big?

 

Netflow gives network flow information based on the ingress and egress interfaces passing the traffic.

 

2) Will enabling Netflow affect the syslog server's performance (McAfee in our case) in spite of disabling redundant syslog messages?

 

Netflow will be enabled on the device, but it sends more information to the log server; I am sure you have good compute power to handle those logs.

 

3) Will enabling Netflow provide us greater visibility with respect to AnyConnect user logs and wireless guest user logs? If not, which other solution should we consider deploying?

 

Netflow gives network flow information, not logs.

 

If you are looking for more log processing, you can use Prime for wireless.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
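As an added illustration (not part of either poster's reply), this is the ASA-side configuration that the question's "disabling redundant syslog messages" refers to: NSEL is exported from a service policy, and `logging flow-export-syslogs disable` silences the syslog messages whose content NSEL already carries. The interface name, collector address and port are assumed values.

```text
! Send NSEL records to the collector (interface name, collector IP and UDP port are assumed)
flow-export destination inside 10.10.10.50 2055
flow-export template timeout-rate 1
!
! Select which connections to export; "permit ip any any" exports every connection
access-list flow_export_acl extended permit ip any any
class-map flow_export_class
 match access-list flow_export_acl
!
policy-map global_policy
 class flow_export_class
  flow-export event-type all destination 10.10.10.50
!
! Stop the syslog messages that duplicate NSEL flow-create/teardown/denied events
! (connection build/teardown and ACL deny messages such as 302013-302016, 106023, 106100)
logging flow-export-syslogs disable
```

Two checks worth doing after applying it: `show logging flow-export-syslogs` lists which message IDs that command turned off, so you can confirm nothing your SIEM correlation rules depend on was silenced, and `show flow-export counters` shows whether records are actually leaving the box. Note what NSEL covers: connection create, teardown, update and denied events. It does not carry VPN session events, so enabling it changes nothing about AnyConnect login visibility, which remains a syslog question.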

Hi Balaji,

 

Thanks for your inputs. I want to clarify a few things:

 

For question 2 you replied "Netflow will be enable in the device, but it sends more information to Log Server, i am sure you have good compute power to handle those logs."

 

For question 3 you said "Netflow give network flow information, not logs." 

 

1) From your answers, Netflow is a flow information message, not a log message. Please correct me if I am wrong.

2) Does Netflow only give real-time info, or is it possible to retrieve flow info after a week or month?

3) If Netflow can't help to retrieve AnyConnect user log information, what would be the best alternate solution?

1) From your answers, Netflow is a flow information message, not a log message. Please correct me if I am wrong.

 

This document gives you full in-depth information (I do not want to reinvent the wheel for that information).

 

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

 

2) Does Netflow only give real-time info, or is it possible to retrieve flow info after a week or month?

 

Yes, it gives both: real-time and archived information for reporting, depending on what kind of Netflow collector you use.

Example: SolarWinds NTA, PRTG and Elastic Stack can give you those features.

 

3) If Netflow can't help to retrieve AnyConnect user log information, what would be the best alternate solution?

 

What kind of user log information are you looking for, login/logout, or can you explain more? I want to understand better before suggesting.

 

 

BB


Hi Balaji,

 

Thank you for your inputs. As for the 3rd question, here's the thing:

 

Say I want a list of AnyConnect users who logged in over the last week/month; how do I retrieve it? On the ASA, I could see it only stores active VPN sessions, and a session vanishes once the user logs out. I tried checking with our SIEM, but it was of no avail.
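The history asked for above does not need Netflow at all: the ASA already writes the start and end of every AnyConnect session to syslog (message 113039 "AnyConnect parent session started" and 113019 "Session disconnected"), so the answer is a search over the syslog the SIEM is already receiving, not over active sessions on the box. The Python below is an added example, not from either poster. It parses those two message types from constructed sample lines (the firewall name, users, groups, addresses and dates are made up) and produces per-user login history for a chosen window; a SIEM search would do the same thing on stored events.

```python
"""Extract AnyConnect login/logout history from ASA syslog text."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread), following the documented
# %ASA-6-113039 (session started) and %ASA-4-113019 (session disconnected)
# formats. The 302013 connection line is there to show non-VPN messages being ignored.
SAMPLE_LOG = """\
<166>Mar 02 2020 08:15:01 fw01 : %ASA-6-113039: Group <AC-Employees> User <alice> IP <198.51.100.10> AnyConnect parent session started.
<166>Mar 02 2020 08:15:02 fw01 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.10/51000 (198.51.100.10/51000) to inside:10.0.0.5/443 (10.0.0.5/443)
<164>Mar 02 2020 09:42:17 fw01 : %ASA-4-113019: Group = AC-Employees, Username = alice, IP = 198.51.100.10, Session disconnected. Session Type: SSL, Duration: 1h:27m:16s, Bytes xmt: 1048576, Bytes rcv: 524288, Reason: User Requested
<166>Mar 03 2020 18:03:44 fw01 : %ASA-6-113039: Group <AC-Contractors> User <bob> IP <203.0.113.7> AnyConnect parent session started.
<166>Mar 09 2020 07:00:00 fw01 : %ASA-6-113039: Group <AC-Employees> User <alice> IP <198.51.100.22> AnyConnect parent session started.
"""
SAMPLE_NOW = datetime(2020, 3, 10)  # assumed "now" for the constructed data

# Timestamp as written by the ASA itself when "logging timestamp" is configured.
_TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
START_RE = re.compile(
    _TS + r".*%ASA-\d-113039: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <(?P<ip>[^>]+)> AnyConnect parent session started")
STOP_RE = re.compile(
    _TS + r".*%ASA-\d-113019: Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), "
    r"IP = (?P<ip>[^,]+), Session disconnected\..*Duration: (?P<dur>[^,]+)")


def parse_anyconnect_events(text):
    """Return login/logout events as dicts (ts, kind, user, group, ip), oldest first.

    Lines that are neither 113039 nor 113019 are skipped.
    """
    events = []
    for line in text.splitlines():
        for kind, rx in (("login", START_RE), ("logout", STOP_RE)):
            m = rx.search(line)
            if m:
                ev = {"kind": kind,
                      "ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
                      "user": m["user"], "group": m["group"], "ip": m["ip"]}
                if kind == "logout":
                    ev["duration"] = m["dur"]
                events.append(ev)
                break
    return sorted(events, key=lambda e: e["ts"])


def logins_since(text, now, days):
    """Map username -> list of login events in the last `days` days up to `now`."""
    cutoff = now - timedelta(days=days)
    by_user = defaultdict(list)
    for ev in parse_anyconnect_events(text):
        if ev["kind"] == "login" and cutoff <= ev["ts"] <= now:
            by_user[ev["user"]].append(ev)
    return dict(by_user)


def report(text, now, days):
    """One summary line per user: login count, first/last login, source IPs."""
    lines = []
    for user, evs in sorted(logins_since(text, now, days).items()):
        ips = sorted({e["ip"] for e in evs})
        lines.append(f"{user}: {len(evs)} login(s), first {evs[0]['ts']:%Y-%m-%d %H:%M}, "
                     f"last {evs[-1]['ts']:%Y-%m-%d %H:%M}, from {', '.join(ips)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, SAMPLE_NOW, days=30):
        print(line)
```

Two things to check on the ASA side before relying on this: the parser keys on the timestamp the ASA writes into the message, which requires `logging timestamp` (otherwise use the SIEM's receive time instead), and 113039 is an informational-level message, so the `logging trap` level sent to the SIEM must be informational or the login event never leaves the firewall, which is one common reason a SIEM search for VPN logins comes back empty.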

Hi Balaji,

 

We are authenticating against the AD.

 

And thanks a lot for the links. I will look into these, try to implement it and then get back to you.  Grateful for all your help and time so far.

 

Regards,

Abhijit 

 
