Logs and Monitoring - N10-008 CompTIA Network+ : 3.1

00:02

If you're working with routers, switches, firewalls,

00:05

or other infrastructure devices connected to the network,

00:08

there's probably logs inside of that device that can tell you

00:11

information such as the traffic flows and traffic

00:14

summaries of the data traversing that device.

00:17

If you're looking at logs inside of a firewall,

00:20

for instance, these logs are often very detailed.

00:23

They will show you every single flow of traffic

00:25

that's traversing that firewall, and give you

00:27

information about what's contained within that traffic

00:30

flow.

00:31

These logs are not only useful to use in real time

00:34

so you can see the status of your network,

00:37

but you can also store this information

00:39

and go back in time to determine what

00:41

may have happened before or after a particular event.

00:45

Here, for example, is a set of logs from a firewall.

00:48

Each one of the lines here on the left side

00:51

is a separate flow of traffic.

00:53

On the top line, I have highlighted one particular flow

00:57

that shows protocol, in this case,

00:59

UDP has a hostname, a username, a client field, a client port

01:04

number, a server IP address, a server port number,

01:08

and then the disposition of this traffic.

01:10

You also get a detailed view of this along the right side,

01:14

and as you can see, an extensive number of variables

01:17

are stored for each individual traffic flow.

01:21

This means if you wanted to run a search

01:22

to look for a particular IP address or a particular port

01:25

number, you'd be able to view all of the traffic flows

01:28

on your network that match that particular value.

01:32

Obviously, different devices will

01:34

have different types of logs.

01:36

For example, if you have an active directory

01:38

infrastructure, it probably is going

01:40

to have a series of audit logs that

01:42

allow you to see who might have logged in

01:44

or logged out of the network.

01:46

For example, this audit log shows

01:48

a message saying that a process has been created.

01:50

It shows a process ID.

01:52

Shows the file name.

01:54

In this case, it was cmd.exe that was used in this process.

01:58

And you can see more information about the username

02:01

and the login event.

02:02

You can also see details on the time, the host name, event IDs,

02:06

and other specifics.

02:08

This allows us to keep a historical view

02:10

of exactly who logged into the network, who logged out,

02:13

and perhaps who may have tried to log in

02:15

but used incorrect credentials.

02:18

When you start looking at the log files

02:20

on switches, routers, firewalls, Windows servers, Linux servers,

02:24

and other devices, you'll see that each one of those log

02:27

types is very, very different.

02:29

But all of these diverse log files

02:31

contain details that would allow us to correlate

02:34

data flows together.

02:35

Although all of the logs contain very different information,

02:39

we can use a standardized process

02:41

to retrieve those log files from every single one

02:44

of these devices using a standard protocol called

02:47

syslog.

02:48

We can configure all of these different devices

02:51

to send information to a consolidated logging

02:54

receiver using the standard syslog protocol.

02:57

In many cases, we're consolidating this information

03:00

to SIEM.

03:01

This is a security information and event

03:03

manager that allows us to bring all

03:05

of that data back to one central database. syslog

03:09

receives this data from a particular device,

03:11

it logs a facility code, which identifies the program that

03:15

originally created the log, and it assigns a severity level

03:19

to the information contained within that log.

03:22

This allows us as the network administrator

03:24

to take action on the information

03:26

we're receiving from all of these different logs.

03:28

Some of these logs will contain informational details

03:31

that may not need any type of immediate action,

03:34

whereas other logs may have critical details

03:36

and alert information that require immediate action.

03:40

We can use these severity levels as a filter.

03:43

So we can go to a single screen and say

03:45

that we'd like to see everything that is a warning

03:47

level or higher or maybe we want to view all of the debug

03:50

information sent in every log.

03:53

You as the network administrator get

03:55

to determine exactly what information is important to you

03:57

at any particular time.

03:59

You may decide during normal operation

04:01

that you only want to see alert or emergency log information,

04:04

but if you're doing research on a previous event,

04:07

you may want to expand this filter out to view debug

04:10

information and higher.

04:12

It might also be useful to perform

04:14

ongoing analysis of individual interfaces on these devices

04:18

to see if there may be any problems with the data

04:20

traversing the network.

04:22

For example, you may be looking at interfaces on a switch,

04:25

and you may find that it has a large number of runts.

04:28

The minimum size of an Ethernet frame is 64 bytes.

04:31

So if you receive a frame that is smaller than 64 bytes,

04:35

we qualified that as a runt, and in many cases,

04:38

that means that a collision has occurred on the network.

04:41

On most of our networks today, we're

04:42

using full duplex ethernet so the identification

04:45

of a runt and potentially a collision

04:47

is something you probably want to be aware of.

04:50

If you're not using jumbo frames,

04:52

the maximum size of an ethernet frame

04:54

is going to be 1,518 bytes.

04:57

If your networking device identifies a frame that's

05:00

larger than 1,518 bytes, it identifies

05:03

that as a giant frame, and again, this

05:06

may indicate that some type of communication problem

05:09

is occurring on the network.

05:11

If any of these ethernet signals are corrupted

05:13

as they're being sent across the network,

05:15

you may receive a cyclic redundancy check

05:17

error, or CRC error.

05:19

You might also see this referred to as a frame

05:22

check sequence error, or FCS error.

05:25

These are commonly caused by a bad cable or bad interface,

05:28

and resolving the cable or interface

05:31

causes the CRC errors to cease.

05:33

And there may be cases where encapsulation errors might

05:37

occur, where one switch is expecting one type of frame,

05:40

and the other switch is expecting

05:42

a different type of frame.

05:44

On older switches, for example, you

05:46

may see trunk links that are using inner switch link

05:49

protocol, or ISL.

05:50

These days, we tend to use the 802.1Q standard,

05:54

but if one side is set for ISL and the other side is set

05:58

for .1Q, then you'll have an encapsulation error.

06:03

If you were to log in to a switch

06:04

and view the statistics on an individual interface,

06:07

you might get a message very similar to this.

06:10

And although it seems like there's

06:11

a lot of information on the screen,

06:13

you tend to start focusing in on very specific areas

06:17

to get the information you need.

06:18

For example, you may want to look

06:20

at the very first line that shows

06:21

that fast ethernet interface 0/1 is up

06:25

and the line protocol is up and connected,

06:27

which means that this interface should be operating normally

06:30

on the network.

06:31

We can look at another line that shows

06:33

this is configured for full duplex and 100

06:36

megabits per second, and the media type

06:38

is a 10/100 interface.

06:40

We can also see that there have been 5,701 packets.

06:44

We can see 1,157,662 bytes, and 0, no buffer frames.

06:51

We can also see there have been 0 CRC errors, which

06:55

means that this particular network should

06:57

be performing normally.

06:59

However, we can also see a large number of broadcasts.

07:01

5,130 broadcasts and 2,269 multicasts.

07:07

By looking at the individual interfaces on a switch,

07:11

you can start putting together a view

07:13

of exactly how each interface is performing

07:16

and if there might be any errors or problems

07:18

with individual ports.

07:21

When you're working with a data center or a computer room,

07:24

you also have to be concerned about the environment.

07:26

There are many different variables

07:28

that can affect the overall health and availability

07:30

of the network, such as the temperature in the room.

07:33

These devices can get very hot and need constant cooling,

07:37

so we want to be sure that the air conditioning that we have

07:40

in the room is always working properly,

07:42

so we'll want to monitor that temperature.

07:44

We might also want to monitor the humidity level.

07:47

If we have a lot of humidity in the air,

07:49

then we may have some condensation,

07:51

and we certainly want to keep that water away

07:53

from our electrical equipment.

07:55

If we have a low amount of humidity,

07:57

we may have an excessive amount of static discharge, which

08:00

is also bad for the silicon.

08:03

Since we are connecting all of these power devices

08:06

to an electrical system, it would also

08:08

be useful to know if we're receiving

08:10

the proper amount of voltage and that everything is working

08:13

as expected, so constant monitoring

08:15

of the electrical system can be a very valuable metric.

08:19

In a very large data centers, you

08:21

may be using water as part of your cooling system.

08:24

This means we may want to have flood monitors

08:26

in different parts of the room to make sure

08:28

that that water never gets close to our electrical equipment.

08:32

If you start collecting this information over time,

08:35

you can begin to create a baseline of what

08:38

may be expected.

08:39

For example, you may create an all events baseline that

08:42

shows the number of information events

08:44

that you have coming through during the day versus the debug

08:48

or notice events, and this can be

08:50

used to look at event categories, security

08:53

events, important events, or other type of metrics

08:56

on your network.

08:57

SNMP and log files can tell you a lot about what's

09:01

happening on the network, but you occasionally

09:03

would like to have a lot more detail of information that

09:06

may be contained within the ethernet packets themselves.

09:09

In those cases, you may need additional collection tools,

09:13

such as NetFlow.

09:14

NetFlow allows you to gather statistics and details

09:18

from the raw traffic traversing the network.

09:20

There are many different ways to collect this data.

09:23

It may require a separate individual NetFlow probe,

09:26

or there may be NetFlow capabilities

09:28

built into the equipment that you're already using.

09:31

Generally, NetFlow will have a NetFlow probe and a NetFlow

09:34

collector.

09:35

The probe will sit out on the network

09:37

sometimes as part of a tapped connection or it

09:40

may be receiving traffic from a switched port analyzer or span

09:44

connection, and it's watching all of the packets

09:47

traverse the network.

09:48

It's gathering those details and exporting

09:51

all of that NetFlow traffic back to a central NetFlow collector.

09:55

From the NetFlow collector, you can then

09:57

create detailed reports of everything

09:59

that's been seen over time.

10:01

This allows you to get extensive information of what

10:04

may be occurring on the network, such as the type

10:07

of conversations, the endpoints communicating, the applications

10:11

in use, and much more.

10:13

For example, you can get a distribution

10:15

showing the amount of TLS traffic versus port 0, UDP,

10:19

in the clear HTTP, and Microsoft SQL server traffic on one view.

10:24

This will give you some insight into exactly what

10:27

might be traversing the network and might also

10:30

help you interact with your security devices

10:33

to make sure that only the proper information is

10:35

being sent over the network.

10:38

We've talked about a lot of different types of metrics

10:41

in this video, but sometimes, all you want to know

10:44

is whether a service is up or down.

10:47

Fortunately, many third party services, especially services

10:51

in the cloud, can provide you with a list of all

10:53

of those services and a status of how

10:56

that service is performing.

10:58

So if you happen to connect to the status page

11:00

and you see that a particular problem was recently resolved,

11:03

you may be able to track that back to your NetFlow or log

11:06

files to determine if that, indeed,

11:08

had an impact on your network.