Network monitoring is a critical information technology (IT) function often used by Enterprises and Service Providers, which involves watching the activities occurring on an internal network for problems related to performance, misbehaving hosts, suspicious user activity, etc. Network monitoring is made possible due to the information provided by various network devices. The information has been generally referred to as network metadata, i.e., a class of information describing activity on the network which is supplemental and complimentary to the rest of information transmitted over the network.
Syslog is one type of network metadata commonly used for network monitoring. Syslog is a standard for logging program messages and provides devices which would otherwise be unable to communicate a means to notify administrators of problems or performance. Syslog is often used for computer system management and security auditing as well as generalized informational, analysis, and debugging messages. It is supported by a wide variety of devices (like printers and routers) and receivers across multiple platforms. Because of this, syslog can be used to integrate log data from many different types of systems into a central repository.
More recently, another type of network metadata, referred to by various vendors as NetFlow, jFlow, sFlow, etc., has also been introduced as a part of standard network traffic (hereafter generally referred to as “NetFlow”.) NetFlow is a network protocol for collecting IP traffic information that has become an industry standard for traffic monitoring. NetFlow can be generated by a variety of network devices such as routers, switches, firewalls, intrusion detection systems (IDS), intrusion protection systems (IPS), network address translation (NAT) entities and many others. However, until recently, NetFlow network metadata was used exclusively for post factum network supervision purposes such as network topology discovery, locating network throughput bottlenecks, Service Level Agreement (SLA) validation, etc. Such limited use of NetFlow metadata can generally be attributed to the high volume and high delivery rate of information produced by the network devices, the diversity of the information sources and an overall complexity of integrating additional information streams into existing event analyzers. More particularly, NetFlow metadata producers have typically generated more information than consumers could analyze and use in a real time setting. For example, a single medium to large switch on a network might generate 400,000 NetFlow records per second.
Today's syslog collectors, syslog analyzers, security information management (SIM) systems, security event management (SEM) systems, security information and event management (SIEM) systems, etc. (collectively hereafter referred to as an “SIEM system”) are either incapable of receiving and analyzing NetFlow, are limited to processing rudimentary information contained in NetFlow packets, or process NetFlow packets at rates much lower than such packets are typically generated.
The advent of robust network monitoring protocols such as NetFlow v9 (RFC 3954) and IPFIX (RFC 5101 and related IETF RFC) drastically expands the opportunity to use network metadata in the realm of network security and intelligent network management. At the same time, due to the constraints identified above, today's SIEM systems are not generally capable of utilizing network monitoring information beyond simply reporting observed byte and packet counts.