Logging and Security

What is the best and cheapest way to view network traffic traversing an ASA firewall?
I'm trying to understand the difference between Syslog and TCP Dump.

For instance, one of the top sites in the ASDM happens to be a multimedia streaming site. I would like to know what IP is connected to that site so I could bust 'em, but it happens in the off hours and I only know how to view the real-time traffic in the ASDM.

Can someone please take me through a best practices configuration step by step? Is there a free syslog server I could use?


TCPDUMP is used to view the actual network traffic (packets) that flow over the network. It breaks down the headers from the various protocols (Ethernet, ATM, Frame Relay, IP, TCP, NetBIOS, NetBEUI, HTTP, and so on).

SYSLOG is generally where applications may log events.  In the Windows world you can relate SYSLOG to the Event logs.

I believe that Kiwi (http://www.kiwisyslog.com) has a free version for non-commercial non-production use.

In your case, syslog is what you want.  TCPDUMP would provide you with way too much information.

However, what is your company's policy on Internet usage? If what they are doing is against the policy, I have found it best to just set up a rule to block traffic to that IP address or range of IP addresses. If what they are doing is allowed, then I would suggest getting permission from management to set up rules that will limit the amount of bandwidth non-business traffic can use. It takes a bit of monitoring to see what IP addresses people are going to and how much bandwidth they use. We have a Cisco CAT6500 and I have enabled NetFlow and I use NTOP to capture the NetFlow data and do basic reporting. When we are experiencing slowness on the Internet, I look in NTOP to see what is using it. If it is non-business related, I add the IP address(es) to a network object in PIX that is policed to limit bandwidth.

If you really want to catch the person, then you would need to set up an ACE that logs all access to the IP address(es) of the streaming media servers. You want to target the servers, just in case there is more than one employee accessing the sites. If there are 10 employees hitting this site and you only target one, you could be in trouble.
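The ACE-with-logging approach described in the answer above, as an added example that is not part of the original post: a constructed ASA configuration fragment (in the comment) that logs hits on the streaming server addresses and forwards them to a syslog host, followed by a small Python parser that reads the resulting %ASA-6-106100 messages and totals hits per internal source. The ACL name, interface names, host addresses and log lines are all constructed for illustration.

```python
import re
from collections import Counter

# ASA side (constructed, illustrative; check syntax against your ASA version):
#   access-list inside_access_in extended permit ip any host 203.0.113.10 log
#   access-list inside_access_in extended permit ip any host 203.0.113.11 log
#   access-group inside_access_in in interface inside
#   logging enable
#   logging trap informational      ; 106100 is emitted at level 6
#   logging host inside 10.1.1.200  ; the syslog server (e.g. Kiwi)
#
# Constructed sample syslog lines (not from the original post). The first three
# mimic %ASA-6-106100 messages produced by an ACE carrying the "log" keyword;
# the last is an unrelated message that the parser must ignore.
SAMPLE_SYSLOG = """\
Jan 12 02:14:07 fw01 %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.5(51234) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jan 12 02:14:09 fw01 %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.5(51240) -> outside/203.0.113.10(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Jan 12 02:20:33 fw01 %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.1.1.77(40011) -> outside/203.0.113.11(443) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]
Jan 12 02:21:00 fw01 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.5/51250 (10.1.1.5/51250)
"""

# Fields of a 106100 message: ACL name, action, protocol, in-interface/source(port),
# out-interface/destination(port) and the hit counter.
ACL_HIT = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<sif>[^/\s]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_acl_hits(text):
    """Yield one dict per %ASA-6-106100 line; every other message is skipped."""
    for line in text.splitlines():
        m = ACL_HIT.search(line)
        if m:
            hit = m.groupdict()
            hit["hits"] = int(hit["hits"])
            yield hit

def sources_by_destination(text, dest_ips):
    """Total hits from each internal source to the watched destination IPs.

    hit-cnt is summed rather than counting lines, because after the first hit
    the ASA aggregates repeats per logging interval ("N-second interval").
    """
    counts = Counter()
    for hit in parse_acl_hits(text):
        if hit["dst"] in dest_ips:
            counts[(hit["src"], hit["dst"])] += hit["hits"]
    return dict(counts)

if __name__ == "__main__":
    watched = {"203.0.113.10", "203.0.113.11"}
    for (src, dst), n in sorted(sources_by_destination(SAMPLE_SYSLOG, watched).items()):
        print(f"{src} -> {dst}: {n} hit(s)")
```

Run it against the syslog server's log file instead of SAMPLE_SYSLOG to see which inside addresses reached the streaming servers during the off hours.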

georgehayes3 (Author) commented:
Thank you. I would love to use NetFlow, but the ASA doesn't support it from what I understand.