VERBOSE network monitoring solution (everybody's experience is needed, please)

Posted on 2011-05-12
Last Modified: 2013-12-06
Hello everybody,

I'm newly hired at a new company (hence a new network), and I've been assigned the task of implementing a very verbose monitoring system. The thing is, I don't have much experience in that field, and I don't know what to search for because it's not an IDS or IPS:

1 - We need a program/system to monitor a specific user's traffic. I want to know every URL he goes to, every system he logs in to, I even want to know if he pinged a specific IP!

2 - Same as "1", but for all our users.

3 - We need a monitoring system to log everything going on on the network, of course based on IP/MAC/etc., source to destination, and time/date.

4 - We need a program/system to be a centralized location to collect all our Windows client logs, Windows server logs and SQL Server logs, and display them in a more proper manner than the built-in Windows Event Viewer.

- We are in a Windows Server 2008 / Windows 7 environment.
- All our switches are Cisco 3560s, so I can do port mirroring if needed.

I know I may sound insane, but please, I need everybody's experience. Thank you in advance :)
Question by: a77
    LVL 17

    Expert Comment

    1) This is not monitoring by definition. You will be more or less spying on the user. There is spyware available on the market for that. In simpler terms, NetFlow will tell you which IP is going where and using which protocol, proxy servers will give you a detailed log of which web sites the user(s) are visiting, and spyware will tell you what the user is typing on their machine. :) :)
    We cannot recommend spyware on EE.

    2) Covered above.

    3) You need to log everything???? Hmmm.......... it's weird. Anyway, get a free syslog server (e.g. Kiwi Syslog Server) and enable syslogging on your networking devices. If you log "everything", in a few days you will be running out of space. Make sure you clean the logs frequently. People log ONLY what they need, so you should consult someone about what to log.

    4) I have no idea; you have to wait for some Windows experts. I am not very familiar with Windows.

    LVL 12

    Accepted Solution

    Sounds like you need an all-in-one keylogger to me. You have mentioned most of the things a good keylogger will do.

    If you are in fact looking into monitoring the files captured from this type of logger, I would recommend software from   You can install it on a central machine and look through the logs of any machine it is put on via network share, FTP, etc.

    Either way you go, that kind of solution is going to take up a lot of space when saving the data from that many people, and you might want to hire someone else just to sift through the data :)

    Author Comment

    surbabu, honestly we got hacked 2 times from the internal network, so we are now in getting-crazy mode :)
    So we are investigating now and we need to monitor any new attempts, but I think what I'm asking for is a traffic analyzer, like the way IDSs work: it reads all the traffic from a mirrored port and analyzes it.

    cbowman92: I think we will use keyloggers on our main suspects, but I'm not comfortable with it; it sounds like a final solution if nothing else works.

    LVL 17

    Assisted Solution

    Got hacked internally?????? Analyzing traffic would be no help then. If someone is hacking from inside, you can hardly do anything. That's why a proper security plan with IDS/IPS should be there. There are no tools that will assist you in this.
    You got hacked, that's fine, but how can you be sure that the guy(s) did not steal credentials to hack? No monitoring would help then.

    1) Proper user authentication/authorization access needs to be done (TACACS/RADIUS).
    2) Put spyware in place to track who is doing what. (This is impractical for a large number of users.)
    3) NetFlow will only tell you who accessed what.
    4) Most internal hacks happen by exploiting social loopholes and insecure administration.
    5) Implement domains and disable external USB/DVD/CD so users won't be able to run executables.
    6) Lastly, you should know which employees have the capabilities, so monitor them with spyware or cbowman's recommendation.
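Both surbabu's comments say NetFlow "will tell you who accessed what" and nothing more. As an added example (not code from this thread or from any of the posters), the script below decodes a NetFlow v5 export datagram of the kind a collector receives over UDP (commonly on port 2055) and answers the asker's own questions from it: which hosts a given source talked to, on which protocol and port, and whether it pinged a specific IP (NetFlow v5 exporters encode the ICMP type/code in the destination-port field, so an echo request is visible as a flow even though no payload is kept). The datagram is constructed inline; the hosts and addresses are hypothetical (RFC 1918 and RFC 5737 ranges).

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 export: 24-byte header followed by `count` 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
                                         # srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_ECHO_REQUEST = 8


def parse_netflow_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 export datagram into a list of flow dicts.

    Raises ValueError on a wrong version or on a datagram shorter than the
    record count in the header claims, rather than silently reading garbage.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated datagram: header claims more records than are present")

    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        (src, dst, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, tcp_flags, prot, _tos, _src_as, _dst_as,
         _src_mask, _dst_mask, _pad2) = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst),
            "proto": PROTO_NAMES.get(prot, str(prot)),
            "sport": sport,
            "dport": dport,
            # For ICMP flows the exporter puts (type << 8) | code into dstport.
            "icmp_type": dport >> 8 if prot == 1 else None,
            "tcp_flags": tcp_flags,
            "packets": pkts,
            "bytes": octets,
        })
    return flows


def pinged(flows: list, src: str, dst: str) -> bool:
    """True if `src` sent ICMP echo requests to `dst` in these flows."""
    return any(f["src"] == src and f["dst"] == dst and f["proto"] == "icmp"
               and f["icmp_type"] == ICMP_ECHO_REQUEST for f in flows)


def summarize(flows: list) -> dict:
    """Per source host: the set of (destination, protocol, destination port) it talked to."""
    talked_to = defaultdict(set)
    for f in flows:
        talked_to[f["src"]].add((f["dst"], f["proto"], f["dport"]))
    return dict(talked_to)


# --- constructed sample export; addresses are hypothetical (RFC 1918 / RFC 5737) ---

def _record(src, dst, prot, sport, dport, pkts, octets, tcp_flags=0):
    zero_ip = socket.inet_aton("0.0.0.0")
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst), zero_ip,
                       1, 2, pkts, octets, 1000, 2000, sport, dport, 0, tcp_flags, prot,
                       0, 0, 0, 24, 24, 0)


def _datagram(records):
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, 1305158400, 0, 1, 0, 0, 0)
    return header + b"".join(records)


SAMPLE_EXPORT = _datagram([
    _record("10.0.0.5", "192.0.2.1", 1, 0, ICMP_ECHO_REQUEST << 8, 4, 240),         # the "ping"
    _record("10.0.0.5", "10.0.0.20", 6, 52314, 3389, 120, 41000, tcp_flags=0x1b),   # RDP to an internal server
    _record("10.0.0.5", "198.51.100.10", 6, 52315, 443, 30, 9800, tcp_flags=0x1b),  # HTTPS: no URL in NetFlow
    _record("10.0.0.9", "10.0.0.20", 6, 49201, 445, 12, 3100, tcp_flags=0x1b),      # SMB from another host
])

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_EXPORT)
    for host, dests in sorted(summarize(flows).items()):
        print(host, "->", sorted(dests))
    print("10.0.0.5 pinged 192.0.2.1:", pinged(flows, "10.0.0.5", "192.0.2.1"))
```

What the output makes concrete is the limit the two experts describe: a flow record gives source, destination, protocol, ports and byte counts, so "who talked to which server" and "who pinged what" are answerable, but the HTTPS flow to 198.51.100.10 carries no URL (that is the proxy log's job) and no record names a user, so IP-to-user mapping has to come from DHCP or domain logon logs. Flow exports from a busy network also add up quickly, which is the storage warning above.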



    Author Comment

    Well, it seems like NetFlow + a keylogger would be my best solution to monitor specific users.
    Thank you guys, but one last question: cbowman, do you know if that "all in one keylogger" is detected by antivirus? If yes, do you know another one that's not?
    Thank you surbabu ;)
