centralized logging VS network monitoring tool

Dear Experts

What is the difference between enabling audit logging (e.g. setting up centralised logging such as a Syslog server) and enabling and setting up network monitoring? Do both serve the same purpose? Can you please help me understand what each of these does, and is it recommended to have both enabled on two different servers? Please suggest.
D_wathi asked:
noci (Software Engineer) commented:
They serve different purposes:
Central LOG server: primarily gets log records off a system to some central place. Needed to reconstruct history when a system gets lost.
(Compare to black boxes in planes.) They can ALSO be useful to monitor, because a lot of stuff might be early indicators of trouble.

Network Monitoring as such is only useful to log traffic & traffic patterns. (Might be useful to find the signature of attacks after the act.)
Network monitoring also allows you to act on observed patterns. Lots of tools can recognize specific patterns used in the past (or elsewhere) and then act on the data.

snort is a well-known tool to observe & act on traffic & traffic patterns in networks.
fail2ban is a log monitor that can act on, f.e., connect/login attempts from certain sources.
splunk monitors logs on a large scale.
openvas assesses vulnerabilities in networked equipment.
0
 
Fred Marshall (Principal) commented:
Different things altogether if I understand the terms you're using.
One logs and analyzes events like SIEM.
The other monitors network state like traffic and machine status.
Yes, they can overlap.
0
 
David Sankovsky (Senior SysAdmin) commented:
Allow me to further expand on Fred's answer.

Collecting logs into a centralized system could make investigations easy; for example, you would be able to very quickly ascertain why a certain service failed on a certain machine.
A Network Monitor (notable examples would be PRTG, CheckMK or Nagios, to name a few) allows you to have a real-time view of your network, with the ability to drill down to very specific checks (CPU / RAM utilization on a server, disk usage, whether a service is up or down).

A lot of companies use both systems; we, for example, use PRTG for monitoring and the ELK stack for log collection.
Last week it allowed one of our junior techs, who has very little experience with debugging any type of error, to resolve an issue: he got an alert from the monitoring system that MySQL on one of our staging servers was down. When he logged into the ELK stack, he very quickly saw that MySQL couldn't restart after a scheduled server reboot because the server had run out of storage.
0
D_wathi (Author) commented:
Thank you very much. For a less expensive option, can you suggest a solution? I think a syslog server on one of the VMs running CentOS will be okay; please suggest. And for network monitoring, can you please suggest a tool, and can this be on a Linux/Windows VM? Please suggest. Thanks in advance.
0
 
David Sankovsky (Senior SysAdmin) commented:
CheckMK is an open source network monitor tool.
It takes some time to get used to it and to learn how to configure it, but it gets comfortable very quickly.
0
 
D_wathi (Author) commented:
Can you please let me know which one is recommended: is it SNORT or Nagios? Please.
0
 
noci (Software Engineer) commented:
They do different things....
Nagios: probes elements on systems/network for existence, reachability, etc. and reports/alerts on missing/defective items etc.
SNORT: monitors network traffic (mostly on firewalls) and warns on anomalies in traffic, like virus signatures (not values in files, but traffic patterns, like sudden bulk connections to port 1433...).
So maybe both?
0
 
D_wathi (Author) commented:
Thanks. In a small network of very few systems, but with an MPLS VPN (hub and 2 spokes) and a very secure network, is Nagios needed, or SNORT? Please suggest.
0
 
noci (Software Engineer) commented:
This is like asking: for a weather forecast, do I need a wind-speed meter or a rain meter....
(depends on whether you dislike wind or rain the most..., or maybe you need both for better forecasting)
Or: to drive a nail into the wood, do I need a light hammer, a heavy hammer, or a sledgehammer.... (depends on nail size).

The real question then is WHAT do you want to accomplish....
Nagios: incident measurement, absence-of-service measurement, system load measurement, ... and alert/report if thresholds are exceeded.
    Mostly active polling of components.
Snort: network traffic measurement of packets passing through a server/firewall. If certain conditions are met, act/report on observed issues.
Splunk: log analysis; watch logs for some trigger events, report/alert on observed issues.
OpenVAS: poll all networked equipment and assess whether certain KNOWN vulnerabilities exist (f.e. logons without password, weak encryption methods, weak signing methods, known bugs in services seen).
fail2ban: monitor logs and, if a certain amount of failures with a source IP is reported, either block the source and/or report on it.

Looked at Check_MK (didn't know it...): short look around: a tool to help run a Nagios environment (web manager interface to Nagios, complementary to Nagios).
0
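The fail2ban-style log monitor noci describes (count failures per source IP in a time window, then block or report) is easy to see in a few lines. The following is an added example written for this thread, not code from fail2ban or from any poster; the host name, PIDs and addresses in the sample syslog lines are constructed, and the year is supplied by the caller because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines in syslog format (hypothetical host, RFC 5737 test addresses).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 web1 sshd[2012]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:05 web1 sshd[2013]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
Mar  3 10:00:08 web1 sshd[2014]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:20:00 web1 sshd[2015]: Failed password for root from 198.51.100.20 port 40002 ssh2
Mar  3 10:40:00 web1 sshd[2016]: Failed password for root from 198.51.100.20 port 40003 ssh2
"""

# Matches one sshd failure line, capturing the syslog timestamp and the source address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .+ from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Return a list of (datetime, source_ip) for every failed-login line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # collapse the double space in "Mar  3" and prepend the assumed year
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        failures.append((ts, m["ip"]))
    return failures


def offenders(failures, maxretry=3, window_seconds=600):
    """Map each source IP with >= maxretry failures inside any window to its total failures."""
    by_ip = defaultdict(list)
    for ts, ip in failures:
        by_ip[ip].append(ts)
    hits = {}
    for ip, times in by_ip.items():
        times.sort()
        # the i-th and (i+maxretry-1)-th failure bound a candidate window
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= window_seconds:
                hits[ip] = len(times)
                break
    return hits


if __name__ == "__main__":
    for ip, n in offenders(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failed logins within the window; block and report")
```

With the defaults only 203.0.113.7 trips the rule; the two slow failures from 198.51.100.20 are twenty minutes apart, so they only count if the window is widened, which is exactly the maxretry/window trade-off a log monitor is tuned on.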
 
Fred Marshall (Principal) commented:
For network monitoring, PRTG is very good and a reasonable network can be monitored with the free version.
0