We need to monitor our network devices to react to events, such as account access, redundant devices, and bandwidths.

Oftentimes device logs are aggregated into a status dashboard, where we can get the status of all systems at a glance.

NetFlow - Gathers summaries of statistics about the flow of traffic on a network

• Probe - Sits somewhere on a network to watch traffic
• Collector - Summary records are sent to the collector

NetFlow essentially creates metadata about data that travels through networks, but sometimes we need to analyze raw data.

We can do this using a protocol analyzer such as WireShark to gather network frames.

Network Performance Baseline - Shows what a typical day for a network might look like using various metrics

• Useful for troubleshooting for comparison
• Often collected by SIEM or management console

SIEM (Security and Information Event Manager)

• Logging of security events and info
• Includes both raw logs and summaries/reports
• Security alerts and real time information
• Log aggregation + long-term storage

Syslog - a standard for transferring log file from many different devices to a central location, oftentimes a SIEM

So data is being sent to the SIEM using syslog, but we quickly become overwhelmed with data. We can choose to only capture information of a certain priority or store certain longs for a shorter period of time than others.

API Integration - Allows us to control and manage devices directly from a central management station, as well as automate these tasks.

• No SSH required, essentially communication with devices in their "native language"
• You can write scripts to automatically control or manage devices using APIs

Port Mirroring - Allows you to copy traffic from one or more switch ports to a port mirror

• Can also mirror from one switch to another
• Port mirror: AKA SPAN