Network monitoring for fun and profit


In network security, there are a few important tasks you just can't ignore. They include things such as perimeter security (firewalls and proxies), disaster recovery (backups and redundant systems), and monitoring (packet analysis and system logs). In the area of monitoring, there are a few tools that you might consider evaluating for use in your own network.

  • Nagios: One example is Nagios, a highly configurable, flexible network resource monitoring tool. It's open source (and thus available for free), highly extensible, and very customizable to your needs. Unless otherwise noted, the same is true of every tool that follows: all of them are open source software, and thus available for free.
  • Snort: Another is Snort, "the de facto standard for intrusion detection/prevention." It is, in essence, exactly as advertised.
  • tcpdump: Don't forget venerable standards such as tcpdump. Combined with a scripting language that provides powerful text filtering abstractions such as Perl, Python, or Ruby, or even with something a bit more basic like grep+sed+awk, it's the expert's packet analysis toolkit.
  • lsof: For more localized use, lsof can be an incredibly flexible and powerful tool. Again, you'll need some text filtering to really make use of it.
  • syslog: It doesn't get much more basic and ubiquitous than syslog. If you have to maintain security on any UNIX or UNIX-like system -- such as a Linux distribution, FreeBSD, NetBSD, OpenBSD, OpenSolaris, or Darwin, for instance -- you should learn how to put syslog's facilities to good use (and, once again, how to effectively automate text filtering).
  • event log: There's also event log on Windows. It's not open source, but it's part of the system. You need to know something about it if you're going to try to maintain security on Windows systems.
  • EventSentry: Tools like EventSentry can be of incredible benefit to the Windows network administrator. For single-system monitoring, you might be able to get by with nothing more than the free trial version, which isn't time-limited but does strip away many of the more powerful features of the full version. To monitor an entire network, you'll want to invest in the complete package -- or get something else. It's not open source software, which means licensing issues must be dealt with.
  • Eventlog to Syslog Utility: For "something else," there's always the open source Purdue University Eventlog to Syslog Utility, AKA "evtsys." It's a simple tool that you run on Windows systems to automatically read and reformat events in the event log, then send them to a UNIX system to be handled by syslog. It's an excellent tool and makes the life of the busy netadmin much more easily managed by collecting all the necessary log events in one convenient place on the network.
  • glTail.rb: My inspiration for writing this article, however, was one I've only just discovered today. I'm not 100 percent certain it's all that useful in practice, yet, but it sure as heck is fun to watch it work. Get a load of glTail.rb, a "realtime logfile visualization." It looks a lot better than similarly graphical (though not very similarly functioning) tools like EtherApe ever did. Check out the "xvid movie" link there -- it's an AVI video, so even Ubuntu users who haven't figured out how to get WMV files working in MPlayer shouldn't have any trouble with it. It's mesmerizing.
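The tcpdump, lsof, syslog, and evtsys items all come back to the same chore: automating the text filtering over log lines. The script below is an added example written for this page, not code from the article or from any of the tools it names. It parses classic BSD-format syslog lines, pulls out OpenSSH password failures, aggregates them per source address, and flags sources that cross a threshold; the sample lines are constructed (documentation address ranges, not real hosts), and the regexes and the threshold of three are assumptions for the demo.

```python
"""Filter syslog text for repeated SSH authentication failures.

Added example for this page; regexes, sample data and threshold are
assumptions made for the demonstration.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample syslog lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Mar  3 10:01:12 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:19 bastion sshd[4025]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:02 bastion sshd[4031]: Accepted publickey for deploy from 198.51.100.20 port 40112 ssh2
Mar  3 10:02:44 bastion sshd[4040]: Failed password for root from 198.51.100.9 port 39001 ssh2
Mar  3 10:03:10 bastion CRON[4050]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:03:31 bastion sshd[4055]: Failed password for invalid user test from 203.0.113.7 port 51100 ssh2
"""

# Classic BSD syslog line: "<Mon dd HH:MM:SS> <host> <prog>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# OpenSSH's password-failure message, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line):
    """Split one syslog line into named fields, or return None if it doesn't match."""
    m = SYSLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def failed_logins(text):
    """Return (failure count per source IP, set of usernames tried per source)."""
    per_src = Counter()
    users = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["prog"] != "sshd":
            continue  # skip unparseable lines and other daemons
        f = FAILED_RE.search(rec["msg"])
        if f:
            per_src[f["src"]] += 1
            users[f["src"]].add(f["user"])
    return per_src, dict(users)


def flag_sources(per_src, threshold=3):
    """Sources with at least `threshold` failures, most active first."""
    return [src for src, n in per_src.most_common() if n >= threshold]


def report(text, threshold=3):
    """One human-readable line per flagged source."""
    per_src, users = failed_logins(text)
    return [
        f"{src}: {per_src[src]} failures, users tried: {sorted(users[src])}"
        for src in flag_sources(per_src, threshold)
    ]


if __name__ == "__main__":
    # Pass a log file path to scan real data; otherwise use the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(text):
        print(line)
```

Run it as `python sshfail.py /var/log/auth.log` (or whatever file your syslog configuration sends `sshd` messages to) to scan live data; the threshold and the per-source grouping are the two knobs you would tune before turning this into a cron job or a feed for a dashboard. The same parse-then-aggregate shape applies to lines forwarded from Windows hosts by evtsys once they land in syslog, with only the message regex changing.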

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

4 comments
JCitizen

I can rely on Kiwi Syslog and XP Event Viewer for now; later I might need more. I like the simple syslog so I don't have to log on to my gateway so often to monitor what is going on. Kiwi's daemon is free and, if you know how to configure it, can provide a lot of filtered information. The paid version is even better and has support. However, most of you are probably better served with a combination of the syslog cited here and the Eventlog to Syslog utility. I may play with this later. Some of the third-party security software I like provides built-in tools. Their logging and tracking tools can be more detailed than some of the lightweight tools mentioned here. Too bad I had to drop Symantec because, for example, their Visual Trace and alert tracker were useful to me. To the usual user they were probably a pain, but I liked them. My Check Point gateway has a good feature in the console that provides information on IDS events and an instant WHOIS link. I receive a detailed monthly analysis report complete with pie charts and hyperlinks to information on IDS activity. This became essential when working with my ISP on network security problems. These are just examples; you may have better ones to relate to the discussion.

jason

Just on glTail, my best use for it has been a quick and dirty 50-odd inch screen which runs the application against my spam filters, squid box and web servers. I can look and see a quick bottleneck on my system, but more importantly my CEOs and management can look and have a pretty interface. I use it similar to Google's scrolling list of search terms. All in all a really useful tool.

stacey7165

Hyperic HQ (http://www.hyperic.com) is also open source and can consume all your Nagios monitoring metrics and provide realtime and historical data analysis, aggregates logs, events and security data with performance data, and provides flexible app and group views. It also provides the majority of your technologies OOB including VMware, which makes set up a snap.

apotheon

I considered adding Wireshark to the mix, and making it a list of ten. That tends to get better traffic from Google, for some reason. I just couldn't come up with a title that really captured the spirit of it and started with the number 10, though -- and don't much like Wireshark's interface, myself. Some of you surely have some favorite network monitoring tools of your own -- and opinions of the tools I've mentioned. Let's hear about it.