
Syslogd

Syslogd is often used to turn machine messages, or syslogs, into events for further processing; ultimately, alarms are generated which can trigger some type of notification. The problem with the messages syslogd handles is their loosely structured data format: RFC 3164 and RFC 5424 standardize the envelope (priority, timestamp, hostname), but the message body is free text that every vendor, and often every product line, lays out differently, so a collector needs a vendor-specific parser before it can do anything useful with the data. This post is about the end of syslog and the evolution of IPFIX, due largely to the fact that the data exported in IPFIX is highly structured: every record is described by a template that states which fields it carries and how long each one is.

IPFIX Syslogging

If you decided to break into the TV manufacturing business today, you wouldn’t build a big tube-based television and tout its amazing picture quality. If you did, you probably wouldn’t sell many bulky TVs. To compete, you would have to design an ultra-thin flat screen that is remarkably light, has true 3D picture quality and is probably Bluetooth compatible. Similarly, if you were going to break into the network appliance business with a switch, router, firewall or IPS, you wouldn’t brag about SNMP and syslog support, because most people assume they are supported. Today’s network and security admins want flow technologies. Specifically, they are asking for NetFlow or IPFIX support, and the companies supporting flow technologies are typically the leaders in their industry. Take Cisco, Palo Alto Networks and SonicWALL, for example: all three support NetFlow and IPFIX and are leaders in the firewall market. VMware, the leading virtual server software vendor, supports NetFlow and IPFIX as well.

Do these vendors export syslogs? Of course they do, but the kinds of malware detection and traffic analysis possible with syslogs are limited in comparison to flow technologies, and SNMP does not lend itself well to reporting on network security threats. Here is why.

Every IPFIX implementation uses information elements (IEs) of two kinds: standard IEs, which are registered with IANA and predefined for all vendors, and enterprise-specific IEs, which a vendor defines itself. In the template, an enterprise-specific IE is marked with the enterprise bit and carries the vendor’s IANA Private Enterprise Number (PEN), so proprietary fields can be exported without colliding with anyone else’s numbering, and a collector that does not know the field can still skip over it because the template states its length. As a result, vendors can export any information of their choice, not just the counters you would otherwise poll over SNMP, but practically anything the device knows about a flow.

Another aspect of IPFIX’s flexibility is variable-length fields: the template declares the field length as 65535, and each data record then carries the actual length in front of the value. SonicWall uses this for information that varies dramatically in length, such as HTTP URL, user name, detected application, detected intrusions, detected viruses and several other proprietary information elements. Enterasys, ntop, Juniper and many others have also adopted IPFIX because of this flexibility.

If you are stuck with a big investment in a legacy system that you are still trying to recover an ROI on, use something like IPFIXify to convert logs to IPFIX; think of it as a syslog to IPFIX gateway. The structured format of flow data makes it easier to use its contents as meta or contextual information when correlating logs between disparate system types, for example joining user names from Cisco ISE to flow records to identify who is behind anomalous traffic.
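To make the three points above concrete (enterprise-specific IEs under a PEN, variable-length fields, and a syslog to IPFIX gateway whose output can be joined to flow records), here is a toy gateway written as an added example. It is not code from the original post, from IPFIXify or from any vendor. The PEN 99999 is a placeholder, the IE numbers 1 and 2 under it are hypothetical, the syslog lines and flow records are constructed (they are not Cisco ISE or SonicWall output), and the only format-specific logic is the regex in parse_syslog; everything after that is driven by the template.

```python
# Added example (not from the original post): a toy syslog-to-IPFIX gateway in the
# RFC 7011 wire format, with enterprise-specific and variable-length IEs.
import re, socket, struct

IPFIX_VERSION, TEMPLATE_SET_ID, TEMPLATE_ID = 10, 2, 256  # data set IDs are >= 256
VARLEN = 0xFFFF     # template length that marks a variable-length IE (RFC 7011 s.7)
PEN = 99999         # ASSUMPTION: placeholder Private Enterprise Number, not a real one
IPV4_IES = {8, 12}  # IANA IEs sourceIPv4Address / destinationIPv4Address

# (name, ie_id, length, enterprise): 8/12/11 are IANA IEs; 1/2 under PEN are hypothetical
FIELDS = [
    ("sourceIPv4Address", 8, 4, None),
    ("destinationIPv4Address", 12, 4, None),
    ("destinationTransportPort", 11, 2, None),
    ("userName", 1, VARLEN, PEN),
    ("eventName", 2, VARLEN, PEN),
]
NAMES = {(ie, pen): name for name, ie, _, pen in FIELDS}

# Constructed sample input (not a real vendor's syslog format) and constructed flows.
SYSLOG_LINES = [
    "<134>1 2024-03-01T12:00:00Z ise01 auth - - - user=alice src=10.1.2.3 dst=192.0.2.10 dport=443 event=LOGIN_OK",
    "<134>1 2024-03-01T12:00:05Z ise01 auth - - - user=bob src=10.1.2.4 dst=192.0.2.10 dport=22 event=LOGIN_FAIL",
]
BODY_RE = re.compile(r"user=(\S+) src=(\S+) dst=(\S+) dport=(\d+) event=(\S+)")
FLOWS = [
    {"src": "10.1.2.4", "dst": "192.0.2.10", "dport": 22, "bytes": 840},
    {"src": "10.1.2.3", "dst": "192.0.2.10", "dport": 443, "bytes": 51200},
    {"src": "10.1.2.9", "dst": "192.0.2.10", "dport": 22, "bytes": 120},
]

def parse_syslog(line):
    """The only format-specific step: a regex over the free-text syslog body."""
    m = BODY_RE.search(line)
    if not m:
        raise ValueError("unrecognised syslog body: " + line)
    user, src, dst, dport, event = m.groups()
    return dict(zip((n for n, *_ in FIELDS), (src, dst, int(dport), user, event)))

def encode_varlen(data):
    """RFC 7011 s.7: one length byte if < 255, else 0xFF followed by a 2-byte length."""
    return bytes([len(data)]) + data if len(data) < 255 else b"\xff" + struct.pack("!H", len(data)) + data

def encode_field(ie, ie_len, pen, value):
    if ie_len == VARLEN:
        return encode_varlen(value.encode("utf-8"))
    if pen is None and ie in IPV4_IES:
        return socket.inet_aton(value)
    return int(value).to_bytes(ie_len, "big")

def build_message(records, export_time=0, seq=0, domain=1):
    """Exporter side: 16-byte message header, a template set, then one data set."""
    specs = b""
    for _, ie, ie_len, pen in FIELDS:  # enterprise bit set => the 4-byte PEN follows
        specs += struct.pack("!HH", ie, ie_len) if pen is None else struct.pack("!HHI", ie | 0x8000, ie_len, pen)
    template = struct.pack("!HH", TEMPLATE_ID, len(FIELDS)) + specs
    data = b"".join(encode_field(i, l, p, r[n]) for r in records for n, i, l, p in FIELDS)
    body = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template)) + template + struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    return struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, seq, domain) + body

def decode_message(msg):
    """Collector side: learn templates, then parse data records by template (no regex)."""
    if msg[:2] != b"\x00\x0a" or struct.unpack("!H", msg[2:4])[0] != len(msg):
        raise ValueError("bad IPFIX header")
    templates, records, pos = {}, [], 16
    while pos + 4 <= len(msg):
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        p, end = pos + 4, pos + set_len
        if set_id == TEMPLATE_SET_ID:
            while p + 4 <= end:
                tid, count = struct.unpack("!HH", msg[p:p + 4]); p += 4
                templates[tid] = fields = []
                for _ in range(count):
                    ie, ie_len = struct.unpack("!HH", msg[p:p + 4]); p += 4
                    pen = None
                    if ie & 0x8000:
                        pen = struct.unpack("!I", msg[p:p + 4])[0]; p += 4
                    fields.append((ie & 0x7FFF, ie_len, pen))
        elif set_id in templates:  # data sets for unknown templates are skipped
            fields = templates[set_id]
            min_len = sum(1 if l == VARLEN else l for _, l, _ in fields)
            while end - p >= min_len:  # anything shorter is set padding
                rec = {}; records.append(rec)
                for ie, ie_len, pen in fields:
                    if ie_len == VARLEN:
                        n = msg[p]; p += 1
                        if n == 255:
                            n = struct.unpack("!H", msg[p:p + 2])[0]; p += 2
                        val = msg[p:p + n].decode("utf-8"); p += n
                    elif pen is None and ie in IPV4_IES:
                        val = socket.inet_ntoa(msg[p:p + 4]); p += 4
                    else:
                        val = int.from_bytes(msg[p:p + ie_len], "big"); p += ie_len
                    rec[NAMES.get((ie, pen), (ie, pen))] = val
        pos = end
    return templates, records

def annotate_flows(flows, records):
    """Join flows to user names on source address; unknown sources stay unattributed."""
    users = {r["sourceIPv4Address"]: r["userName"] for r in records}
    return [dict(f, user=users.get(f["src"], "unknown")) for f in flows]
```

Feeding SYSLOG_LINES through parse_syslog, build_message and decode_message yields the two records back as typed fields, and annotate_flows(FLOWS, records) attributes the first two flows to bob and alice while the third stays "unknown". Two design points carry over to real deployments: the template must reach the collector before the data records it describes (over UDP, exporters resend templates periodically for exactly this reason), which is why decode_message silently skips a data set whose template it has not seen; and the same collector code handles a user name of five bytes or five hundred, because the length travels with the value rather than being guessed from the text.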

It’s time to move away from syslog and start gaining the benefits of a structured data technology. IPFIX is the future of log messaging.

Please feel free to share your experience if you have been exporting your Syslogs as IPFIX.