Comprehensive switch log monitoring and security with EventLog Analyzer

Switches are critical components in network infrastructure, enabling communication between devices within a network. Ensuring the performance, health, and security of switches is vital for maintaining network stability and preventing unauthorized access. ManageEngine EventLog Analyzer monitors switch logs to provide insights into network activity, potential security threats, and overall performance.

This tutorial outlines various use cases for monitoring and securing switches using EventLog Analyzer. To effectively monitor and secure switches through log monitoring, ensure that switch logs are configured to be sent to the EventLog Analyzer server.

Please find below the links to configure the syslog service on:

Monitoring switches using EventLog Analyzer: Use cases

EventLog Analyzer covers the following switch monitoring use cases with its security monitoring reports. These reports are predefined and can be scheduled to be generated at specific times and distributed over email.

| Vendor | Use Case | Description | Why implement? | Available Reports |
| --- | --- | --- | --- | --- |
| HP | User authentication monitoring | Monitor logon and logoff activities on HP switches. | Ensure authorized access and detect unauthorized attempts. | Logons, Logoff, Top Successful Logons from Source, Failed Logons |
| HP | Interface and trunk monitoring | Track the status of interfaces and trunks (up/down). | Quickly identify network disruptions and restore connectivity. | Interface Up, Interface Down, Trunk Up, Trunk Down |
| HP | Configuration change auditing | Monitor changes to switch configurations. | Ensure compliance with network policies and detect unauthorized changes. | Configuration Change |
| HP | System health monitoring | Track the health status of fans, power, and system reboots. | Prevent hardware failures and ensure consistent switch operation. | Fan Ok, Fan Failed, Power Status, System Reboot |
| HP | Security event monitoring | Monitor critical events like ACL errors and emergency events. | Detect and respond to security threats in real time. | ACL Error, Emergency Events, Critical Events |
| Cisco | System event monitoring | Monitor various system events on Cisco switches. | Ensure the operational health of switches and prevent downtime. | System Events, Fan Failed, Power Supply, System Temperature Exceeded, System Shutdown due to Temperature |
| Cisco | Interface status monitoring | Track the status of interfaces. | Ensure network reliability and diagnose issues related to interface performance. | Interface Up, Interface Down, Interface down due to link failure, Interface Down Suspended by Speed |
| Cisco | User authentication monitoring | Monitor logon activities, including successful and failed attempts, on Cisco switches. | Secure access to network devices and detect unauthorized access attempts. | Top logons based on users, Top logons based on remote devices, Top logons based on ports, Top failure logons based on users, Top Failure Logons based on Remote Devices, Logons Trend, Failed Logons Trend |
| Cisco | Event severity monitoring | Monitor and respond to events based on severity, from emergency to debug levels. | Maintain network performance by addressing critical events promptly. | Emergency Events, Alert Events, Critical Events, Error Events, Warning Events, Notice Events, Information Events, Debug Events |
| Cisco | Threats | Monitor power supply and environmental conditions to detect tampering or external threats. | Ensure physical security and operational integrity by monitoring critical environmental factors. | Power Supply, Power Supply Scheduled, Fan Failed, System Shutdown due to Temperature |
| Arista | User authentication monitoring | Monitor logon and logoff activities on Arista switches. | Secure access and detect unauthorized access attempts. | Logons, Logoff, Logons Trend, Failed Logons, Failed Logons Trend |
| Arista | System event monitoring | Monitor system events such as configuration changes, reboots, and hardware status on Arista switches. | Maintain device reliability and configuration compliance. | Configuration Change, System Reboot, Command executed, Fan Status, Power Status, Temperature Status, Package Status |
| Arista | Event severity monitoring | Monitor and respond to events based on their severity level. | Improve incident response times by prioritizing critical events. | Emergency Events, Alert Events, Critical Events, Error Events, Warning Events, Notice Events, Information Events, Debug Events |
| Arista | Critical event response | Monitor and respond to critical events that could indicate a security threat. | Quickly address high-severity security incidents to protect network infrastructure. | Critical Events, Emergency Events, Alert Events |

Securing switches using EventLog Analyzer: Use cases

EventLog Analyzer provides a comprehensive set of detection rules designed to identify and mitigate potential threats targeting network switches, including unauthorized access, configuration changes, and anomalous traffic patterns. The table below highlights some of the key security use cases that EventLog Analyzer covers, helping to ensure the integrity and security of your network infrastructure.

| Vendor | Use Case | Description | Why implement? | Detection alerts / correlation rules |
| --- | --- | --- | --- | --- |
| HP | Unauthorized configuration changes | Detect and monitor any unauthorized configuration changes on HP switches. | Prevent potential security breaches by ensuring only authorized users can make configuration changes. | Configuration Change, Critical Events, Emergency Events, Error Events |
| HP | ACL violations | Detect ACL errors that could indicate an attempt to bypass security policies. | Ensure network security by detecting and addressing any ACL misconfigurations or violations promptly. | ACL Error, Alert Events, Critical Events |
| Cisco | Interface down due to link failure | Detect and investigate link failures that could be caused by malicious tampering or hardware failure. | Quickly identify and address potential security threats that could disrupt network connectivity. | Interface down due to link failure, Interface Down Suspended by Speed, Emergency Events |
| Cisco | ACL violations | Detect ACL errors that could indicate an attempt to bypass security policies. | Ensure network security by detecting and addressing any ACL misconfigurations or violations promptly. | ACL Error, Alert Events, Critical Events |
| Arista | Critical event responses | Monitor and respond to critical events that could indicate a security threat. | Quickly address high-severity security incidents to protect network infrastructure. | Critical Events, Emergency Events, Alert Events |
| Arista | Advanced persistent threat (APT) detection | Detect unusual patterns of logons, logoffs, or command executions that may indicate an APT in progress. | Identify and mitigate long-term, targeted attacks that could lead to significant data loss or disruption. | Logons, Logoff, Command executed, Critical Events |
| Arista | Supply chain attack indicators | Monitor for unusual firmware or software package updates that could indicate a supply chain attack. | Protect against compromised updates that could introduce vulnerabilities or malware into the network. | Configuration Change, Command Executed |
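As an added illustration of the event severity and failed-logon use cases in the two tables above (example code written for this page, not ManageEngine's or EventLog Analyzer's own parsing or rule logic), the following Python parses Cisco IOS-style syslog lines, groups them into the same severity families the reports use, and flags sources with repeated failed logons, which is the kind of condition a correlation rule alerts on. The sample lines are constructed, and the mnemonic-to-use-case mapping and the failure threshold are assumptions for the illustration.

```python
import re
from collections import Counter

# Cisco IOS severity levels 0-7, named as in the report families above
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice", "Information", "Debug"]
# "%FACILITY-SEVERITY-MNEMONIC: text" body of an IOS-style syslog message
MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)$")
SOURCE_RE = re.compile(r"\[Source:\s*([0-9.]+)\]")
# Assumed mapping from mnemonic to the use cases above (illustrative, not the product's own rule set)
USE_CASES = {"LOGIN_FAILED": "Failed Logons", "LOGIN_SUCCESS": "Logons",
             "CONFIG_I": "Configuration Change", "UPDOWN": "Interface Up/Down"}

def parse_line(line):
    """Return (severity_name, mnemonic, use_case, text), or None if the line is not IOS-style."""
    m = MSG_RE.search(line)
    if not m:
        return None
    facility, sev, mnemonic, text = m.groups()
    return SEVERITY_NAMES[int(sev)], mnemonic, USE_CASES.get(mnemonic, "Other"), text

def summarize(lines):
    """Count parsed events by severity name and by use case, as the severity and use-case reports do."""
    by_severity, by_use_case = Counter(), Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            by_severity[parsed[0]] += 1
            by_use_case[parsed[2]] += 1
    return by_severity, by_use_case

def failed_logon_sources(lines, threshold=2):
    """Source addresses with at least `threshold` failed logons (assumed threshold for the example)."""
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == "LOGIN_FAILED":
            src = SOURCE_RE.search(parsed[3])
            if src:
                hits[src.group(1)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

# Constructed sample lines in Cisco IOS syslog format (not captured from a real device)
SAMPLE_LOGS = """\
<189>42: *Mar  1 00:12:05.101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
<187>43: *Mar  1 00:12:09.400: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
<188>44: *Mar  1 00:12:20.002: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
<188>45: *Mar  1 00:12:24.310: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed]
<188>46: *Mar  1 00:12:31.771: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.7] [localport: 22] [Reason: Login Authentication Failed]
<189>47: *Mar  1 00:13:01.005: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.0.0.5] [localport: 22]
""".splitlines()
```

Running `summarize(SAMPLE_LOGS)` yields the per-severity and per-use-case counts a scheduled report would show, and `failed_logon_sources(SAMPLE_LOGS)` returns only the source that crossed the threshold.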

Switch compliance auditing with EventLog Analyzer

Many regulatory standards require organizations to implement monitoring solutions for their network infrastructure, including switches, to track access and modifications and ensure data security. The table below illustrates how EventLog Analyzer can assist in meeting compliance requirements for switch monitoring. For a detailed solution mapping, refer to this space.

Compliance requirements: Solution mapping

EventLog Analyzer reports and alerts: Logon Reports (Logons, Logoff, Top Successful Logons from Source, Top logons based on users, Logons Trend)

Detection rules: Logons

| Regulations | Requirements |
| --- | --- |
| FISMA | Access Control (AC); Configuration Management (CM); Information System Monitoring (SI-4) |
| PCI DSS | PCI-DSS requirements 10.1, 10.2.1, 10.2.2, 10.2.3 |
| SOX | SEC 302 (a) (4) (C); SEC 302.2; SEC 404.B |
| HIPAA | 164.306 (a) (1); 164.306 (a) (1) (i); 164.308 (a) (6) (ii) |
| GLBA | Section 314.4(b)(1); Section 314.4(c); Section 501B (2) & (3) |
| CMMC | C003 - AC.2.013; C013 - CM.2.061 |
| POPIA | Chapter 3 - Section 19 (2) (a) |
| ISLP | ARTICLE 12; ARTICLE 13; ARTICLE 19.3; ARTICLE 20.5; ARTICLE 30.4; ARTICLE 30.6 |
| NRC | ACT B.1.6; ACT B.1.22; ACT B.2.6; ACT C.3.4; ACT C.3.7; ACT C.4.3 |
| FERPA | Section 99.31 (a)(1)(ii) |
| PDPA | RULE VI Section 25; RULE VII Section 30 |
| SAMA | 3.2.1.1 Cyber Security Risk Identification; 3.2.1.3 Cyber Security Risk Response; 3.2.5 Cyber Security Audits; 3.3.5 Identity and Access Management; 3.3.6 Application Security; 3.3.7 Change Management |
| CJDN | |
| QCF | Application Development, Logging |
| TISAX | 4.2 Application Security Service; 4.6.2 Threat Modelling; 6.2 Data Protection Service; 6.8.3 Data at rest |
| ECC | 7.2 Change and Patch Management Service; 8.11 Security monitoring and operations strategy; 13.2 Identity and Access Management Service |
| PDPL | 4.1.2; 5.2.4 |
| UAE-NASA | Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data |
| LGPD | T3.2.3; T5.2.2; Art 14 |