Network Assurance with SNMP, NetFlow, and Syslog
Introduction
Network assurance is the practice of continuously monitoring, validating, and troubleshooting the health of your enterprise network. Without proper visibility into what is happening across your infrastructure, diagnosing failures, identifying security incidents, and maintaining performance becomes guesswork. The CCNP ENCOR blueprint dedicates an entire domain to network assurance, and three of the most critical tools in this space are Syslog, NetFlow, and SNMP.
In this lesson, you will learn what each of these monitoring technologies does, how they differ from one another, and how they are configured on network devices. By the end, you will understand how to enable logging, export flow data to a collector, and use these tools together to build a comprehensive monitoring strategy for an enterprise network.
Key Concepts
Syslog
Syslog is the most widely used logging mechanism on network devices. It provides information about a device's health, the status of connecting users, the protocols they are using, and general statistics-based analysis. Syslog messages can be stored locally on the device or sent to a remote logging server for centralized collection and long-term retention.
On a security appliance, syslog can reveal whether VPN users have successfully logged in, what IP addresses have been assigned to them, and which group policies are in effect. A real-time log viewer allows administrators to watch these events as they happen.
NetFlow
NetFlow enables you to view network information on a flow-by-flow basis, examining conversations based on Layer 3 and Layer 4 information. Rather than capturing every packet, NetFlow summarizes traffic into flows defined by attributes such as source and destination IP address, source and destination port, and protocol type. The device exports this flow data to a server running a NetFlow collection service, which formats and displays the information through a web-enabled control panel or dedicated software.
The ENCOR v1.1 blueprint specifically calls out traditional NetFlow configuration as a topic candidates must understand, alongside the newer Flexible NetFlow.
SNMP
SNMP (Simple Network Management Protocol) is the standard protocol for querying and monitoring network device parameters. While the reference material focuses on Syslog and NetFlow for detailed logging and flow analysis, SNMP complements them by providing a polling-based mechanism to retrieve device metrics such as CPU utilization, memory usage, interface statistics, and uptime.
Comparison of Monitoring Technologies
| Feature | Syslog | NetFlow | SNMP |
|---|---|---|---|
| Data Type | Event messages and logs | Traffic flow summaries (L3/L4) | Device metrics and status |
| Direction | Device pushes logs to server | Device exports flows to collector | Manager polls device (or device sends traps) |
| Primary Use | Troubleshooting, audit trails, user session tracking | Traffic analysis, bandwidth planning, anomaly detection | Health monitoring, performance trending |
| Storage | Local buffer or remote server | External NetFlow collector | MIB on device, NMS database |
| Granularity | Per-event | Per-flow (conversation) | Per-object (interface, CPU, etc.) |
How It Works
Syslog Operation
When logging is enabled on a network device, every significant event generates a syslog message. These messages are categorized by severity level (0 through 7, with 0 being the most critical) and by facility (the subsystem that generated the message).
The device can be configured to store logs in multiple locations simultaneously:
- Console: Messages displayed directly on the console session
- Buffer: An internal memory buffer on the device, with a configurable size (for example, 4096 bytes by default)
- Flash: Persistent storage on the device's flash memory, with a configurable maximum size (for example, 1024KB)
- Remote server: A syslog server on the network that receives messages for centralized storage and analysis
When the logging buffer exceeds its configured size, the buffer rolls over and new information overwrites the existing entries. This is why sending logs to a remote server is critical for long-term retention. You can verify what is currently in the buffer using the show logging command.
A real-time log viewer provides a live stream of events, showing user login successes, IP address assignments, group policy applications, and protocol activity as they occur.
NetFlow Operation
NetFlow operates by examining packets as they traverse the device and grouping them into flows. A flow is defined as a unidirectional stream of packets sharing common Layer 3 and Layer 4 attributes. The device maintains a flow cache in memory, and when a flow expires or the cache is full, the flow record is exported to the NetFlow collector.
The collector server receives these records and processes them into reports. Administrators can then view traffic patterns, identify top talkers, detect anomalies, and perform capacity planning. The device sends NetFlow information to the collector using a configured IP address and port number.
Flexible NetFlow extends traditional NetFlow by allowing administrators to customize which fields are collected in each flow record, offering greater flexibility for different monitoring requirements.
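The flow cache behaviour described above (unidirectional flows keyed by the Layer 3/4 5-tuple, export on expiry or when the cache is full) modelled in Python as an added example, not code from the lesson or from any vendor's NetFlow implementation; the packet records are constructed, and the timeout defaults and 4-entry cache size are assumptions chosen for illustration.

```python
from collections import OrderedDict
# Packet tuple layout: (ts, src_ip, dst_ip, src_port, dst_port, proto, bytes); the 5-tuple is pkt[1:6]
KEY_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")

class FlowCache:
    """Groups packets into unidirectional flows keyed by the L3/L4 5-tuple; a record is exported
    when the flow times out (active or inactive timer) or the cache is full."""

    def __init__(self, max_entries=4, active_timeout=1800, inactive_timeout=15):
        self.max_entries, self.active_timeout, self.inactive_timeout = max_entries, active_timeout, inactive_timeout
        self.cache = OrderedDict()   # 5-tuple -> flow record, oldest flow first
        self.exported = []           # records handed to the collector (a real device sends them over UDP)
    def _export(self, key):
        self.exported.append(self.cache.pop(key))

    def expire(self, now):
        """Export flows idle longer than inactive_timeout or alive longer than active_timeout."""
        for key, rec in list(self.cache.items()):
            if now - rec["last"] > self.inactive_timeout or now - rec["first"] > self.active_timeout:
                self._export(key)

    def observe(self, pkt):
        """Account one packet into its flow, creating the flow record on first sight."""
        now, key = pkt[0], pkt[1:6]
        self.expire(now)
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_entries:   # cache full: export the oldest flow to make room
                self._export(next(iter(self.cache)))
            rec = self.cache[key] = dict(zip(KEY_FIELDS, key), first=now, last=now, packets=0, bytes=0)
        rec["packets"], rec["bytes"], rec["last"] = rec["packets"] + 1, rec["bytes"] + pkt[6], now

    def flush(self):
        for key in list(self.cache):          # export everything still cached and return all records
            self._export(key)
        return self.exported

# Constructed sample traffic (not a real capture): an HTTPS conversation, its reverse direction, a DNS query
SAMPLE_PACKETS = [
    (0.0, "10.1.1.20", "198.51.100.5", 51000, 443, 6, 60),
    (0.1, "198.51.100.5", "10.1.1.20", 443, 51000, 6, 60),    # reverse direction is its own flow
    (0.2, "10.1.1.20", "198.51.100.5", 51000, 443, 6, 1460),
    (0.3, "10.1.1.20", "192.0.2.53", 40000, 53, 17, 75),
    (30.0, "10.1.1.20", "198.51.100.5", 51000, 443, 6, 60),   # arrives after the inactive timeout
]
def run(packets, **kwargs):
    cache = FlowCache(**kwargs)               # feed packets through a cache, return exported records
    for pkt in packets:
        cache.observe(pkt)
    return cache.flush()
```

With the defaults, the three early flows are exported by the inactive timer when the packet at 30.0 s arrives, so the final HTTPS packet starts a new flow record rather than extending the old one.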
VPN Statistics as a Monitoring Complement
On security appliances, the VPN Statistics window provides additional monitoring data that works alongside Syslog and NetFlow. This includes:
- Sessions: Current session count and logged-in users
- Crypto Statistics: Number of encrypted packets and security association (SA) creations
- Compression Statistics: Current compressed data in bytes, resets, ratio, and errors
- Encryption Statistics: Number and percentage of sessions using each encryption algorithm
- Global IKE/IPsec Statistics: Active tunnels, packets in and out
- Protocol Statistics: Number and percentage of IKEv1, IKEv2, SSL, and L2TP sessions established
This data shows which connection profiles and group policies are in use, the encryption and authentication algorithms active on each session, and the IP address assignment for each connected user.
Configuration Example
Enabling Syslog Logging
To enable syslog logging on a device, you first activate the logging subsystem and then specify where the logs should be stored. The following example enables logging, sets the internal buffer size, and allocates flash storage for persistent log data.
logging enable
logging buffered 4096
logging flash-size 1024
- logging enable activates the logging subsystem on the device
- logging buffered 4096 sets the internal logging buffer to 4096 bytes; when exceeded, older entries are overwritten
- logging flash-size 1024 allocates 1024KB of flash storage for persistent log retention
To verify current logging status and review buffered messages:
show logging
This command displays the contents of the logging buffer. If the buffer has rolled over, only the most recent entries within the configured size will be visible.
Configuring a Remote Syslog Server
To send log messages to a remote syslog server for centralized monitoring:
logging host 192.168.1.100
logging trap informational
- logging host 192.168.1.100 specifies the remote syslog server address
- logging trap informational sets the severity threshold; messages at this level and above are sent to the remote server
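The severity threshold set by logging trap, together with the facility/severity encoding and the buffer rollover described in the Syslog Operation section, modelled in Python as an added example that is not code from the lesson or from any Cisco device; the sample lines are constructed, and the buffer model counts only message text bytes.

```python
import re
from collections import deque
# Cisco severity keywords indexed by numeric level, 0 (most critical) .. 7
SEVERITY_NAMES = ["emergencies", "alerts", "critical", "errors",
                  "warnings", "notifications", "informational", "debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode_pri(message):
    """Split a '<PRI>text' line into (facility, severity, text); PRI = facility * 8 + severity."""
    m = PRI_RE.match(message)
    if not m or int(m.group(1)) > 191:
        raise ValueError("malformed PRI header: %r" % message[:16])
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)

def passes_trap_level(severity, trap_level):
    """Model 'logging trap <level>': forward messages whose severity number is <= the threshold."""
    return severity <= SEVERITY_NAMES.index(trap_level)

class LoggingBuffer:
    """Byte-sized ring buffer like 'logging buffered N': when full, the oldest entries are dropped."""
    def __init__(self, size_bytes):
        self.size, self.entries, self.used = size_bytes, deque(), 0
    def add(self, text):
        if len(text) > self.size:           # one message larger than the whole buffer cannot be kept
            return False
        while self.used + len(text) > self.size:   # roll over: discard oldest until the new one fits
            self.used -= len(self.entries.popleft())
        self.entries.append(text)
        self.used += len(text)
        return True

def process(lines, trap_level="informational", buffer_size=4096):
    """Return (records forwarded to the remote server, texts still held in the local buffer)."""
    buf, forwarded = LoggingBuffer(buffer_size), []
    for line in lines:
        facility, severity, text = decode_pri(line)
        buf.add(text)                       # the local buffer keeps every level, subject to rollover
        if passes_trap_level(severity, trap_level):
            forwarded.append((facility, SEVERITY_NAMES[severity], text))
    return forwarded, list(buf.entries)

# Constructed sample lines (not captured from a device); facility 20 is local4
SAMPLE = [
    "<165>%ASA-5-111008: User 'admin' executed the 'logging enable' command.",
    "<166>%ASA-6-722022: Group <RA> User <alice> IP <203.0.113.10> TCP SVC connection established",
    "<167>%ASA-7-609001: Built local-host inside:10.1.1.20",
]
```

Running process(SAMPLE) forwards the level 5 and 6 messages and drops the level 7 one, while a deliberately small buffer_size shows the oldest entry being overwritten.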
Configuring NetFlow Export
NetFlow is configured by specifying a collector server on the network that will receive the exported flow data. The device sends its flow information to the collector using a destination IP address and UDP port.
flow-export destination inside 192.168.1.50 2055
- inside refers to the interface through which the collector is reachable
- 192.168.1.50 is the IP address of the server running the NetFlow collection software
- 2055 is the UDP port on which the collector is listening
The collector server then formats this data and presents it through a web-enabled control panel or dedicated application, giving administrators visibility into traffic patterns across the network.
Verifying NetFlow and Syslog
To confirm that NetFlow is exporting data and syslog is functioning:
show logging
show flow-export counters
Best Practice: Always configure both a local logging buffer and a remote syslog server. The local buffer provides immediate access to recent events during troubleshooting, while the remote server ensures long-term retention and centralized analysis across multiple devices.
Real-World Application
Centralized Monitoring in Enterprise Networks
In production enterprise networks, Syslog, NetFlow, and SNMP are rarely deployed in isolation. A mature monitoring architecture combines all three to provide complete visibility:
- Syslog captures discrete events such as user logins, configuration changes, interface state transitions, and security alerts. These are forwarded to a centralized syslog server where they can be searched, filtered, and correlated.
- NetFlow provides traffic flow analysis that syslog cannot. It answers questions like "Which application is consuming the most bandwidth?" and "Are there unusual traffic patterns that could indicate a security breach?" Flow data is exported to a collector that aggregates and visualizes traffic trends.
- SNMP fills in the remaining gaps by providing real-time and historical metrics on device health, interface utilization, error rates, and resource consumption.
Common Deployment Scenarios
VPN Monitoring: When managing remote access VPN connections, syslog reveals whether users have successfully authenticated, which group policies have been applied, and what IP addresses have been assigned. NetFlow shows the volume and type of traffic each VPN user is generating. Together, they provide full accountability for SSL VPN environments.
RADIUS Accounting Integration: For environments using RADIUS for authentication, RADIUS accounting can be enabled alongside syslog and NetFlow. This allows administrators to see whether a connection has succeeded or failed, and if it failed, the specific reason. Only RADIUS or TACACS+ can be used for VPN accounting purposes.
Capacity Planning: NetFlow data collected over weeks or months reveals traffic trends that inform capacity planning decisions. Administrators can identify peak usage periods, forecast bandwidth requirements, and justify infrastructure upgrades with concrete data.
Design Considerations
Important: When configuring the logging buffer size, balance between having enough history for troubleshooting and not consuming excessive device memory. A buffer that is too small will roll over quickly and lose valuable data; a buffer that is too large can impact device performance.
- Deploy a dedicated syslog server and NetFlow collector on a management network segment to keep monitoring traffic separate from production data
- Use consistent severity levels across all devices so that alerts from the centralized server are meaningful and actionable
- Ensure the NetFlow collector has sufficient storage and processing capacity to handle flow exports from all monitored devices simultaneously
Summary
- Syslog provides event-based logging that captures device health, user session activity, and protocol status; it can be stored locally in a buffer or on flash, and forwarded to a remote server for centralized analysis
- NetFlow summarizes traffic into flows based on Layer 3 and Layer 4 information and exports that data to a collector server, enabling traffic analysis and anomaly detection on a flow-by-flow basis
- SNMP complements Syslog and NetFlow by providing a polling-based mechanism to retrieve device metrics and performance data
- The ENCOR v1.1 blueprint specifically includes traditional NetFlow configuration alongside Flexible NetFlow as required knowledge
- In production networks, combining Syslog, NetFlow, and SNMP together with RADIUS accounting delivers full visibility and accountability across the enterprise
For your next step, practice configuring Syslog remote logging and NetFlow export on lab devices, and explore how Flexible NetFlow allows you to customize flow records for specific monitoring requirements.