3 Replies Latest reply on Sep 9, 2014 11:42 AM by nicole pauls

    Network Events Widget - What is it looking for?

    yeah yeah

      Can someone tell me what the Network Events Widget is supposed to be looking for? What activity kicks it off? I would love for LEM to sniff traffic or even show any network activity that takes place from server to server or application to application. This would be good to see what ports are being used. Can LEM do this? I'm still in EVAL mode, and since I've had LEM, this widget has displayed 0 information.

        • Re: Network Events Widget - What is it looking for?
          nicole pauls

          Most of those widgets are driven from filters, which are driven from real-time event data - i.e. stuff coming from logs. Usually network events come from firewalls, routers, switches, IPS/IDS, proxy servers, that sort of thing, so if you're sending log data from those, you'll likely see stuff in the network events widgets/filters.

          We're not sniffing traffic, though NetFlow would be another way to accomplish that (or maybe Deep Packet Inspection) - in either case you'd be better suited checking to see if NetFlow Traffic Analyzer or Network Performance Monitor can fill that gap.

          For ports being used, you could also use Firewall Security Manager to take a look at your firewall rules. LEM could show you based on log data, if you're logging from your firewall and that's where you're interested in seeing data.


          Anyway, guessing you're not seeing events since you're not logging from a firewall/router that's showing network traffic events?

            • Re: Network Events Widget - What is it looking for?
              yeah yeah

              I have a couple of switches pointing to it, but nothing yet. The agents installed on some Windows 2008r2/2012 servers won't pull in anything regarding ports/protocols/services being used by the server or applications? I have some Windows servers with IIS, and I would love to see when/who/what is hitting the server from a server side. Can that be obtained?

                • Re: Network Events Widget - What is it looking for?
                  nicole pauls

                  Ah, usually with switches we just see infrequent error messages and config changes, not a ton of exciting stuff.

                  For Windows servers, the Windows Filtering Platform data (from the Windows Firewall) might include that, but it also includes a ton of noise about regular activity so it might be tough to suss out (or might be off/not logging).

                  With IIS, you will be able to see all the pages being accessed, and if users are logged in when accessing the site, it will include their username. Otherwise the IP addresses, which page, error codes, that sort of thing. They will come through as WebTrafficAudit events.
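
An added example, not part of the original thread and not LEM's own connector code: a small parser for IIS W3C extended logs that pulls out the when/who/what fields discussed in the last reply (username if authenticated, otherwise only the client IP, plus page and status code). The sample log is constructed, and the output dictionary keys are illustrative names, not LEM's WebTrafficAudit schema; it assumes the default IIS W3C behaviour of logging timestamps in UTC and that `date`, `time` and `sc-status` are among the logged fields.

```python
from datetime import datetime, timezone

# Constructed sample in IIS W3C extended format (documentation IPs, made-up user).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.0
#Version: 1.0
#Date: 2014-09-09 15:40:02
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-09-09 15:40:02 192.0.2.10 GET /default.aspx - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 31
2014-09-09 15:40:09 192.0.2.10 GET /admin/users.aspx - 80 - 198.51.100.7 Mozilla/5.0 401 2 5 15
2014-09-09 15:41:30 192.0.2.10 POST /admin/users.aspx id=4 80 CORP\\jdoe 203.0.113.25 Mozilla/5.0 200 0 0 88
2014-09-09 15:42:11 192.0.2.10 GET /missing.html - 80 - 198.51.100.7 Mozilla/5.0 404 0 2 4
"""

def parse_iis_w3c(text):
    """Yield one dict per request: when, who, src_ip, method, page, status."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the column list can change mid-file
            continue
        if not line or line.startswith("#"):
            continue                    # other directives and blank lines
        values = line.split(" ")
        if len(values) != len(fields):
            continue                    # truncated or malformed row
        row = dict(zip(fields, values))
        user = row.get("cs-username", "-")
        stamp = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        yield {
            "when": stamp.replace(tzinfo=timezone.utc),
            "who": None if user == "-" else user,   # "-" means anonymous request
            "src_ip": row.get("c-ip"),
            "method": row.get("cs-method"),
            "page": row.get("cs-uri-stem"),
            "status": int(row["sc-status"]),
        }

def failed_requests(events):
    """Requests that ended in a 4xx/5xx status: the error codes worth reviewing."""
    return [e for e in events if e["status"] >= 400]

if __name__ == "__main__":
    for e in parse_iis_w3c(SAMPLE_LOG):
        print(e["when"].isoformat(), e["who"] or e["src_ip"], e["method"], e["page"], e["status"])
```

If `cs-username` or `c-ip` is not selected in the site's W3C logging fields, the corresponding value comes back as `None`, which is a quick way to spot a server whose logs cannot answer the "who" question.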