You cannot defend what you cannot see. While firewalls log allowed/blocked sessions, they miss the broader context of network behavior. Syslog, NetFlow, and sFlow provide the deep telemetry required for threat hunting and performance baselining.
Syslog aggregates discrete events (login failures, interface flaps, ACL hits). It is essential for compliance and reactive forensics, but a stream of individual event messages carries no byte counts or per-connection context, so on its own it cannot reveal slow data exfiltration or a volumetric DDoS.
💡 Pro-tip: Centralize all Syslog to a SIEM over TLS. Attackers routinely truncate or edit local log files to cover their tracks; a remote, append-only copy that leaves the host as events occur survives that cleanup. It does not protect events an attacker with root suppresses before they are forwarded, so also alert when a host that normally logs goes quiet.
In rsyslog's legacy forwarding syntax a single @ sends over UDP and @@ sends over TCP, so critical security events are far less likely to be lost to congestion than with fire-and-forget UDP. @@ on its own is still plaintext: TLS requires the gtls (or ossl) network stream driver and a CA certificate to validate the collector, and a disk-assisted queue is what keeps events from being dropped when the collector is unreachable.
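A forwarding configuration that matches the pro-tip above, written here as an added example rather than taken from the page: the legacy @/@@ forms are shown for comparison, and the RainerScript action forwards over TLS with a disk-assisted queue. The collector name, port, file paths and queue name are assumptions.

```conf
# /etc/rsyslog.d/50-siem.conf  (added example; hostnames and paths are assumptions)

# Legacy syntax, for comparison only:
#   *.* @siem.example.com:514      # single @  = UDP, best effort, unencrypted
#   *.* @@siem.example.com:514     # double @@ = plain TCP, reliable but unencrypted

# TLS via the gtls netstream driver; the CA file is used to validate the collector.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/siem-ca.pem"
)

# StreamDriverMode 1 = TLS only; x509/name pins the collector's certificate name.
# The LinkedList queue with a filename is disk-assisted, so events buffer locally
# during a SIEM outage instead of being dropped, and are kept across restarts.
action(
  type="omfwd"
  target="siem.example.com"
  port="6514"
  protocol="tcp"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="siem.example.com"
  queue.type="LinkedList"
  queue.filename="fwd_siem"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
)
```

If the collector also requires client certificates, add DefaultNetstreamDriverCertFile and DefaultNetstreamDriverKeyFile to the global() block; check the result with `rsyslogd -N1` before restarting the daemon.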
NetFlow (and its IETF standardization, IPFIX) exports one record per flow (source and destination IP, ports, protocol, byte and packet counts, start and end times) built from the router's flow cache. sFlow instead samples packet headers (1 in N) at line rate in the switch ASIC and exports them together with interface counters. Both show who is talking to whom, which is enough to spot C2 beaconing (regular, low-volume connections to one external host) and lateral movement (a workstation suddenly reaching many internal hosts on 445 or 3389) without capturing payloads. The caveat: sampled data can miss a low-rate beacon entirely, so hunt in unsampled NetFlow/IPFIX and use sFlow where the question is volume.
⚠️ NetFlow exports can generate massive amounts of data. Ensure your flow collector is provisioned with high IOPS storage and adequate network bandwidth to handle the telemetry stream from core switches; if the full stream cannot be retained, enable sampling on the exporters or filter at the collector rather than silently losing records.
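The two hunts the flow paragraph above describes (C2 beaconing and slow exfiltration), as an added example that is not part of the original page. It assumes flow records have already been exported and parsed into dicts (for instance from a collector's CSV output); the addresses, timings and byte counts are constructed, and the thresholds are assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict


def flow(start, src, dst, dport, nbytes, proto="tcp"):
    """One unidirectional flow record (the subset of NetFlow v5 / IPFIX fields used here)."""
    return {"start": start, "src": src, "dst": dst, "dport": dport, "proto": proto, "bytes": nbytes}


T0 = 1_700_000_000  # constructed epoch base for the sample
FLOWS = [
    # Beacon: 10.0.0.5 reaches one external host every ~60 s with tiny payloads.
    flow(T0 + 0,   "10.0.0.5", "203.0.113.40", 443, 612),
    flow(T0 + 61,  "10.0.0.5", "203.0.113.40", 443, 598),
    flow(T0 + 119, "10.0.0.5", "203.0.113.40", 443, 605),
    flow(T0 + 181, "10.0.0.5", "203.0.113.40", 443, 611),
    flow(T0 + 240, "10.0.0.5", "203.0.113.40", 443, 599),
    flow(T0 + 299, "10.0.0.5", "203.0.113.40", 443, 603),
    flow(T0 + 362, "10.0.0.5", "203.0.113.40", 443, 608),
    flow(T0 + 419, "10.0.0.5", "203.0.113.40", 443, 600),
    # Ordinary browsing: bursty, irregular intervals, varied sizes.
    flow(T0 + 0,    "10.0.0.7", "198.51.100.20", 443, 48_213),
    flow(T0 + 5,    "10.0.0.7", "198.51.100.20", 443, 12_990),
    flow(T0 + 300,  "10.0.0.7", "198.51.100.20", 443, 73_402),
    flow(T0 + 312,  "10.0.0.7", "198.51.100.20", 443, 5_118),
    flow(T0 + 900,  "10.0.0.7", "198.51.100.20", 443, 91_778),
    flow(T0 + 905,  "10.0.0.7", "198.51.100.20", 443, 3_004),
    flow(T0 + 2400, "10.0.0.7", "198.51.100.20", 443, 66_010),
    # Slow exfiltration: six irregular 9 MB uploads spread over ~3 hours.
    flow(T0 + 100,   "10.0.0.9", "203.0.113.77", 443, 9_000_000),
    flow(T0 + 500,   "10.0.0.9", "203.0.113.77", 443, 9_000_000),
    flow(T0 + 3500,  "10.0.0.9", "203.0.113.77", 443, 9_000_000),
    flow(T0 + 3620,  "10.0.0.9", "203.0.113.77", 443, 9_000_000),
    flow(T0 + 10620, "10.0.0.9", "203.0.113.77", 443, 9_000_000),
    flow(T0 + 10670, "10.0.0.9", "203.0.113.77", 443, 9_000_000),
]


def beacon_candidates(flows, min_flows=6, max_cv=0.15):
    """Flag (src, dst, dport) tuples whose inter-flow gaps are unusually regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between consecutive flow start times; human traffic is bursty (high CV),
    a timer-driven implant is not.
    """
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f)
    found = []
    for (src, dst, dport), fl in by_tuple.items():
        if len(fl) < min_flows:
            continue
        starts = sorted(f["start"] for f in fl)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "dport": dport, "flows": len(fl),
                          "period_s": round(mean, 1), "cv": round(cv, 3),
                          "bytes": sum(f["bytes"] for f in fl)})
    return found


def heavy_talkers(flows, min_bytes):
    """Sum bytes per (src, dst) pair so many small transfers add up to one visible total."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"])] += f["bytes"]
    return {pair: b for pair, b in totals.items() if b >= min_bytes}


if __name__ == "__main__":
    for c in beacon_candidates(FLOWS):
        print(f"beacon? {c['src']} -> {c['dst']}:{c['dport']} every {c['period_s']}s (cv={c['cv']})")
    for (src, dst), b in heavy_talkers(FLOWS, 50_000_000).items():
        print(f"volume: {src} -> {dst} sent {b / 1e6:.0f} MB")
```

Neither check needs a byte of payload, and neither is expressible over syslog alone. In practice, filter out known-good destinations (update servers, SaaS endpoints) before applying the beacon test, and compute the baseline for heavy_talkers per subnet rather than with one global threshold.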
| Protocol | Data Type | Use Case |
|---|---|---|
| Syslog | Discrete events | Auth failures / Config changes |
| NetFlow / IPFIX | Flow metadata (5-tuple, bytes, packets, timing) | Traffic volume / C2 hunting / Exfil totals |
| sFlow | Sampled packet headers + interface counters | High-speed DDoS analysis |