Router log monitoring and auditing with EventLog Analyzer

Routers are critical components of network infrastructure, responsible for directing traffic between networks to ensure smooth communication and connectivity. Monitoring the performance, security, and health of routers is essential for maintaining network reliability, optimizing traffic flow, and identifying potential security threats. ManageEngine EventLog Analyzer provides advanced router log monitoring and analysis, offering insights into network activities, security events, and performance metrics.

EventLog Analyzer supports a wide range of routers, including Cisco Routers, HP Routers, Arista Routers, Dell Routers, and Huawei Routers.

This tutorial outlines key use cases for monitoring and securing these routers using EventLog Analyzer. To start monitoring router logs effectively, ensure that logs are configured to be forwarded to the EventLog Analyzer server for centralized analysis, reporting, and alerts.

Monitoring routers using EventLog Analyzer: Use cases

EventLog Analyzer provides comprehensive coverage of router monitoring use cases through its predefined security monitoring reports. These reports can be scheduled for generation at specific intervals and distributed via email for streamlined analysis and proactive network management.

Use case: Detect patterns of failed logons or repeated SSH and VPN authorization errors.
Description: Identify patterns of failed logons and repeated SSH or VPN authorization errors to detect potential brute force attacks, credential misuse, or misconfigurations.
Why implement it: Monitoring these patterns helps mitigate security risks by identifying unauthorized access attempts or configuration issues, ensuring network integrity and compliance with security policies.
Available reports:
  • Failed Logons
  • Bad Authentication
  • SSH Logons
  • Failed SSH Logons
  • Closed SSH Sessions
  • Failed VPN Logons
  • VPN Authorization Errors

Use case: Detect critical link state changes, configuration updates, and recurring network errors.
Description: Get insights into events like link up/down, state changes, configuration updates, and link errors. Tracks the top users or devices making configuration changes and identifies frequent error sources.
Why implement it: Enables proactive network management by detecting anomalies, minimizing downtime, and ensuring adherence to configuration policies. Supports troubleshooting and compliance efforts by logging and analyzing device-level events.
Available reports:
  • Link Up
  • Link Down
  • Link Up and Link Down
  • Link State Changes

Use case: Monitor and analyze patterns of allowed network traffic to identify potential anomalies.
Description: Analyze allowed network traffic to pinpoint high-traffic sources, destinations, and protocols. Track trends to detect anomalies that could indicate security vulnerabilities or misconfigured policies.
Why implement it: Helps optimize network performance, ensure compliance with security policies, and proactively identify unusual traffic patterns that may signal unauthorized access or potential breaches.
Available reports:
  • Top Traffic based on Source
  • Top Traffic based on Destination
  • Top Traffic based on Protocol
  • Allowed Traffic Trend

Use case: Detect and analyze denied network connections to identify unauthorized access attempts and optimize security policies.
Description: These reports monitor patterns of denied connections, providing insights into blocked traffic by source, destination, and protocol, as well as overall trends.
Why implement it: Enhances security by identifying suspicious or unauthorized activities, fine-tuning access controls, and preventing potential breaches.
Available reports:
  • Denied Connections
  • Top Denied Connections based on Source
  • Top Denied Connections based on Destination
  • Top Denied Connections based on Protocol
  • Denied Connections Trend

Use case: Monitor network traffic by protocol to identify unusual patterns or potential misuse in TCP, UDP, and ICMP communications.
Description: These reports provide a detailed audit of network traffic segmented by protocol type, highlighting the top sources of TCP, UDP, and ICMP traffic and offering an overview of protocol usage trends.
Why implement it: Enables network administrators to detect anomalies, optimize bandwidth usage, and ensure compliance with organizational traffic policies.
Available reports:
  • TCP Traffic Audit
  • UDP Traffic Audit
  • ICMP Traffic Audit
  • Traffic Audit Overview
  • Top TCP Traffic Audit based on Source
  • Top UDP Traffic Audit based on Source
  • Top ICMP Traffic Audit based on Source
  • Top Traffic Audit based on Source
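The first use case above, detecting a pattern of failed logons rather than a single failure, is the kind of logic a "Failed SSH Logons" report or a correlation rule implements. The following Python is an added example written for this page, not EventLog Analyzer's own code: it parses router syslog lines modelled on the %SEC_LOGIN messages Cisco IOS routers emit, counts LOGIN_FAILED events per source address inside a sliding time window, and notes whether a LOGIN_SUCCESS from the same source follows the burst (a failed-then-succeeded sequence is worth triaging ahead of plain noise). The hostnames, usernames, addresses, the assumed year, and the threshold of 4 failures in 60 seconds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the %SEC_LOGIN messages Cisco IOS
# routers log for SSH/console logons; hostname, users and addresses are
# invented for this example. The last line is an unrelated link event that
# the parser must skip. The syslog header carries no year, so one is assumed.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 rtr-edge-1 101: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:00:01 UTC Wed Jan 10 2024",
    "Jan 10 12:00:09 rtr-edge-1 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:00:09 UTC Wed Jan 10 2024",
    "Jan 10 12:00:18 rtr-edge-1 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:00:18 UTC Wed Jan 10 2024",
    "Jan 10 12:00:27 rtr-edge-1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:00:27 UTC Wed Jan 10 2024",
    "Jan 10 12:00:40 rtr-edge-1 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:00:40 UTC Wed Jan 10 2024",
    "Jan 10 12:00:50 rtr-edge-1 106: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 203.0.113.9] [localport: 22] at 12:00:50 UTC Wed Jan 10 2024",
    "Jan 10 12:05:12 rtr-edge-1 107: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: jdoe] [Source: 198.51.100.4] [localport: 22] [Reason: Login Authentication Failed] at 12:05:12 UTC Wed Jan 10 2024",
    "Jan 10 12:05:20 rtr-edge-1 108: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 198.51.100.4] [localport: 22] at 12:05:20 UTC Wed Jan 10 2024",
    "Jan 10 12:30:00 rtr-edge-1 109: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.8] [localport: 22] [Reason: Login Authentication Failed] at 12:30:00 UTC Wed Jan 10 2024",
    "Jan 10 13:30:00 rtr-edge-1 110: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.8] [localport: 22] [Reason: Login Authentication Failed] at 13:30:00 UTC Wed Jan 10 2024",
    "Jan 10 13:31:00 rtr-edge-1 111: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
]

# Syslog header (timestamp, host), then the %SEC_LOGIN mnemonic and the
# bracketed user/source/port fields that both FAILED and SUCCESS variants share.
LOGIN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r".*?%SEC_LOGIN-\d-(?P<event>LOGIN_FAILED|LOGIN_SUCCESS): "
    r".*?\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\]"
)


def parse_login_event(line, year=2024):
    """Return a dict for a %SEC_LOGIN line, or None for any other message."""
    m = LOGIN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "event": m["event"],
            "user": m["user"], "src": m["src"], "port": int(m["port"])}


def detect_failed_logon_bursts(lines, threshold=4, window_seconds=60, year=2024):
    """Flag every source with at least `threshold` LOGIN_FAILED events inside
    any `window_seconds` span, and record whether a LOGIN_SUCCESS from that
    source arrives after the burst."""
    events = [e for e in (parse_login_event(l, year) for l in lines) if e]
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (failures if e["event"] == "LOGIN_FAILED" else successes)[e["src"]].append(e)

    flagged = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        times = [e["time"] for e in fails]
        best, best_end, j = 0, None, 0
        for i in range(len(times)):
            # Two-pointer sliding window: extend j while times[j] is still
            # within the window that starts at times[i].
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i > best:
                best, best_end = j - i, times[j - 1]
        if best >= threshold:
            flagged[src] = {
                "failures_in_window": best,
                "usernames_tried": sorted({e["user"] for e in fails}),
                "followed_by_success": any(s["time"] >= best_end for s in successes.get(src, [])),
            }
    return flagged


if __name__ == "__main__":
    for src, info in detect_failed_logon_bursts(SAMPLE_LOGS).items():
        print(f"{src}: {info}")
```

Only 203.0.113.9 is flagged: five failures across four usernames in 39 seconds, followed by a success. The single failure from 198.51.100.4 and the two failures an hour apart from 192.0.2.8 stay below the threshold, which is the distinction between a pattern and a mistyped password that the report is meant to draw.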

Threat detection use cases

The table below outlines the preconfigured threat detection scenarios supported for the router through EventLog Analyzer. Additionally, our solution provides a customizable correlation rule builder, empowering users to craft their own detection rules.

Use case: Routing table attack detection
Relevant MITRE ATT&CK TTPs:
  • ID: T1016
  • Sub-techniques: T1016.001, T1016.002
  • Tactic: Discovery
Detection rules:
  • Too Many Fragments
  • Invalid Fragment Length
  • Overlap Fragments
  • Permitted ARP
  • Denied ARPs

Use case: SYN Flood attack detection
Relevant MITRE ATT&CK TTPs:
  • ID: T1499.001
  • Sub-technique of: T1499
  • Tactic: Impact
Detection rules:
  • Cisco Device Threats

Use case: Device Severity Reports
Relevant MITRE ATT&CK TTPs:
  • ID: T1071.001
  • Tactic: Defense Evasion
Detection rules:
  • Allowed Traffic
  • Denied connections

Ensure regulatory compliance for router monitoring with EventLog Analyzer

Many regulatory standards require organizations to implement monitoring solutions for their network infrastructure, including routers, to track access and modifications and ensure data security. The table below illustrates how EventLog Analyzer can assist in meeting compliance requirements for router monitoring. For a detailed solution mapping, refer to this space.

Compliance requirements: Solution mapping

Reports and alerts: Logon Reports
  • Logons
  • Logoff
  • Top Successful Logons from Source
  • Top logons based on Users
  • Logons Trend
Detection rules:
  • Logons
Regulations and requirements:
  FISMA
    • Access Control (AC)
    • Configuration Management (CM)
    • Information System Monitoring (SI-4)
  PCI DSS
    • PCI DSS requirements 10.1
    • PCI DSS requirements 10.2.1
    • PCI DSS requirements 10.2.2
    • PCI DSS requirements 10.2.3
  SOX
    • SEC 302 (a) (4) (C)
    • SEC 302.2
    • SEC 404.B
  HIPAA
    • 164.306 (a) (1)
    • 164.306 (a) (1) (i)
    • 164.308 (a) (6) (ii)
  GLBA
    • Section 314.4(b)(1)
    • Section 314.4(c)
    • Section 501B (2) & (3)
  CMMC
    • C003 - AC.2.013
    • C013 - CM.2.061
  POPIA
    • Chapter 3 - Section 19 (2) (a)
  ISLP
    • ARTICLE 12
    • ARTICLE 13
    • ARTICLE 19.3
    • ARTICLE 20.5
    • ARTICLE 30.4
    • ARTICLE 30.6
  NRC
    • ACT B.1.6
    • ACT B.1.22
    • ACT B.2.6
    • ACT C.3.4
    • ACT C.3.7
    • ACT C.4.3
  FERPA
    • Section 99.31 (a)(1)(ii)
  PDPA
    • RULE VI Section 25
    • RULE VII Section 30
  SAMA
    • 3.2.1.1 Cyber Security Risk Identification
    • 3.2.1.3 Cyber Security Risk Response
    • 3.2.5 Cyber Security Audits
    • 3.3.5 Identity and Access Management
    • 3.3.6 Application Security
    • 3.3.7 Change Management
  CJDN
    • Application Development, Logging
  QCF
    • 4.2 Application Security Service
    • 4.6.2 Threat Modelling
    • 6.2 Data Protection Service
    • 6.8.3 Data at rest
    • 7.2 Change and Patch Management Service
    • 8.11 Security monitoring and operations strategy
    • 13.2 Identity and Access Management Service
  TISAX
    • 4.1.2
    • 5.2.4
  ECC
    • 2-2 Identity and Access Management
  PDPL
    • Article 19 - Information Security
    • Article 21 - Controls and Procedures for Dealing with Credit Data
  UAE-NASA
    • T3.2.3
    • T5.2.2
  LGPD
    • Art 14

Reports and alerts: Failed Logon Reports
  • Failed Logons
  • Top Failed Logons from Source
  • Top Failure Logons based on Users
  • Failed Logons Trend
Detection rules:
  • Logoff
Regulations and requirements:
  FISMA
    • Access Control (AC)
    • Configuration Management (CM)
    • Information System Monitoring (SI-4)
  PCI DSS
    • PCI DSS requirements 10.2.2
    • PCI DSS requirements 10.2.3
  SOX
    • SEC 302 (a) (4) (C)
    • SEC 302.2
    • SEC 404.B
  HIPAA
    • 164.306 (a) (1)
    • 164.306 (a) (1) (i)
    • 164.308 (a) (6) (ii)
  GLBA
    • Section 314.4(b)(1)
    • Section 314.4(c)
    • Section 501B (2) & (3)
  CMMC
    • C003 - AC.2.013
    • C013 - CM.2.061
  POPIA
    • Chapter 3 - Section 19 (2) (a)
  ISLP
    • ARTICLE 12
    • ARTICLE 13
    • ARTICLE 19.3
    • ARTICLE 20.5
    • ARTICLE 30.4
    • ARTICLE 30.6
  NRC
    • ACT B.1.6
    • ACT B.1.22
    • ACT B.2.6
    • ACT C.3.4
    • ACT C.3.7
    • ACT C.4.3
  FERPA
    • Section 99.31 (a)(1)(ii)
  PDPA
    • RULE VI Section 25
    • RULE VII Section 30
  SAMA
    • 3.2.1.1 Cyber Security Risk Identification
    • 3.2.1.3 Cyber Security Risk Response
    • 3.2.5 Cyber Security Audits
    • 3.3.5 Identity and Access Management
    • 3.3.6 Application Security
    • 3.3.7 Change Management
  CJDN
    • Application Development, Logging
  QCF
    • 4.2 Application Security Service
    • 4.6.2 Threat Modelling
    • 6.2 Data Protection Service
    • 6.8.3 Data at rest
    • 7.2 Change and Patch Management Service
    • 8.11 Security monitoring and operations strategy
    • 13.2 Identity and Access Management Service
  TISAX
    • 4.1.2
    • 5.2.4
  ECC
    • 2-2 Identity and Access Management
  PDPL
    • Article 19 - Information Security
    • Article 21 - Controls and Procedures for Dealing with Credit Data
  UAE-NASA
    • T3.2.3
    • T5.2.2
  LGPD
    • Art 14

What's next?

Explore EventLog Analyzer, a comprehensive log management solution, with a 30-day free trial.

Need assistance configuring routers or other log sources for effective auditing and security?