Network Logging and Monitoring Flashcards
Only routers can stop broadcast traffic. TRUE of FALSE?
False. Switches can too but not by default
What’s the name of Microsoft’s graphical utility used to capture network traffic called? In order to use it what capability does your NIC need to have?
Network Monitor
NIC needs to operate in promiscuous mode
What OSI layer does SNMP work at?
Layer 7
SNMP agents send what kind of messages about them to the what?
SNMP Trap messages to the Network Management Station (NMS)
The NMS solicits for what on an SNMP agent using what type of message?
Solicits for an Object ID (OID) using SNMP GET
In SNMP, what are SET messages used for?
configuring agents
What SNMP message gathers many types of info at once to cut down on multiple GET messages?
GET BULK
Which version of SNMP uses plain-text authentication with MD5/SHA, no encryption and uses UDP by default?
SNMPv2c
what utility allows you to log events based on 8 (0-7) severity levels?
syslog
By default, what two places do all system messages and debug output generated by the IOS go out of?
Console Port and RAM buffer
List the top 4 (by urgency) severity states by number and description
0 - Emergency (lowest level)
1 - Alert
2 - Critical
3 - Error
List the lower 4 severity states by number and description
4 - Warning
5 - Notification
6 - Information
7 - Debugging
If you configure severity level 03, what levels of severity will you be notified on?
0 through 3
SIEM provides what?
real-time analysis of security alerts generated by network hardware applications
Regarding security event management:
What term is used to describe the long-term storage, analysis and reporting on log data?
What term is used to describe the management of real-time monitoring and correlation of events?
Security Information Management (SIM)
Security Event Management
(SIM, SEM and SIEM are often used interchangeably)
What software monitoring products are used exclusively by security network admins?
SIEM (security information and event management) software products
When I a SIEM alert is triggered and notification generated, who typically addresses the problem?
The Security Operations Centre
List the 3 types of system event logs?
1) Application
2) Security
3) System
Windows Server 2008 offered what optional monitoring and optimization tool?
System Centre Operations Manager 2010
Utilization cover what 3 things?
1) Wired/Wireless Bandwidth utilisation
2) Server/Host activity utilisation
3) wireless channel utilisation
what standard, originally developed for the sendmail project and used by Unix facilitates the transmission of log entries generated by a device across an IP network to a message collector?
Syslog
Which Microsoft tool checks the baseline configuration for it’s operating systems?
MS Baseline Security Analyzer (MBSA). But now replaced by Microsoft Security Compliance Toolkit (SCT)
Which Microsoft application is used for all kinds of Microsoft OS and product updates and which is used for application patches?
WSUS (Windows Server Update Services) for OS updates
SCCM (Systems Centre Configuration Manager)
log entry, sending an email, or sending a text message in response to an alert are forms of what?
Notifications
What is being described below?
the database of the Object IDs published by the vendor of a network device that SNMP uses to collect data about the device.
Management Information Base of SNMP
When capturing error rate measurements, what is actually measured?
How many frames are received where the CRC check fails
What can bad connections on the receive pair or dirty optical connection cause?
High Error rate/CRC failures
It’s common to see error rates on the transport layer when what mechanism is being used?
TCP offload. (e.g. used by iSCSI)
Packet drops is a measurement at what layers?
Transport or Network!
At Network layer Collected as a percentage of total ICMP packets sent/lost
Transport layer uses an incremental counter.
High packet loss is a sign of network congestion or connectivity issue at sending host.
Erroneous frames SENT can’t be measured because hosts don’t report it, what can be used as a proxy metric for it?
Error Rate
