Network Infrastructure Correlation

Network Infrastructure Event Correlation

Network infrastructure correlation detects patterns in network device behavior, from simple interface flapping to complex BGP adjacency issues. LogZilla's pre-processing capabilities enable highly efficient SEC rules by extracting network-specific fields before correlation.

Prerequisites: Ensure Event Correlation is enabled and forwarder reloading is available as shown in the Event Correlation Overview.

BGP Adjacency Correlation

Business Value

Monitor BGP neighbor relationships to detect network connectivity issues, calculate outage duration, and identify chronic instability patterns.

LogZilla Forwarder Configuration

```yaml
# /etc/logzilla/forwarder.d/bgp-correlation.yaml
type: sec
sec_name: bgp-monitoring
rules:
  - match:
      - field: cisco_mnemonic
        op: "eq"
        value: BGP-5-ADJCHANGE
    rewrite:
      message: "BGP_EVENT host=$HOST neighbor=$USER_TAGS_SRCIP"
```

SEC Rule: BGP Neighbor Down/Up Correlation

```text
# Track BGP neighbor outages with duration calculation.
# type=Pair runs action on the Down event and action2 on the matching Up;
# window caps how long the operation waits for the Up (14400 s = 4 hours).
# (PairWithWindow would run action only when the window expires without an
# Up, so it could not record the outage start on the Down event.)
# readfile() is not a Perl builtin, so action2 reads the saved lookup result
# with open()/join(); delete is an SEC context action, so the temporary file
# is removed with rm -f instead.
# %neighbor_ip is taken from the log line: dns-lookup.sh must validate it
# before using it as a shell argument or file name.
# SEC does not allow trailing comments on key=value lines, so the notes for
# window= live up here.
type=Pair
ptype=SubStr
pattern=BGP_EVENT
context=($ENV{EVENT_CISCO_MNEMONIC} eq "BGP-5-ADJCHANGE") && \
        ($ENV{EVENT_MESSAGE} =~ /neighbor.*Down/)
desc=BGP neighbor outage detected on $ENV{EVENT_HOST}
action=eval %neighbor_ip ($ENV{EVENT_USER_TAGS_SRCIP}); \
       eval %router_host ($ENV{EVENT_HOST}); \
       eval %outage_start (time()); \
       shellcmd (/usr/local/bin/dns-lookup.sh %neighbor_ip > /tmp/bgp-neighbor-%neighbor_ip)
ptype2=SubStr
pattern2=BGP_EVENT
context2=($ENV{EVENT_CISCO_MNEMONIC} eq "BGP-5-ADJCHANGE") && \
         ($ENV{EVENT_MESSAGE} =~ /neighbor.*Up/) && \
         ($ENV{EVENT_USER_TAGS_SRCIP} eq "%neighbor_ip") && \
         ($ENV{EVENT_HOST} eq "%router_host")
desc2=BGP neighbor %neighbor_ip restored on %router_host
action2=eval %outage_duration (time() - %outage_start); \
        eval %store_info (open(my $fh, "<", "/tmp/bgp-neighbor-%neighbor_ip") ? join(" ", map { s/\s+\z//r } <$fh>) : ""); \
        shellcmd (echo "BGP_OUTAGE host=%router_host neighbor=%neighbor_ip duration=%outage_duration store=%store_info" | \
        logger -t SEC-BGP); \
        shellcmd (rm -f /tmp/bgp-neighbor-%neighbor_ip)
window=14400
```
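
The Down/Up pair correlation above, replayed in Python over constructed BGP_EVENT lines. This is an added example, not LogZilla or SEC code: a Down opens a pending outage keyed by (host, neighbor), the matching Up on the same router closes it and yields the duration, and a pending outage older than the window is dropped unpaired, which is what SEC does when a pair operation's window expires. The sample events, router names and neighbor addresses are constructed.

```python
# Added example (not LogZilla or SEC code): model of the BGP Down/Up pair
# correlation over constructed BGP_EVENT lines.
import re
from typing import Dict, List, Tuple

WINDOW = 14400  # same as window=14400 in the rule (4 hours)

# Constructed sample input: (epoch seconds, rewritten message, original message)
SAMPLE_EVENTS = [
    (1000, "BGP_EVENT host=rtr1 neighbor=10.0.0.2",
     "%BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down BGP Notification sent"),
    (1300, "BGP_EVENT host=rtr1 neighbor=10.0.0.3",
     "%BGP-5-ADJCHANGE: neighbor 10.0.0.3 Down Interface flap"),
    (1600, "BGP_EVENT host=rtr1 neighbor=10.0.0.2",
     "%BGP-5-ADJCHANGE: neighbor 10.0.0.2 Up"),
    # Same neighbor address on a different router: must not close rtr1's outage
    (2000, "BGP_EVENT host=rtr2 neighbor=10.0.0.3",
     "%BGP-5-ADJCHANGE: neighbor 10.0.0.3 Up"),
    # Arrives after the 4-hour window: the rtr1/10.0.0.3 outage has already expired
    (20000, "BGP_EVENT host=rtr1 neighbor=10.0.0.3",
     "%BGP-5-ADJCHANGE: neighbor 10.0.0.3 Up"),
]

KV_RE = re.compile(r"(\w+)=(\S+)")
DOWN_RE = re.compile(r"neighbor.*Down")  # same test as context=
UP_RE = re.compile(r"neighbor.*Up")      # same test as context2=


def parse_fields(rewritten: str) -> Dict[str, str]:
    """Split 'BGP_EVENT host=... neighbor=...' into a dict; no shell is involved."""
    return dict(KV_RE.findall(rewritten))


def correlate(events, window: int = WINDOW):
    """Return (closed outages as (host, neighbor, seconds), expired (host, neighbor) keys)."""
    pending: Dict[Tuple[str, str], int] = {}
    closed: List[Tuple[str, str, int]] = []
    expired: List[Tuple[str, str]] = []
    for ts, rewritten, original in events:  # events are assumed to be in time order
        # Expire first, so a late Up cannot close an outage that is already out of window
        for key, start in list(pending.items()):
            if ts - start > window:
                expired.append(key)
                del pending[key]
        fields = parse_fields(rewritten)
        key = (fields["host"], fields["neighbor"])
        if DOWN_RE.search(original):
            # Like SEC, a repeated Down for an already-pending pair is ignored
            pending.setdefault(key, ts)
        elif UP_RE.search(original) and key in pending:
            closed.append((key[0], key[1], ts - pending.pop(key)))
    return closed, expired


if __name__ == "__main__":
    done, dropped = correlate(SAMPLE_EVENTS)
    for host, neighbor, duration in done:
        print(f"BGP_OUTAGE host={host} neighbor={neighbor} duration={duration}")
    for host, neighbor in dropped:
        print(f"unpaired (window expired): host={host} neighbor={neighbor}")
```

The model keys the pending outage on both host and neighbor, which is why context2 in the rule tests `%router_host` as well as `%neighbor_ip`: without the host check, the rtr2 Up at t=2000 would have closed rtr1's outage.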

SEC Rule: BGP Flapping Detection

```text
# Detect BGP neighbor flapping (multiple up/down cycles):
# 6 state changes (thresh) within 30 minutes (window). The created
# FLAPPING_ context lives for one hour and can be tested by other rules.
# SEC does not allow trailing comments on key=value lines.
type=SingleWithThreshold
ptype=SubStr
pattern=BGP_EVENT
context=($ENV{EVENT_CISCO_MNEMONIC} eq "BGP-5-ADJCHANGE")
desc=BGP flapping detected: $ENV{EVENT_USER_TAGS_SRCIP} on $ENV{EVENT_HOST}
action=shellcmd (echo "BGP_FLAPPING host=$ENV{EVENT_HOST} neighbor=$ENV{EVENT_USER_TAGS_SRCIP} count=$ENV{ALERT_THRESHOLD}" | \
       logger -t SEC-ALERT -p local0.crit); \
       create FLAPPING_$ENV{EVENT_HOST}_$ENV{EVENT_USER_TAGS_SRCIP} 3600
thresh=6
window=1800
```
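
The threshold rule above modelled in Python, as an added example that is not LogZilla or SEC code. State changes are counted per (host, neighbor) in a sliding window of 1800 s; when the count reaches 6 an alert is recorded. The one-hour FLAPPING_ context is modelled, as an assumption of this example, as a suppression period during which the same pair cannot alert again. The events, router name and neighbor addresses are constructed.

```python
# Added example (not LogZilla or SEC code): sliding-window threshold model
# of the BGP flapping rule, with a one-hour per-pair suppression period.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

THRESH = 6       # thresh=6
WINDOW = 1800    # window=1800
SUPPRESS = 3600  # lifetime of the FLAPPING_<host>_<neighbor> context


class FlapDetector:
    def __init__(self, thresh: int = THRESH, window: int = WINDOW, suppress: int = SUPPRESS):
        self.thresh, self.window, self.suppress = thresh, window, suppress
        self.changes: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
        self.suppressed_until: Dict[Tuple[str, str], int] = {}
        self.alerts: List[Tuple[int, str, str, int]] = []

    def observe(self, ts: int, host: str, neighbor: str) -> bool:
        """Feed one BGP-5-ADJCHANGE event; return True if an alert fired."""
        key = (host, neighbor)
        if self.suppressed_until.get(key, -1) > ts:
            return False                       # context still exists: stay quiet
        q = self.changes[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop changes that fell out of the window
            q.popleft()
        if len(q) < self.thresh:
            return False
        self.alerts.append((ts, host, neighbor, len(q)))
        self.suppressed_until[key] = ts + self.suppress
        q.clear()                              # a new operation starts after the alert
        return True


def run(events: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str, int]]:
    """Replay (ts, host, neighbor) events in time order; return the alerts raised."""
    det = FlapDetector()
    for ts, host, neighbor in sorted(events):
        det.observe(ts, host, neighbor)
    return det.alerts


# Constructed sample events: (epoch seconds, host, neighbor)
SAMPLE_EVENTS = (
    [(t, "rtr1", "10.0.0.2") for t in range(0, 1200, 200)]       # 6 changes in 1000 s -> alert
    + [(t, "rtr1", "10.0.0.2") for t in range(1200, 2400, 200)]  # 6 more, but suppressed
    + [(t, "rtr1", "10.0.0.5") for t in range(0, 1000, 200)]     # only 5 changes -> no alert
    + [(t, "rtr1", "10.0.0.9") for t in range(0, 3600, 600)]     # 6 changes over 3000 s: never 6 inside one window
)

if __name__ == "__main__":
    for ts, host, neighbor, count in run(SAMPLE_EVENTS):
        print(f"BGP_FLAPPING host={host} neighbor={neighbor} count={count} at={ts}")
```

The third and fourth sample sets show the two ways a noisy neighbor stays below the rule: too few changes in total, or enough changes spread so thinly that no 30-minute window ever holds six of them.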

Interface Monitoring Correlation

Interface Up/Down Correlation

LogZilla extracts interface names and states from Cisco LINK messages.

LogZilla Forwarder Configuration

Required App: cisco__asa app (for SrcInt user tag)

```yaml
# /etc/logzilla/forwarder.d/interface-correlation.yaml
type: sec
sec_name: interface-monitoring
rules:
  - match:
      - field: cisco_mnemonic
        op: "eq"
        value: ["LINK-3-UPDOWN", "LINK-5-CHANGED"]
    rewrite:
      message: "INTERFACE_EVENT host=$HOST interface=$USER_TAGS_SRCINT"
```

SEC Rule: Interface Flapping Detection

```text
# Detect interface flapping with utilization correlation:
# 4 LINK-3-UPDOWN events (thresh) within 10 minutes (window).
# NOTE: ifInOctets (1.3.6.1.2.1.2.2.1.10.<ifIndex>) is indexed by ifIndex,
# while %interface carries the interface name from the SrcInt tag; map the
# name to its ifIndex (for example from an ifDescr walk) before the snmpget
# can return a value. Replace the "public" community with a read-only one;
# SNMPv2c sends the community string in clear text.
type=SingleWithThreshold
ptype=SubStr
pattern=INTERFACE_EVENT
context=($ENV{EVENT_CISCO_MNEMONIC} eq "LINK-3-UPDOWN")
desc=Interface flapping: $ENV{EVENT_USER_TAGS_SRCINT} on $ENV{EVENT_HOST}
action=eval %interface ($ENV{EVENT_USER_TAGS_SRCINT}); \
       eval %host ($ENV{EVENT_HOST}); \
       shellcmd (snmpget -v2c -c public %host 1.3.6.1.2.1.2.2.1.10.%interface > /tmp/interface-stats-%host-%interface); \
       shellcmd (echo "INTERFACE_FLAPPING host=%host interface=%interface" | \
       logger -t SEC-ALERT -p local0.warning)
thresh=4
window=600
```
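
The snmpget in the rule polls ifInOctets, whose instance identifier is an ifIndex, while the SrcInt tag carries an interface name. The following added example (not LogZilla or SEC code) shows the two pieces a helper script needs: resolving the name to an ifIndex from an ifDescr walk, and turning two ifInOctets samples into an inbound utilization percentage that survives a 32-bit counter wrap. The walk output is constructed in net-snmp's `IF-MIB::ifDescr.N = STRING: ...` format; no device is polled.

```python
# Added example (not LogZilla or SEC code): interface name -> ifIndex lookup
# and utilization from two counter samples, for the snmpget in the rule.
import re
from typing import Dict

IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"   # OID family used by the rule's snmpget

# Constructed sample of `snmpwalk -v2c -c <ro-community> <host> ifDescr`
SAMPLE_IFDESCR_WALK = """\
IF-MIB::ifDescr.1 = STRING: GigabitEthernet0/0
IF-MIB::ifDescr.2 = STRING: GigabitEthernet0/1
IF-MIB::ifDescr.5 = STRING: Vlan1
"""

DESCR_RE = re.compile(r"ifDescr\.(\d+) = STRING: (.+?)\s*$")


def parse_ifdescr(walk_output: str) -> Dict[str, int]:
    """Map interface name -> ifIndex from ifDescr walk output; unknown lines are skipped."""
    table: Dict[str, int] = {}
    for line in walk_output.splitlines():
        m = DESCR_RE.search(line)
        if m:
            table[m.group(2)] = int(m.group(1))
    return table


def if_in_octets_oid(interface: str, table: Dict[str, int]) -> str:
    """Build the ifInOctets instance OID for a named interface (KeyError if unknown)."""
    return f"{IF_IN_OCTETS}.{table[interface]}"


def utilization_pct(prev: int, curr: int, seconds: int, speed_bps: int,
                    counter_bits: int = 32) -> float:
    """Inbound utilization between two ifInOctets samples, tolerant of one counter wrap."""
    if seconds <= 0 or speed_bps <= 0:
        raise ValueError("interval and link speed must be positive")
    delta_octets = (curr - prev) % (1 << counter_bits)  # modular arithmetic absorbs a wrap
    return delta_octets * 8 * 100 / (seconds * speed_bps)


if __name__ == "__main__":
    table = parse_ifdescr(SAMPLE_IFDESCR_WALK)
    print(if_in_octets_oid("GigabitEthernet0/1", table))
    # 100 Mbit/s link, 60 s apart, counter wrapped between the samples
    print(f"{utilization_pct(4_294_967_000, 1_000_000, 60, 100_000_000):.4f}%")
```

On 32-bit ifInOctets a 1 Gbit/s link can wrap in about 34 seconds, so for fast links poll ifHCInOctets (64-bit) and pass `counter_bits=64`; the modular subtraction stays the same.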

Network Device Health Correlation

Multi-Metric Device Health

Correlate CPU, memory, and interface errors to assess overall device health.

LogZilla Forwarder Configuration

```yaml
# /etc/logzilla/forwarder.d/device-health.yaml
type: sec
sec_name: device-health
rules:
  - match:
      - field: program
        op: "eq"
        value: ["Cisco", "Juniper", "PaloAlto Traffic", "PaloAlto System"]
      - field: severity
        op: "le"
        value: 4  # Warning level and above
    rewrite:
      message: "DEVICE_HEALTH host=$HOST program=$PROGRAM severity=$SEVERITY"
```

SEC Rule: Device Health Correlation

```text
# Correlate multiple device health indicators: 3 high-CPU events, 2 high-memory
# events and 1 interface-down event from the same host within 15 minutes.
# pattern3 relies on the INTERFACE_EVENT rewrite from interface-correlation.yaml
# being active. The program value tested below must match what the forwarder
# rule matches on ("Cisco" in device-health.yaml versus "cisco_ios" here);
# align one of them with your installation.
type=EventGroup3
ptype=SubStr
pattern=DEVICE_HEALTH
context=($ENV{EVENT_PROGRAM} eq "cisco_ios") && \
        ($ENV{EVENT_USER_TAGS_CPU_USAGE} > 80)
thresh=3
ptype2=SubStr
pattern2=DEVICE_HEALTH
context2=($ENV{EVENT_PROGRAM} eq "cisco_ios") && \
         ($ENV{EVENT_USER_TAGS_MEMORY_USAGE} > 90)
thresh2=2
ptype3=SubStr
pattern3=INTERFACE_EVENT
context3=($ENV{EVENT_CISCO_MNEMONIC} eq "LINK-3-UPDOWN") && \
         ($ENV{EVENT_MESSAGE} =~ /down/)
thresh3=1
desc=Device health degradation on $ENV{EVENT_HOST}
action=shellcmd (echo "DEVICE_HEALTH_ALERT host=$ENV{EVENT_HOST} cpu_high=true memory_high=true interface_down=true" | \
       logger -t SEC-CRITICAL -p local0.crit); \
       shellcmd (/usr/local/bin/device-health-report.sh $ENV{EVENT_HOST})
window=900
```
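
The three-condition group above modelled in Python, as an added example that is not LogZilla or SEC code. Each host keeps a sliding 900 s window per event class with its own threshold (3 CPU, 2 memory, 1 interface down); the alert fires only when all three are satisfied at once, and the third host in the sample shows how an early CPU event ages out of the window before the interface goes down. The events, host names and field names (`cpu_usage`, `memory_usage`) are constructed.

```python
# Added example (not LogZilla or SEC code): EventGroup3-style correlation
# of three event classes per host inside one sliding window.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

WINDOW = 900                                    # window=900
THRESHOLDS = {"cpu": 3, "mem": 2, "ifdown": 1}  # thresh, thresh2, thresh3


def classify(ev: dict) -> Optional[str]:
    """Mirror context=, context2= and context3=; the first matching class wins."""
    if ev.get("program") == "cisco_ios" and ev.get("cpu_usage", 0) > 80:
        return "cpu"
    if ev.get("program") == "cisco_ios" and ev.get("memory_usage", 0) > 90:
        return "mem"
    if ev.get("cisco_mnemonic") == "LINK-3-UPDOWN" and "down" in ev.get("message", ""):
        return "ifdown"
    return None


def correlate(events: List[dict], window: int = WINDOW,
              thresholds: Dict[str, int] = THRESHOLDS) -> List[Tuple[int, str]]:
    """Return (timestamp, host) for every DEVICE_HEALTH_ALERT the group would raise."""
    seen: Dict[str, Dict[str, Deque[int]]] = defaultdict(lambda: defaultdict(deque))
    alerts: List[Tuple[int, str]] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = classify(ev)
        if kind is None:
            continue
        host, ts = ev["host"], ev["ts"]
        seen[host][kind].append(ts)
        for q in seen[host].values():          # slide the window for this host
            while q and ts - q[0] > window:
                q.popleft()
        if all(len(seen[host][k]) >= n for k, n in thresholds.items()):
            alerts.append((ts, host))
            seen[host].clear()                 # a fresh operation starts after the alert
    return alerts


def ev(ts: int, host: str, **fields) -> dict:
    return {"ts": ts, "host": host, **fields}


IFDOWN = dict(cisco_mnemonic="LINK-3-UPDOWN",
              message="Interface GigabitEthernet0/1, changed state to down")

# Constructed sample events
SAMPLE_EVENTS = [
    # rtrA: 3 CPU, 2 memory and 1 interface-down event inside 900 s -> alert
    ev(10, "rtrA", program="cisco_ios", cpu_usage=91),
    ev(20, "rtrA", program="cisco_ios", cpu_usage=88),
    ev(30, "rtrA", program="cisco_ios", cpu_usage=95),
    ev(40, "rtrA", program="cisco_ios", memory_usage=93),
    ev(50, "rtrA", program="cisco_ios", memory_usage=97),
    ev(60, "rtrA", **IFDOWN),
    # rtrB: CPU and memory only, no interface event -> no alert
    ev(10, "rtrB", program="cisco_ios", cpu_usage=99),
    ev(20, "rtrB", program="cisco_ios", cpu_usage=99),
    ev(30, "rtrB", program="cisco_ios", cpu_usage=99),
    ev(40, "rtrB", program="cisco_ios", memory_usage=95),
    ev(50, "rtrB", program="cisco_ios", memory_usage=95),
    # rtrC: the CPU event at t=0 has aged out of the window when the interface drops at t=1000
    ev(0, "rtrC", program="cisco_ios", cpu_usage=85),
    ev(100, "rtrC", program="cisco_ios", cpu_usage=85),
    ev(200, "rtrC", program="cisco_ios", cpu_usage=85),
    ev(300, "rtrC", program="cisco_ios", memory_usage=95),
    ev(400, "rtrC", program="cisco_ios", memory_usage=96),
    ev(1000, "rtrC", **IFDOWN),
]

if __name__ == "__main__":
    for ts, host in correlate(SAMPLE_EVENTS):
        print(f"DEVICE_HEALTH_ALERT host={host} at={ts}")
```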

OSPF Neighbor Correlation

OSPF Adjacency Monitoring

Track OSPF neighbor state changes and detect routing instability.

SEC Rule: OSPF Neighbor Correlation

```text
# Monitor OSPF neighbor state changes. This rule assumes a forwarder rule that
# rewrites OSPF-5-ADJCHG messages to OSPF_EVENT, like the BGP one above.
# The context name joins the two variables with "-": SEC variable names
# consist of letters, digits and underscores, so OSPF_DOWN_%router_host_%neighbor_id
# would be read as one unknown variable %router_host_.
type=Pair
ptype=SubStr
pattern=OSPF_EVENT
context=($ENV{EVENT_CISCO_MNEMONIC} eq "OSPF-5-ADJCHG") && \
        ($ENV{EVENT_MESSAGE} =~ /Down/)
desc=OSPF neighbor down on $ENV{EVENT_HOST}
action=eval %neighbor_id ($ENV{EVENT_USER_TAGS_SRCIP}); \
       eval %router_host ($ENV{EVENT_HOST}); \
       create OSPF_DOWN_%router_host-%neighbor_id 7200
ptype2=SubStr
pattern2=OSPF_EVENT
context2=($ENV{EVENT_CISCO_MNEMONIC} eq "OSPF-5-ADJCHG") && \
         ($ENV{EVENT_MESSAGE} =~ /Full/) && \
         ($ENV{EVENT_USER_TAGS_SRCIP} eq "%neighbor_id") && \
         ($ENV{EVENT_HOST} eq "%router_host")
desc2=OSPF neighbor %neighbor_id restored on %router_host
action2=shellcmd (echo "OSPF_RECOVERY host=%router_host neighbor=%neighbor_id" | \
        logger -t SEC-INFO); \
        delete OSPF_DOWN_%router_host-%neighbor_id
```

Network Security Correlation

Firewall Connection Correlation

Monitor firewall connection patterns for security analysis.

LogZilla Forwarder Configuration

Required Apps: cisco__asa app (for SrcIP and DstIP user tags), sonicwall app (for fw_action user tag)

```yaml
# /etc/logzilla/forwarder.d/firewall-correlation.yaml
type: sec
sec_name: firewall-security
rules:
  - match:
      - field: cisco_mnemonic
        op: "eq"
        value: ["ASA-6-302013", "ASA-6-302014", "ASA-2-106001"]
    rewrite:
      message: "FIREWALL_EVENT host=$HOST action=$USER_TAGS_FW_ACTION src=$USER_TAGS_SRCIP dst=$USER_TAGS_DSTIP"
```

SEC Rule: Suspicious Connection Patterns

```text
# Detect port scanning attempts: 20 ASA-2-106001 deny events (thresh) from one
# source within 5 minutes (window). SingleWithThreshold counts events per desc,
# i.e. per source address; it does not require 20 distinct destinations.
# %src_ip comes straight from the log line and is handed to iptables: wrap the
# call in a script that accepts only a single valid address and refuses
# management, peer and monitoring networks, or a spoofed source can get your
# own infrastructure blocked. SEC does not allow trailing comments on
# key=value lines.
type=SingleWithThreshold
ptype=SubStr
pattern=FIREWALL_EVENT
context=($ENV{EVENT_CISCO_MNEMONIC} eq "ASA-2-106001")
desc=Port scan detected from $ENV{EVENT_USER_TAGS_SRCIP}
action=eval %src_ip ($ENV{EVENT_USER_TAGS_SRCIP}); \
       shellcmd (echo "PORT_SCAN_DETECTED src_ip=%src_ip target_count=$ENV{ALERT_THRESHOLD}" | \
       logger -t SEC-SECURITY -p local0.alert); \
       shellcmd (iptables -A INPUT -s %src_ip -j DROP); \
       create BLOCKED_IP_%src_ip 86400
thresh=20
window=300
```
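
A wrapper for the automated iptables block above, as an added example that is not LogZilla or SEC code. The address in `%src_ip` comes from a log line, so the wrapper accepts it only if it parses as a single IP address, is not a loopback, link-local, unspecified or multicast address, and is not on a never-block list; it then calls iptables with an argument list rather than a shell string. The never-block networks, the `/usr/local/bin/safe-block.py` path mentioned in the comment and the `--apply` flag are assumptions of this example; by default it only prints what it would run.

```python
# Added example (not LogZilla or SEC code): validate a log-derived address
# before it reaches iptables, and refuse addresses that must never be blocked.
import ipaddress
import subprocess
import sys
from typing import List, Optional, Tuple

# Constructed never-block list (hypothetical): management network and BGP peer ranges
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.100.0/24")]


def validate_block_target(candidate: str, never_block=NEVER_BLOCK) -> Tuple[bool, str]:
    """Return (True, normalized address) or (False, reason)."""
    try:
        addr = ipaddress.ip_address(candidate.strip())
    except ValueError:
        return False, f"{candidate!r} is not a single IP address"
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified or addr.is_multicast:
        return False, f"{addr} is a special-purpose address"
    if any(addr in net for net in never_block):
        return False, f"{addr} is on the never-block list"
    return True, str(addr)


def iptables_argv(addr: str, chain: str = "INPUT") -> List[str]:
    """Argument list for the same rule the SEC action installs, with no shell in between."""
    return ["iptables", "-A", chain, "-s", addr, "-j", "DROP"]


def block(candidate: str, dry_run: bool = True) -> Optional[List[str]]:
    """Validate and (unless dry_run) apply the block; return the argv used, or None if refused."""
    ok, detail = validate_block_target(candidate)
    if not ok:
        print(f"refused: {detail}", file=sys.stderr)
        return None
    argv = iptables_argv(detail)
    if not dry_run:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    # Intended use from the rule (hypothetical path):
    #   shellcmd (/usr/local/bin/safe-block.py %src_ip --apply)
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.7"
    result = block(target, dry_run="--apply" not in sys.argv[2:])
    print(" ".join(result) if result else "no rule installed")
    sys.exit(0 if result else 1)
```

Because `validate_block_target` returns the normalized address, the `BLOCKED_IP_` context and any later unblock step see the same canonical form as iptables, which avoids leaving behind rules that a differently spelled address would not match.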
