Logging network connections
I have now spent a full working day trying to find a simple solution for logging outgoing network connections from a server. I'm not looking for network capture, but for something a bit like netstat, only logged. In fact, the Port Reporter tool would be the optimal solution, but the servers I need this on are all 2008 R2s. I have managed to get Port Reporter to run on the 2008 using compatibility mode, but this way it doesn't log the port/process/user information. Basically, what I need is the time when a connection is established, which process and user opened the connection, and when the connection is terminated. Of course, destination IP and port are also needed. I've found several tools for real-time monitoring, but this is not what I'm looking for. I need to log outgoing connections and keep the logs for about half a year for security reasons. Does anyone have any ideas, please? I've run all out.
March 3rd, 2011 9:25am

Hi Sami,

Thanks for posting here. Depending on the requirement, I'd suggest that you may consider deploying SNMP service to monitor and log the connectivity status of servers in your environment:

SNMP defined: http://technet.microsoft.com/en-us/library/cc780057(WS.10).aspx
SNMP Messages: http://technet.microsoft.com/en-us/library/cc783142(WS.10).aspx#w2k3tr_snmp_how_oqdv

For more information regarding SNMP service please refer to the links below:

SNMP: http://technet.microsoft.com/en-us/library/cc759705(WS.10).aspx
http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/a10ae19b-c4d7-4372-bda0-c771c6d4cca3/

Thanks.

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 4th, 2011 5:00am

Thanks for your answer, but I'm not sure I understand. The scenario is this: I have a few terminal servers and I need to log when any user/process connects from that terminal server to another server, using whichever protocol. Is there a way to pull this info from a server using SNMP? At least I wasn't able to find a MIB for that.
March 4th, 2011 8:03am

Hi Sami,

Thanks for clarifying. In this case, I'd suggest you may achieve the goal by using Process Monitor and TCPView, utilities of Windows Sysinternals:

Process Monitor: http://technet.microsoft.com/en-us/sysinternals/bb896645
TCPView: http://technet.microsoft.com/en-us/sysinternals/bb897437

You can also export these data to a file for deeper analysis.

Thanks.

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 7th, 2011 8:24am

Hi Sami,

Please feel free to let us know if the information was helpful to you.

Thanks,

Tiger Li
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 8th, 2011 2:42pm

I've gone through several tools like TCPView or procmon and they're good applications for troubleshooting. However, I'm looking for a way to log the connections over a time period of several months, not real-time observation.
March 17th, 2011 9:05am

I too have tried TCPView as well as CurrPorts by Nirsoft. The primary deficiency of TCPView is that it only shows real-time status. If a connection is attempted and fails, or is not open while the sysadmin is watching, there is no way to see that it has occurred. CurrPorts offers logging, but only on a differential basis at a polling granularity of 1 second. Same problem. As stated by the previous person, the goal is to log the connection attempt (source and dest IP and port), the time (both start and end), user, and process that made the attempt. Thanks for any help.
April 19th, 2011 2:14am
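One way to get the time/process/user/destination log that both posters describe on a 2008 R2 box, as an added example that is not from anyone in the thread: a PowerShell poller that diffs `netstat -ano` between samples, resolves the owning process and user through WMI, and appends an OPEN and a CLOSE record per connection to CSV. The log path and the 2-second interval are assumptions; like CurrPorts it polls, so established connections shorter than the interval are missed, only ESTABLISHED TCP is tracked (failed attempts are not), and netstat does not mark direction, so inbound sessions are logged too.

```powershell
# Added example, not from the thread. Assumes elevated PowerShell 2.0+ on 2008 R2 (netstat -o
# needs admin to show all PIDs) and an assumed log location under ProgramData.
param(
    [string]$LogPath = "$env:ProgramData\ConnLog\connections.csv",
    [int]$IntervalSeconds = 2
)
function Get-TcpConnectionTable {
    # Parse 'netstat -ano -p tcp' into a hashtable keyed by local|remote|PID.
    $table = @{}
    foreach ($line in (netstat -ano -p tcp)) {
        $f = -split $line.Trim()
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'ESTABLISHED') { continue }
        $i = $f[2].LastIndexOf(':')   # last colon, so IPv6 '[::1]:135' splits correctly too
        $table["$($f[1])|$($f[2])|$($f[4])"] = @{ Local = $f[1]; PID = [int]$f[4]
            RemoteIP = $f[2].Substring(0, $i); RemotePort = $f[2].Substring($i + 1) }
    }
    return $table
}
function Get-ProcessOwner([int]$ProcessId) {
    # Image name and owning user via WMI; needs nothing newer than what 2008 R2 ships.
    $p = Get-WmiObject Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $p) { return @{ Name = 'unknown'; User = 'unknown' } }
    $o = $p.GetOwner()
    $user = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { 'unknown' }
    return @{ Name = $p.Name; User = $user }
}
function Write-ConnEvent($Event, $Conn, $Info) {
    Add-Content -Path $LogPath -Value ('"{0}","{1}","{2}","{3}","{4}","{5}","{6}","{7}"' -f
        (Get-Date).ToString('o'), $Event, $Conn.Local, $Conn.RemoteIP,
        $Conn.RemotePort, $Conn.PID, $Info.Name, $Info.User)
}
$null = New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force
if (-not (Test-Path $LogPath)) { Add-Content -Path $LogPath -Value '"Time","Event","Local","RemoteIP","RemotePort","PID","Process","User"' }
$known = @{}   # currently open connections; owner is captured at OPEN because the PID may be gone by CLOSE
while ($true) {
    $now = Get-TcpConnectionTable
    foreach ($k in $now.Keys) {
        if ($known.ContainsKey($k)) { continue }
        $info = Get-ProcessOwner $now[$k].PID
        Write-ConnEvent 'OPEN' $now[$k] $info
        $known[$k] = @{ Conn = $now[$k]; Info = $info }
    }
    foreach ($k in @($known.Keys)) {      # copy of the keys, since entries are removed inside the loop
        if ($now.ContainsKey($k)) { continue }
        Write-ConnEvent 'CLOSE' $known[$k].Conn $known[$k].Info
        $known.Remove($k)
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

Run it as a scheduled task under an account that can query other users' processes, otherwise GetOwner fails and the user column reads unknown. For gap-free coverage the built-in alternative on 2008 R2 is the Audit Filtering Platform Connection subcategory, whose Security event 5156 records the application path, addresses, ports and direction of every permitted connection (though not the user).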
