I've had the opportunity to work with Solarwinds Orion again, and every time I look at it I am amazed at the visibility I have, and sometimes overwhelmed by it. However, the more I dig into it, the easier it gets to understand what it's showing me. For example, in the screenshot below I am looking at the Netflow Conversations summary. I've noticed here that over half of my data is one type of conversation.
By expanding the conversation I can see the interfaces that see the conversation, and I now know that it's between the sub-interfaces g0/0.11 and g0/0.10. In this case .11 is my voice VLAN and .10 is my data VLAN. To me this is interesting because there shouldn't be much traffic crossing between the two interfaces.
Selecting the conversation takes me to a more detailed view of just this conversation and I've expanded it out again.
Clicking on the interface takes me to the conversation.
I'm beginning to notice that this conversation is frequent and on UDP port 514. I could filter even more using the flow navigator as seen below. In this case there isn't much more I need to do with it.
Now that I know this is UDP traffic on port 514, I can start to paint the picture. UDP port 514 is syslog traffic. It is interesting that Orion labeled this traffic "cmd like exec", but I know what it is. Logging into my router and looking at the interfaces shows one of the addresses in question.
And sure enough, when I look at the config, someone has set up a syslog server that my router is now sending information to.
And pinging the syslog address from my workstation fails as well.
At this point I'm ready to remove the syslog configuration because I know the server doesn't exist, it isn't even an address on my server segment, and I didn't put it in the config in the first place. By removing the config and ceasing to send syslog information to a non-existent syslog server, I'll cut down the traffic on my network and clean up my netflow display in Orion.
Now if I had some way to manage my configurations, that would be great. The good news is that Solarwinds has a product for that. The bad news is that I don't have it installed on my server. Guess I'll have to get that going pretty soon. In the meantime I'll keep cleaning up my network management and using Orion to spot anomalies in my network.
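The same investigation can be scripted against exported flow records rather than clicked through in Orion. The block below is an added example, not code from the post or from Solarwinds: it aggregates constructed flow records into conversations by interface pair, protocol and port, flags any UDP/514 destination that is neither on the server segment nor a collector you actually run, and pulls the `logging host` lines out of a constructed IOS-style running config so the two can be compared. The addresses, sub-interface names, byte counts and config text are all made up for the example; the field names on the flow records are assumptions about whatever export format you are reading.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow records (not from the post). Each record is one
# exported flow: source/destination address, protocol, destination port,
# input and output sub-interface, and byte count.
SAMPLE_FLOWS = [
    {"src": "10.10.10.1", "dst": "10.11.11.20", "proto": "udp", "dport": 514,
     "in_if": "g0/0.10", "out_if": "g0/0.11", "bytes": 52000},
    {"src": "10.10.10.1", "dst": "10.11.11.20", "proto": "udp", "dport": 514,
     "in_if": "g0/0.10", "out_if": "g0/0.11", "bytes": 48000},
    {"src": "10.10.10.7", "dst": "10.10.20.5", "proto": "tcp", "dport": 443,
     "in_if": "g0/0.10", "out_if": "g0/0.20", "bytes": 30000},
    {"src": "10.10.10.9", "dst": "10.10.20.5", "proto": "udp", "dport": 514,
     "in_if": "g0/0.10", "out_if": "g0/0.20", "bytes": 5000},
    {"src": "10.11.11.30", "dst": "10.11.11.31", "proto": "udp", "dport": 5060,
     "in_if": "g0/0.11", "out_if": "g0/0.11", "bytes": 15000},
]

# Constructed running-config excerpt in IOS syntax (hypothetical router).
CONSTRUCTED_RUNNING_CONFIG = """\
hostname edge-router
logging buffered 16384
logging trap informational
logging host 10.11.11.20
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
"""


def summarize_conversations(flows):
    """Aggregate bytes per (in_if, out_if, proto, dport), largest first.

    Returns a list of (key, bytes, share_of_total) tuples, which is the
    same view as Orion's conversation summary: the top entry is the
    conversation worth looking at first.
    """
    totals = defaultdict(int)
    for f in flows:
        totals[(f["in_if"], f["out_if"], f["proto"], f["dport"])] += f["bytes"]
    grand = sum(totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: -kv[1])
    return [(key, b, b / grand) for key, b in ranked]


def flag_unexpected_syslog(flows, server_segment, known_servers):
    """Return {destination: bytes} for UDP/514 flows whose destination is
    neither inside the server segment nor one of the known collectors."""
    seg = ipaddress.ip_network(server_segment)
    known = {ipaddress.ip_address(s) for s in known_servers}
    suspects = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp" or f["dport"] != 514:
            continue
        dst = ipaddress.ip_address(f["dst"])
        if dst in seg or dst in known:
            continue
        suspects[str(dst)] += f["bytes"]
    return dict(suspects)


def logging_hosts_from_config(config_text):
    """Extract syslog destinations from 'logging host X' / 'logging X' lines."""
    pattern = re.compile(r"^logging (?:host )?(\d{1,3}(?:\.\d{1,3}){3})\b")
    hosts = []
    for line in config_text.splitlines():
        m = pattern.match(line.strip())
        if m:
            hosts.append(m.group(1))
    return hosts


def configured_and_unexpected(flows, config_text, server_segment, known_servers):
    """Destinations that are both configured on the router and flagged by
    the flow data: the ones to remove from the config."""
    flagged = flag_unexpected_syslog(flows, server_segment, known_servers)
    return sorted(h for h in logging_hosts_from_config(config_text) if h in flagged)


if __name__ == "__main__":
    for key, b, share in summarize_conversations(SAMPLE_FLOWS):
        print(f"{key}: {b} bytes ({share:.0%})")
    print("to remove:", configured_and_unexpected(
        SAMPLE_FLOWS, CONSTRUCTED_RUNNING_CONFIG, "10.10.20.0/24", ["10.10.20.5"]))
```

Run with real flow exports, the top entry of `summarize_conversations` is the conversation to expand first, and `configured_and_unexpected` turns the manual "look at the config, ping the address" step into a list you can check against your change records before touching the router.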