I recently had a user upload massive files from the office here to an FTP server on the net, and since there was no limitation of bandwidth at either endpoint, he inadvertently consumed all of our T1 bandwidth with this transfer. While this was happening, I was trying to figure out where all this traffic was coming from; I could see it going out but did not know how to find which particular node was the culprit. I do have a syslog in place, but the raw reports from it were not much help. I typically use this with filters for troubleshooting purposes, but how can you filter for something if you don't know what it is that you're looking for? After a couple of hours, I finally found who it was just by walking around the building, but I obviously need a better mechanism to figure this out a lot quicker. I have just purchased a tool that parses and analyzes syslog files and generates reports based on info found there, but what do people do without a tool like this, and what if you want to see it in real time? Is there any type of monitoring on the PIX itself or other tools that would assist in this? I did take a look at the various graphs and such in the PDM, but nothing there identifies the addresses of connection endpoints, only the number of connections, bandwidth consumption, etc.
Thanks,
-Peter
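As an added example (not part of the post above, and not Cisco code), here is the kind of quick top-talker check a defender can run over raw PIX syslog without a commercial analyzer: it sums the byte counts from the connection teardown messages (PIX 6.3-style `%PIX-6-302014`, an assumption about the syslog format in use) per inside host. The log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed PIX 6.3-style syslog lines (sample data, not from the post).
# Only the 302014 teardown message carries the byte count of a finished connection;
# the 302013 "Built" message does not, so the parser must skip it.
SAMPLE_SYSLOG = """\
Apr 10 09:12:01 pix %PIX-6-302014: Teardown TCP connection 4101 for outside:203.0.113.10/21 to inside:192.168.1.50/3211 duration 0:00:02 bytes 1420 TCP FINs
Apr 10 09:12:05 pix %PIX-6-302014: Teardown TCP connection 4102 for outside:203.0.113.10/20 to inside:192.168.1.50/3212 duration 0:04:31 bytes 41943040 TCP FINs
Apr 10 09:12:09 pix %PIX-6-302014: Teardown TCP connection 4103 for outside:198.51.100.7/80 to inside:192.168.1.77/1203 duration 0:00:01 bytes 3820 TCP FINs
Apr 10 09:12:12 pix %PIX-6-302014: Teardown TCP connection 4104 for outside:203.0.113.10/20 to inside:192.168.1.50/3213 duration 0:03:58 bytes 37748736 TCP FINs
Apr 10 09:12:15 pix %PIX-6-302013: Built outbound TCP connection 4105 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.77/1204 (192.0.2.1/1204)
"""

# Either endpoint may appear first in the message, so both interface names are captured.
TEARDOWN_RE = re.compile(
    r"%PIX-6-302014: Teardown TCP connection \d+ for "
    r"(?P<a_if>\w+):(?P<a_ip>[\d.]+)/(?P<a_port>\d+) to "
    r"(?P<b_if>\w+):(?P<b_ip>[\d.]+)/(?P<b_port>\d+) "
    r"duration (?P<dur>[\d:]+) bytes (?P<bytes>\d+)"
)

def bytes_by_host(log_text, inside_if="inside"):
    """Sum bytes of every torn-down TCP connection, keyed by the host on inside_if."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = TEARDOWN_RE.search(line)
        if not m:
            continue  # Built/other messages carry no byte count
        if m.group("a_if") == inside_if:
            host = m.group("a_ip")
        elif m.group("b_if") == inside_if:
            host = m.group("b_ip")
        else:
            continue  # connection did not touch the inside interface
        totals[host] += int(m.group("bytes"))
    return dict(totals)

def top_talkers(log_text, n=5):
    """Return [(host, bytes)] sorted by volume, largest first."""
    ranked = sorted(bytes_by_host(log_text).items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:n]

if __name__ == "__main__":
    for host, total in top_talkers(SAMPLE_SYSLOG):
        print(f"{host:16} {total / 1048576:8.1f} MB")
```

Teardown messages are only logged once a connection closes, so a single long-lived transfer shows up here late; for the in-progress view the post asks about, the per-connection byte counters in `show conn` on the PIX itself are the live source of the same data.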