The firewall logs are the best source of information to determine whether an internal server was accessed by hosts on the internet, as they record all the traffic that passes through the firewall, including the source and destination IP addresses, ports, protocols, and actions taken by the firewall rules.
The server’s syslog is a file that records events and messages related to the server’s operation, such as system errors, warnings, or notifications. It may not contain information about the network traffic to and from the server, especially if the server was shut down during the investigation.
NetFlow is a network protocol that collects and analyzes data about network traffic flows, such as the volume, type, and direction of the traffic. NetFlow statistics can provide useful information about network performance and utilization, but they may not show the details of the individual packets or the firewall actions.
The audit logs on the core switch are a record of the configuration changes and commands executed on the switch, such as adding, deleting, or modifying VLANs, ports, or routing protocols. They can help troubleshoot or verify the switch’s operation, but they may not show the network traffic to and from the server.
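The firewall-log review described above can be sketched as follows. This is an added example, not part of the original explanation; the key=value log layout, the internal range 10.0.0.0/8, the server address 10.0.5.20 and all sample lines are constructed assumptions, not any vendor's format.

```python
import ipaddress
from collections import defaultdict

# Assumptions for this example: internal address space and the server under investigation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SERVER = ipaddress.ip_address("10.0.5.20")

# Constructed sample lines in a generic key=value layout (not a vendor format).
SAMPLE_LOG = """\
2024-03-01T10:15:02Z action=allow proto=tcp src=203.0.113.45 sport=51514 dst=10.0.5.20 dport=443
2024-03-01T10:15:09Z action=deny proto=tcp src=198.51.100.7 sport=40022 dst=10.0.5.20 dport=22
2024-03-01T10:16:30Z action=allow proto=tcp src=10.0.8.14 sport=49822 dst=10.0.5.20 dport=445
2024-03-01T10:17:41Z action=allow proto=udp src=10.0.5.20 sport=53211 dst=198.51.100.53 dport=53
2024-03-01T10:18:05Z action=allow proto=tcp src=203.0.113.45 sport=51620 dst=10.0.5.20 dport=443
malformed line without fields
"""

def parse_line(line):
    """Return the key=value fields of one log line plus its timestamp, or None if unusable."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"action", "proto", "src", "dst", "dport"} <= fields.keys():
        return None
    fields["time"] = parts[0]
    return fields

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def inbound_from_internet(log_text, server=SERVER):
    """Group connections from non-internal sources to the server by firewall action."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            dport = int(rec["dport"])
        except ValueError:
            continue  # skip records with unparseable addresses or ports
        if dst == server and not is_internal(src):
            hits[rec["action"]].append((rec["time"], str(src), rec["proto"], dport))
    return dict(hits)

if __name__ == "__main__":
    for action, rows in inbound_from_internet(SAMPLE_LOG).items():
        print(action, rows)
```

Keeping the results split by action separates traffic the firewall actually passed to the server from attempts it blocked, which is the distinction the other three log sources cannot provide.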
CompTIA Network+ N10-008 Study Guide, Chapter 7: Network Security, Section 7.2: Network Security Devices and Technologies, p. 372-373
Professor Messer’s CompTIA N10-008 Network+ Course Notes, Section 5.1: Network Monitoring Tools, p. 51
Professor Messer’s CompTIA N10-008 Network+ Training Course, Video 5.1: Network Monitoring Tools, 12:28-14:02