Firewall logging

tuckerr200

I just bought this router and I do not see where you get any logging information for the firewall?

On my old Netgear router it would log firewall information.

I have set up a thumb drive and send logs to the thumb drive using Merlin software. The log files appear to be corrupt when trying to read them? It creates the two .gz files but I cannot read the contents of the two files?

Any help on this would be great.
 
Traffic monitoring (which generates those archived binary files) and firewall logging are two completely different things.

Firewall logging is done to syslog - System Log page. You have to enable firewall logging first, on the Firewall page.
 
I'd also be interested in seeing Firewall data. Something similar (from Netgear WNDR3700) to below would be very useful;

> [Time synchronized with NTP server] Thursday, March 28,2013
> [Dynamic DNS] host name regname.webhop.net registration successful, Thursday, March 28,2013
> [WLAN access rejected: incorrect security] from MAC address FF:FF:FF:FF:FF:FF, Thursday, March 28,2013
> [Internet connected] IP address: 74.34.xxx.xxx, Thursday, March 28,2013
> [DHCP IP: 192.168.1.6] to MAC address FF:FF:FF:FF:FF:FF, Thursday, March 28,2013
> [DoS Attack: TCP/UDP Chargen] from source: 93.174.93.48, port 55133, Thursday, March 28,2013
> [email sent to: rljames@xxxxx.com] Thursday, March 28,2013 04:00:02


Will the Firewall "Logged Packets Type = Both" yield this info mixed in with the System Log -> General? Is there any performance penalty for Firewall logging?
 
Most of these messages aren't related to the firewall (NTP update, DDNS update, WAN getting a DHCP lease), and are already logged by Asuswrt, all in the System Log.
 
Can you give an example of similar "DoS" attack and "WLAN access rejected" AC66 events recorded in the System Log?
Is there an option to remove all the System "Kernel" event noise from the log?

The Netgear WNDR3700 log would routinely show "DoS" events. I'd like to specifically/easily monitor the AC66 for similar activity and I've looked through the "System Log" but don't see anything Firewall related...
(And BTW, the NG also nicely allowed for scheduled eMail of the logs...)
 
The system log *is* the kernel log. Removing kernel entries would mean not logging anything anymore.

There is no specific logging done for those network events. You can enable logging dropped packets on the Firewall page, but it will only unnecessarily increase the load on the router. That will log every single packet that gets rejected by the firewall.
 
The System Log *contains* "kernel" categorized messages, such as those below;

Apr 22 12:00:20 kernel: br0: port 3(eth2) entering learning state
Apr 22 12:00:20 kernel: br0: topology change detected, propagating


But also other "types" such as these "dnsmasq-dhcp" events;

Apr 22 12:00:55 dnsmasq-dhcp[506]: DHCPOFFER(br0) 192.168.1.64 cc:ff:ad:68:b6:5f
Apr 22 12:00:55 dnsmasq-dhcp[506]: DHCPREQUEST(br0) 192.168.1.64 cc:ff:ad:68:b6:5f


Maybe I'm misunderstanding or looking in the wrong places but AC66 logging seems of very little practical daily operation feedback value.
I'd like to see info on "DoS", WLAN access attempts, shared USB access, etc.
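
Added example, not part of any post in this thread: one way to separate firewall drop entries from the other kernel and dnsmasq-dhcp lines in a saved copy of the System Log and count drops per source and destination port. The `DROP` prefix and the three drop lines in the sample are assumptions (standard netfilter LOG key=value fields, documentation-range addresses); the other sample lines copy the shape quoted above.

```python
import re
from collections import Counter

# Constructed sample: first four lines follow the thread's syslog shape; the
# "DROP" lines are assumed (netfilter LOG fields, documentation addresses).
SAMPLE_LOG = """\
Apr 22 12:00:20 kernel: br0: port 3(eth2) entering learning state
Apr 22 12:00:20 kernel: br0: topology change detected, propagating
Apr 22 12:00:55 dnsmasq-dhcp[506]: DHCPOFFER(br0) 192.168.1.64 cc:ff:ad:68:b6:5f
Apr 22 12:00:55 dnsmasq-dhcp[506]: DHCPREQUEST(br0) 192.168.1.64 cc:ff:ad:68:b6:5f
Apr 22 12:01:02 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=55133 DPT=23 SYN
Apr 22 12:01:03 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=55134 DPT=23 SYN
Apr 22 12:01:09 kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=29 PROTO=UDP SPT=40000 DPT=19 LEN=9
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Split one syslog line into (timestamp, tag, message); None if it does not match."""
    m = LINE_RE.match(line)
    return m.groups() if m else None

def firewall_fields(tag, message, prefix="DROP"):
    """Return netfilter key=value fields for a kernel line carrying the prefix, else None."""
    if tag != "kernel" or not message.startswith(prefix + " "):
        return None
    return dict(FIELD_RE.findall(message))

def summarize(log_text):
    """Count entries per source tag and dropped packets per (SRC, PROTO, DPT)."""
    tags, drops = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, tag, message = parsed
        fields = firewall_fields(tag, message)
        if fields is None:
            tags[tag] += 1          # bridge, DHCP and other non-firewall entries
            continue
        tags["firewall"] += 1       # counted apart from ordinary kernel lines
        # ICMP and other port-less protocols carry no DPT field.
        drops[(fields.get("SRC"), fields.get("PROTO"), fields.get("DPT", "-"))] += 1
    return tags, drops

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG)[1].most_common():
        print(n, "dropped", *key)
```
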
 
