Syslog for Internet activity
ilbbaicl

Hi,

After searching around I am still having difficulty finding a router that can easily send Internet Activity/Sessions logs to a syslog server. They have the activity logged but just don't have the option to syslog it.

Does anyone know of a router that can do this well?

Thanks in advance.
 

The Cisco RV220W seems to be the ticket: syslog for all traffic, and additionally packet capture. This PDF lays out the details.

I think the issue is the requirement "All Activity", on my network that would be too voluminous to make heads or tails of, and would be a significant bandwidth burden.
 
CradlePoint's routers (all have the same firmware) have a syslog server built-in that logs its own events. And it can forward to a peer Syslog server.

Freeware pt360 is a good syslog (and ftp, tftp, ping, ...) suite.
 

I think quite a few routers have syslog capabilities, for firewall, system events, and alike.

But it appears this guy is looking for another level of granularity, connection-level logging, which I don't think a lot of routers provide.

pfSense in all of its glory doesn't provide connection-level logging stock via syslog. I think you can set up firewall rules so that each LAN to WAN and back connection gets logged, and then syslog'ed. But the amount of data that would generate to the server (unless you are that mythical 10-minutes-a-day grandma) would consume a significant level of your bandwidth.

ilbbaicl, you might want to take a look at this: syslog firewall rule triggers, and then set up a firewall rule for all traffic. I suspect that might work (even with CradlePoint's products :) ), but under normal traffic levels you'd probably take a performance hit.
 
Some of you may find it interesting to do a quick scan of the enclosed PDF log file. It's a 3 day SYSLOG from the syslog server inside my CradlePoint MBR900 WiFi/router. I told the router to save as .txt, then I converted it to PDF and uploaded it.

At some places of note, I edited in ">>>NOTE", such as when WiFi clients associate, etc.

At home, and more so in a project at work, I've spent time looking at these logs, where there are connection attempts repeating from the same IP address and some few port numbers. Many/most are from IP addresses I'm told relate to domains in China. And many of the port numbers are reputed to be those used by virus propagators.

For some of the worst attackers, I used the router's "black list" to reject all packets from certain IP addresses. The log entries "Blocked ..." are for incoming packets on ports that aren't forwarded in my router config, OR! for IP addresses or address ranges (domains) that are blacklisted.

(For privacy, I changed to xxx.yyy those entries showing my public IP address, not that it matters that much. And my domain name in dyndns updates).
 

Attachments

  • Gatewaylog.pdf
    113.4 KB
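The analysis described in the post above, looking for source addresses and ports that repeat across the "Blocked ..." entries, is easy to automate once the log is saved as text. The following is an added example, not code from the original thread or from CradlePoint; the log line format and the sample lines are constructed here for illustration (the real MBR900 syslog format is in the attached PDF, not reproduced on this page), so the regular expression would need adjusting to the router's actual wording.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog export in a hypothetical "Blocked incoming ..." format.
# The public IP is masked as xxx.yyy, mirroring what the poster did.
SAMPLE_LOG = """\
Jan 10 02:13:44 router kernel: Blocked incoming TCP 203.0.113.5:51234 -> xxx.yyy:445
Jan 10 02:13:46 router kernel: Blocked incoming TCP 203.0.113.5:51235 -> xxx.yyy:445
Jan 10 02:14:01 router kernel: Blocked incoming TCP 203.0.113.5:51236 -> xxx.yyy:135
Jan 10 02:20:17 router kernel: Blocked incoming TCP 198.51.100.77:40001 -> xxx.yyy:445
Jan 10 02:31:09 router wlan: Station 00:11:22:33:44:55 associated
Jan 10 02:45:12 router kernel: Blocked incoming UDP 203.0.113.5:9999 -> xxx.yyy:1434
Jan 10 03:02:55 router kernel: Blocked incoming TCP 192.0.2.9:3333 -> xxx.yyy:22
"""

# Hypothetical line layout: "Blocked incoming <proto> <src>:<sport> -> <dst>:<dport>"
BLOCKED_RE = re.compile(
    r"Blocked incoming (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)"
)


def parse_blocked(log_text):
    """Yield (src_ip, proto, dst_port) for every 'Blocked ...' line.

    Lines that are not block events (WiFi association, DynDNS updates, ...)
    are skipped, so the rest of the log can stay in the file untouched.
    """
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            yield m["src"], m["proto"], int(m["dport"])


def repeat_offenders(log_text, min_hits=3):
    """Return {src_ip: hit_count} for sources with at least min_hits blocked packets.

    These are the candidates for the router's blacklist that the poster mentions.
    """
    counts = Counter(src for src, _, _ in parse_blocked(log_text))
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def ports_by_source(log_text):
    """Return {src_ip: sorted distinct destination ports} to see what each source probes."""
    ports = defaultdict(set)
    for src, _, dport in parse_blocked(log_text):
        ports[src].add(dport)
    return {ip: sorted(p) for ip, p in ports.items()}


def top_ports(log_text, n=3):
    """Most frequently targeted destination ports across all blocked packets."""
    return Counter(dport for _, _, dport in parse_blocked(log_text)).most_common(n)


if __name__ == "__main__":
    # With a real export: open("Gatewaylog.txt").read() in place of SAMPLE_LOG.
    for ip, hits in sorted(repeat_offenders(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {hits} blocked packets, ports {ports_by_source(SAMPLE_LOG)[ip]}")
    print("most targeted ports:", top_ports(SAMPLE_LOG))
```

Raising `min_hits` keeps one-off scans out of the blacklist candidate list; the port breakdown per source is what separates a single misdirected packet from the repeated same-IP, same-few-ports pattern the post describes.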

Cool.

I think the poster wants every connection made, every website and net service that had a transaction. The origin IP / port, destination IP / port, and probably destination name.

I park one of my browser tabs on NYTimes's home page; there are at least 20-30 transactions, if not more, just on that page. It auto reloads every 3 minutes, that's 20 thousand transactions per day, for one tab of my browser. Now add to that igoogle, hotmail, gmail, BBC, aim, yahoo, twitter that auto reload. That combined with my manual loading of pages, and four other machines (not including an XBox, Tivo, Android phones and other autochecks done) - I would guess I hit at least three quarters to more than a million connections opened every day (heavy web user, work from home).

So, let's say, 1.5 million transactions per day; now double that to account for the network logging of each of those, plus all of the scans, FTP and net noise I have, and we are talking a large number of transactions flooding my network. And that is not running utorrent or other network clients, which are not uncommon for folks.

The logging doubles my local net traffic.

(I'm sorry, no intent to dis CradlePoint, was just trying to be funny)
 
Right.
The syslog I showed doesn't log web/HTTP transactions, mostly network management incidents and events, such as WiFi clients coming and going, and incoming nefarious packets.

Logging all the HTTP traffic would be a killer; those pages' ads are 7/8 of the traffic as I observe, e.g., the damned doubleclick.com junk.
 