Posted: Thu Nov 20, 2008 1:31 Post subject: syslogd
Running DD-WRT V24 on a Linksys wrt45g, and it runs syslogd and I can get some data in the trap with WallWatcher or Syslog Watcher, but no incoming or outgoing IPs. From what I am reading, the capability for this function was removed? I understand that you would want to conserve memory for other processes, but I feel logging is an important function a firewall provides and an effective tool against many of the threats we now face on the internet. Can anyone provide a solution? The router is a Linux system, so I imagine there has to be a way. Any feedback will be greatly appreciated, as I've been going at this for a while.
Posted: Mon Dec 29, 2008 15:09 Post subject: Uncheck Filter IDENT (Port 113) to enable ip logging
In another forum post, I found that Filter IDENT (Port 113) must be unchecked to enable IP logging. Once this was unchecked I could view the logs of remote IPs using WallWatcher. :D
WallWatcher can convert IP addresses to URLs that are human readable, but is usable only on Windows machines.
Is there any update on getting website logging available in DD-WRT V24 SP2?
I've set up WallWatcher with the IP addresses. But this logging is not that useful for really knowing what's going on in the network vis-à-vis who is visiting which websites.
I've switched to DD-WRT to get the antenna power boost on my Buffalo router and the dual SSID capability. But I've lost the basic website logging that was provided by my simple Netgear router. Also, I think Tomato provides websites with their routing.
You have to log at the application level to get the visited web pages. Set up squid or tinyproxy as a transparent (forced) proxy. squid can log all visited pages and can also block URLs via ACL. You can run it on a Linux box where you have lots of space for logs.
squid and tinyproxy also exist as mipsel packages so you can try to install them on the router if you have a lot of free flash space.
Another possibility is to install tcpdump and analyze the traffic. Look for "GET" commands in HTTP on port 80. Be careful, you may end up with a huge log file, although tcpdump truncates the packets after 68 bytes. You can use Wireshark to analyze the log, and in this case you can also find types of traffic other than HTTP.
But instead of spending all day analyzing logs you should encourage your users to use VPN and block all other outgoing traffic.
Has anyone found a viable solution for the WRT54GL with DD-WRT to log visited sites?
Not that I've heard of. I've solved the problem by switching to Tomato for my APs, mostly because of DD-WRT's broken ACK timing (another issue one would think would be a high priority, but apparently isn't even on the developers' radar). Tomato can log domain names, but can't email the log like my ancient Trendnet router can; but that's good enough for my needs, if a bit less convenient than it could be.
I've just been working on the same problem for the past few days. My solution was to disable the dnsmasq version that comes with v24, and to write a startup script that downloads, installs in RAM and runs the full version with logging enabled. I am then sending the log to WallWatcher on a remote machine, but you can just as easily set it up to log to a file on a local SD card or USB or whatever. I have about 20 concurrent users 24 hours a day on an oil rig, and the log is about 20-30MB per 24h (and you can't even start thinking of the f*cked up sh*t I find in there).
edit: concerning the link above, be aware that the dnsmasq package you have to download may be different for your particular router.
(as you can see, at the start of the thread I am confused by the dnsmasq logging options not working as they should, until I realize they have been disabled)
Note that this is pretty much the only way to (relatively) efficiently log the visited sites. The next step is to run a (transparent) proxy server, but you simply need more power and memory than a 54G has to do that. You can always buy or build one of these small ClarkConnect boxes (low power, no keyboard, no screen, only SSH remote control) and program it to do that; cost is about $100. They also make very good little servers. (I am sure these things have a specific name, but I forgot what it is.)
edit: also, if you get the dnsmasq log file on a Windows machine, a good freeware to search by IP address, keyword, etc. is grepWin.
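Once the full dnsmasq with query logging is running as described in the post above, the raw log still has to be reduced to something a person can review. The following is an added example, not code from this thread or from the DD-WRT project: a small Python parser over constructed dnsmasq query lines (assumed to be in the standard `query[TYPE] name from client` format) that groups the queried names per LAN client and ranks them.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format dnsmasq writes when log-queries is on.
# Addresses and names are made up for the example.
SAMPLE_LOG = """\
Nov 20 01:31:05 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Nov 20 01:31:05 dnsmasq[1234]: forwarded www.example.com to 192.0.2.53
Nov 20 01:31:05 dnsmasq[1234]: reply www.example.com is 93.184.216.34
Nov 20 01:31:09 dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.10
Nov 20 01:31:12 dnsmasq[1234]: query[A] cdn.example.net from 192.168.1.10
Nov 20 01:31:20 dnsmasq[1234]: query[A] mail.example.org from 192.168.1.22
Nov 20 01:31:21 dnsmasq[1234]: cached mail.example.org is 203.0.113.5
Nov 20 01:31:30 dnsmasq[1234]: query[PTR] 10.1.168.192.in-addr.arpa from 192.168.1.22
Nov 20 01:32:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.22
"""

# Only "query[...]" lines tell us which client asked for which name;
# "forwarded", "reply" and "cached" lines carry no client address.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<client>\S+)")

def parse_queries(text, skip_types=("PTR",)):
    """Yield (client_ip, name) for each query line, skipping reverse lookups."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("qtype") in skip_types:
            continue
        yield m.group("client"), m.group("name").lower().rstrip(".")

def sites_per_client(text):
    """Return {client_ip: {name: query_count}} for the whole log."""
    counts = defaultdict(lambda: defaultdict(int))
    for client, name in parse_queries(text):
        counts[client][name] += 1
    return {c: dict(d) for c, d in counts.items()}

def top_domains(text, n=5):
    """Most-queried names across all clients, ties broken alphabetically."""
    totals = defaultdict(int)
    for _, name in parse_queries(text):
        totals[name] += 1
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    for client, names in sorted(sites_per_client(SAMPLE_LOG).items()):
        print(client, names)
    print(top_domains(SAMPLE_LOG))
```

Keep in mind that a DNS query only shows that a name was resolved: browser prefetching and embedded third-party resources also generate queries, so a name in this list is not proof that a user deliberately visited that site.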