How to log connections in OpenWRT?

10

5

I've got a public network configured using OpenWRT.

How can I log all connections (not the traffic) that flow through the public network?

I need those entries:

  • source MAC
  • source/dest IP
  • time
  • destination hostname if possible
  • source hostname if possible

Georg Schölly

Posted 2011-04-18T11:47:03.813

Reputation: 1 146

2 Just a warning: a single typical page view can result in as many as 20 or more individual connections. These logs tend to quickly get unwieldy – Joel Coehoorn – 2011-04-18T16:04:33.317

Answers

4

You can do this with log rules in the firewall. This will generate a lot of traffic, so you likely want to send the logs to another server. The default logger may truncate the logs, so you may want to install another logger like syslog-ng, as I documented in OpenWRT syslog-ng Installation. You won't get the hostnames, as by the time they are being routed they have been converted to IP addresses.

You may want to use Shorewall or Shorewall-lite to generate the firewall for you.

If you are concerned about logging web traffic, then you may want to use Squid or some other proxy which will log all the accesses. Your Open-WRT router isn't likely to run it though.

BillThor

Posted 2011-04-18T11:47:03.813

Reputation: 9 384

What about a USB stick, I think that would be sufficient for some traffic. (My WNDR3700 might be even fast enough to do the occasional gzipping.) – Georg Schölly – 2011-04-18T20:13:28.450

Yes, you could try configuring the syslog to write to a USB device. I think syslog doesn't truncate messages locally. It looks like syslog will rotate logs on its own. You may need to compress and rename files if you want to keep them. The logrotate package may help. – BillThor – 2011-04-18T20:25:02.510
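As an added example (not part of the original answers), this is one way to turn firewall LOG output into the fields the question asks for. It assumes an iptables-based firewall, a made-up `NEWCONN ` log prefix and constructed sample lines; in a LOG line the `MAC=` field holds the destination MAC, source MAC and EtherType back to back, so the source MAC is bytes 7 to 12.

```shell
#!/bin/sh
# Added example. Assumed rule on an iptables-based OpenWrt firewall
# (the "NEWCONN " prefix is a made-up label; br-lan is the LAN bridge):
#   iptables -I FORWARD -i br-lan -m conntrack --ctstate NEW \
#            -j LOG --log-prefix "NEWCONN "

# Reads logread-style lines on stdin and prints one tab-separated record
# per logged connection: time, source MAC, source IP, dest IP, proto, dport.
parse_newconn() {
    awk '
    / NEWCONN / {
        mac = "-"; src = "-"; dst = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue              # flags such as DF or SYN
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (key == "MAC") {
                # 14 bytes: dst MAC (1-6), src MAC (7-12), EtherType (13-14)
                if (split(val, b, ":") == 14)
                    mac = b[7] ":" b[8] ":" b[9] ":" b[10] ":" b[11] ":" b[12]
            }
            else if (key == "SRC")   src = val
            else if (key == "DST")   dst = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT")   dpt = val   # absent for ICMP
        }
        printf "%s %s %s %s %s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, mac, src, dst, proto, dpt
    }'
}

# Constructed sample input: two LOG lines and one unrelated hostapd line.
sample_log() {
cat <<'EOF'
Wed Jun  3 21:15:20 2015 kern.warn kernel: [ 812.104233] NEWCONN IN=br-lan OUT=eth0.2 MAC=02:00:00:00:00:01:02:00:00:aa:bb:cc:08:00 SRC=192.168.0.13 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4211 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Wed Jun  3 21:15:21 2015 daemon.info hostapd: wlan0: STA 02:00:00:aa:bb:cc IEEE 802.11: authenticated
Wed Jun  3 21:15:22 2015 kern.warn kernel: [ 814.550871] NEWCONN IN=br-lan OUT=eth0.2 MAC=02:00:00:00:00:01:02:00:00:aa:bb:cc:08:00 SRC=192.168.0.13 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4212 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
EOF
}

sample_log | parse_newconn
```

On the router the same function can be fed from `logread` instead of the sample; hostnames are not in these lines and would need a separate lookup.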

0

ssh into router

logread | grep -A 10 authenticated

Wed Jun  3 21:15:20 2015 daemon.info hostapd: wlan0: STA e0:xx:xx:xx:xx:xx IEEE 802.11: authenticated
Wed Jun  3 21:15:20 2015 daemon.info hostapd: wlan0: STA e0:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 1)
...
Wed Jun  3 21:15:20 2015 daemon.info hostapd: wlan0: STA DHCPREQUEST(br-lan) 192.168.0.13 e0:xx:xx:xx:xx:xx

Figure out how to send to remote server using logread -r or syslog-ng ( http://wiki.openwrt.org/doc/howto/log.syslog-ng )

here

Posted 2011-04-18T11:47:03.813

Reputation: 190

Thank you for your answer. Unfortunately I was interested in all connections traversing the router, not only SSH. – Georg Schölly – 2015-06-04T13:20:33.553

Hi @GeorgSchölly -- The example shows a DHCP request, including three of your goals: 1) source MAC, 2) source/dest IP, 3) time. By customizing the related tools via ssh, you should be able to fully customize the logging output. In my case, I was having a hard time correlating IP addresses and MAC addresses. Due to the short-term nature of the logread buffer, this type of setup still requires some additional work if not actively monitoring. – here – 2015-06-09T05:21:06.340