0
1
I have connected my ubuntu 14.04 computer to a "mirrored" port on my firewall, so that I can see all traffic on the network. I use this today to see who uses our bandwidth with NTOPNG.
but since I already have this connection, I was thinking I could start to log ALL traffic on the network. (preferably a cleaned-up version, to avoid too much space usage). any ideas how I can do this (for free). I was hoping to store this for 90 days to comply with local cyberlaws.
it must be a system that I can automatically clean up on a daily basis, so that my disks does not go full.
Some reasons why this is a question, and I do not just use TCPdump.
I do not need to log everything, only ip to/from and date time, and maybe what port it uses. (so, if anyone have a good idea of filter I can use)
I need to store for a long time (90 days), so the amount of data must be reduced to avoid disk going full. and also cleanup must be efficient, but it should be more than 90 days to comply with law.
Sverre
Posted 2014-10-20T07:48:12.390
Reputation: 338
thanks for moving it, I was honestly not sure what was the best place for it. – Sverre – 2014-10-20T08:53:31.630
Does your firewall act as a network proxy server? If it is then you could have it stream the logs it generates to your Ubuntu? – Kinnectus – 2014-10-20T20:04:03.907
no, we used to log from a proxy, but we found that the transparent proxy created some funny issues when testing websites (development office). – Sverre – 2014-10-21T04:04:26.433
You can have a look at your modem/router settings and see if you can enable its syslog. Every requested address goes through to your modem (obviously) so this is a good method of logging traffic. Log on to your router GUI, look for syslog or logging. It'll all for an IP of a machine to act as a syslog client (your Ubuntu in this case). Install a syslog client on Ubuntu and it should automatically start listing activity. Save the activity as you require. – Kinnectus – 2014-10-21T06:42:55.030