Syslog to monitor traffic

Is Kiwi Syslog the best thing out there to monitor traffic on my 837 ADSL router?

Any suggestions for good traffic monitoring software?

Thanks.

Reply to
Marc

Kiwi Syslog is a fairly good syslog for MS-Windows platforms. It logs system messages that hosts send it; it doesn't monitor anything.

What is it that you want to monitor? Are you looking for packet capturing or something else?

Reply to
Rod Dorman

I'm looking to monitor, in real time, all TCP and UDP traffic, outside-in. Or at least something I can refer to in a log as close to real-time as possible.

Reply to
Marc

Anyone?

Reply to
Marc

I'm having a hard time trying to figure out exactly what you are looking for and expecting to see. If you just want to see something like bandwidth gauges/charts, an SNMP based product would probably suit you. MRTG is a nice freeware one. I like the Solarwinds toolsets. However, that does not provide the granularity of determining what is TCP and what is UDP.

If you want something that shows detail of flows, a Netflow product is probably your best solution. However, most of them tend to be logging/reporting applications rather than real time. I don't know of any freeware Netflow products and you can drop some money on them. Or, if you don't care about historical reports, you can just view the flows on the router with 'sh ip cache flow'.

So, what exactly are you trying to accomplish by monitoring the traffic?

Reply to
Scooby

Specifically what the GUI for firewalls like CheckPoint do.

Example:

Time      Source          Destination    Protocol            Action
05:53:18  73.103.154.20   83.95.34.98    TCP, UDP or HTTP    Blocked or Allowed

I want to watch this in real time. I don't mind paying for software that will do it.

Reply to
Marc

Lost the formatting of my example. Basically I want to watch incoming and outgoing traffic in real time. Know the source, destination, protocol and action taken (blocked, allowed, etc.). If there's good software out there, I'm happy to pay for it.

Reply to
Marc


Debug nat, logging to the syslog server of your choice, would do the needful, I think.

Aaron

Reply to
Aaron Leonard

That's far too much to watch in real time, even on my single-user 804. What I do is create an access-list and add "log" to transactions I really want to see:

-----
access-list 121 remark 3389 is remote desktop
access-list 121 permit tcp any eq 3389 any log
access-list 121 remark 5900 is VNC
access-list 121 permit tcp any eq 5900 any log
...
access-list 121 deny ip any any log
-----

set the logging level to include such items:

-----
logging buffered 4096 debugging
ip access-list log-update threshold 1
logging facility syslog
logging 10.1.1.5
-----

and I get entries like this:

-----
Mar 26 14:53:50.580 pdt: %SEC-6-IPACCESSLOGP: list 121 denied tcp 166.114.42.49(1157) -> 68.164.169.15(5900), 1 packet
-----

That is a VNC in the non-permitted direction, that has fallen through the whole access-list to the "deny ... log" at the bottom.

I can also request summary statistics on matches to each of the access-list lines:

-----
! statistics on matches to every access list statement
show access-list [list#]
! reset access statistics
clear access-list counters [list#]
-----

Loren

Reply to
Loren Amelang
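The other half of Loren's setup is whatever sits at 10.1.1.5 and turns the %SEC-6-IPACCESSLOG* messages into the Source / Destination / Protocol / Action view Marc described. As an added example that is not part of the thread and not anyone's posted code, here is a small Python parser for those IOS messages (the tcp/udp form Loren shows, plus the icmp and other-protocol variants) that renders them as a table, totals denied packets per destination, and can optionally listen for them live over UDP. Only the first sample line is Loren's; the other sample lines are constructed for the example, and the listener's bind address and port are assumptions.

```python
"""Parse Cisco IOS ACL-log syslog lines into a Time / Source / Destination /
Protocol / Action table (added example; the sample lines below are constructed)."""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One pattern for the common IOS ACL log variants:
#   IPACCESSLOGP   tcp/udp with ports:      ... tcp 1.2.3.4(1157) -> 5.6.7.8(5900), 1 packet
#   IPACCESSLOGDP  icmp with type/code:     ... icmp 1.2.3.4 -> 5.6.7.8 (8/0), 1 packet
#   IPACCESSLOGNP  other protocols by number: ... 47 1.2.3.4 -> 5.6.7.8, 1 packet
# 'log-input' adds "(interface mac)" after the source, and a syslog header
# such as "<190>57: " may precede the timestamp, so the pattern is search()ed.
ACL_LOG = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?)(?: [A-Za-z]+)?: "
    r"%SEC-6-IPACCESSLOG(?:P|DP|NP|RP|S): "
    r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<sport>\d+)\))?"
    r"(?: \([^)]*\))?"
    r" -> (?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?:\((?P<dport>\d+)\))?"
    r"(?: \((?P<icmp>\d+/\d+)\))?"
    r", (?P<count>\d+) packets?"
)


@dataclass
class Hit:
    ts: str
    acl: str
    action: str   # "permitted" or "denied"
    proto: str    # "tcp", "udp", "icmp" or an IP protocol number
    src: str      # "addr" or "addr:port"
    dst: str      # "addr", "addr:port" or "addr type/code t/c" for icmp
    count: int    # packets the router aggregated into this one line


def parse_line(line: str) -> Optional[Hit]:
    """Return a Hit for an IOS ACL log line, or None for any other syslog line."""
    m = ACL_LOG.search(line)
    if not m:
        return None
    src = m["src"] + (f":{m['sport']}" if m["sport"] else "")
    dst = m["dst"] + (f":{m['dport']}" if m["dport"] else "")
    if m["icmp"]:
        dst += f" type/code {m['icmp']}"
    return Hit(m["ts"], m["acl"], m["action"], m["proto"], src, dst, int(m["count"]))


def format_row(hit: Hit) -> str:
    """One row in the Time / Source / Destination / Protocol / Action layout."""
    action = "Blocked" if hit.action == "denied" else "Allowed"
    return f"{hit.ts:<20} {hit.src:<22} {hit.dst:<28} {hit.proto:<5} {action} ({hit.count} pkt)"


def render(lines: Iterable[str]) -> List[str]:
    """Rows for every ACL log line in the batch; unrelated syslog lines are skipped."""
    return [format_row(h) for h in map(parse_line, lines) if h]


def denied_by_destination(lines: Iterable[str]) -> Dict[str, int]:
    """Denied packets per destination: the quick 'what is hitting me' summary.
    Uses the router's own packet count, so lines aggregated by a log-update
    threshold above 1 are still counted correctly."""
    totals: Dict[str, int] = {}
    for h in filter(None, map(parse_line, lines)):
        if h.action == "denied":
            totals[h.dst] = totals.get(h.dst, 0) + h.count
    return totals


def serve(bind: str = "0.0.0.0", port: int = 514) -> None:
    """Live view: receive UDP syslog from the router and print rows as they arrive.
    Bind address and port are assumptions; 514 needs root on most systems."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, (peer, _) = s.recvfrom(4096)
            hit = parse_line(data.decode("utf-8", "replace"))
            if hit:
                print(f"{peer:<15} {format_row(hit)}", flush=True)


# Constructed sample input: the first line is Loren's, the rest are made up.
SAMPLE = [
    "Mar 26 14:53:50.580 pdt: %SEC-6-IPACCESSLOGP: list 121 denied tcp 166.114.42.49(1157) -> 68.164.169.15(5900), 1 packet",
    "<190>57: Mar 26 14:53:52.001 pdt: %SEC-6-IPACCESSLOGP: list 121 permitted tcp 68.164.169.15(3389) -> 10.1.1.20(49152), 1 packet",
    "Mar 26 14:54:10.212 pdt: %SEC-6-IPACCESSLOGDP: list 121 denied icmp 203.0.113.9 -> 68.164.169.15 (8/0), 3 packets",
    "Mar 26 14:54:11.000 pdt: %SEC-6-IPACCESSLOGNP: list 121 denied 47 198.51.100.7 -> 68.164.169.15, 1 packet",
    "Mar 26 14:54:12.000 pdt: %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--listen":
        serve()
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    print("\n".join(render(lines)))
```

Run it with no arguments to see the constructed sample rendered, pipe a saved syslog file into it, or run `--listen` to watch lines arrive from the router. Note that the count field matters: with Loren's `ip access-list log-update threshold 1` every packet produces its own line, but at the default threshold the router aggregates matches and reports them periodically, so a tool that counts lines rather than the packet count will undercount.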

That's exactly what I would suggest as well, to accommodate the OP's request. However, this one probably falls in the category of be careful what you wish for, because you could get an overwhelming amount of entries. I can't imagine sitting there and watching this. But, in this particular case, yes, a Syslog server is what you would use to receive the entries. You do want one that will display the entries as they come in - I'm not sure if Kiwi does that or not.

Jim

Reply to
Scooby

Thanks, Loren. Exactly what I'm looking for.

Reply to
Marc

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.