SNMP connection logging, forward and outward may be indistinguishable

GroupMaster · September 11, 2017, 12:49am

I am currently using SNMP logging to track all in, out and forwarded connections. The issue I have is that forwarded and outward connections are not always clearly distinguishable from each other. I can assume that the forwarded connections will have the forwarded port number as the source port, entering the lan and exiting the wan, but in the coincidental event of an outward connection using a port number that I am also forwarding, they are indistinguishable. Is there a way to change the system to use something like "-j LOG --log-prefix "FORWARD(iptables): " --log-level 3" to the DNAT table?

LEDE Reboot 17.01.2 r3435-65eec8bd5f / LuCI lede-17.01 branch (git-17.152.82987-7f6fc16)

richb-hanover · September 12, 2017, 5:07pm

Slightly OT. What MIB are you using to track these connections? I wasn't aware that it was implemented in LEDE... Thanks!

davidc502 · September 13, 2017, 1:59am

I'll second the question about which MIBs are being used.

Best Regards,

GroupMaster · September 16, 2017, 1:18am

I am using the built-in SNMP "External system log server" option as the source of connection info. From there I have it branch off two ways, one is to real-time on-screen monitoring and the other is to a program that sorts and records to mysql. One simply needs to turn this feature on and then enable it on which interface they want to monitor. See: System... System ... Logging

I hope that answered you question. I am not that familiar with the technicals of SNMP so I did my best to answer. The definition of MIB is not really to clear to me.

abenz · September 16, 2017, 1:43am

I have to admit I also got excited about your "MIB"
But what you described doesn't rely on SNMP.

Can I ask what program do you use to sort the records to mysql?

GroupMaster · September 16, 2017, 2:02am

SNMP is how the connection data is sent to the intended receiving computer. As for what is taking the data and putting it into mysql... it doesn't have a name. It's an educational project. As for the real-time monitoring, wallwatcher. I don't mind talking about the project, just not openly on a forum. Or not yet anyway.

richb-hanover · September 17, 2017, 11:52am

Hmmm... I just want to be sure we're talking about the same thing... The "External system log server" on the System page, Logging tab, that sends (by default) to port 514, uses the syslog protocol, not SNMP.

That said, it's cool that you can collect this information, and I will look forward to the time when wallwatcher is ready for the world to see! Thanks.

GroupMaster · September 17, 2017, 12:02pm

Ok, and this conversation has really has nothing to do with wallwatcher.
I stand corrected. syslog it is, thank you for the clarification. So back to the initial question, can the output be modified to "tag" the forwarded connection logs?