szelinger wrote:I need help.
I want to log the traffic on the interfaces of my router, both the wired and the wireless traffic. The router is a TP-LINK TL-WR1043ND.
I want an automatic log. If possible, the router should send the daily log to a server or to an e-mail address.
If somebody has an idea, please let me know.
syslog-ng + iptables -j LOG for what you want.
Just tweak syslog-ng to filter your messages and set another destination {} statement for those messages to be sent to the remote machine's IP and port.
Example:
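#1) Optimizing log process creating custom chains (ex. here for your wireless - WLAN).
#   PREROUTING does not exist in the default filter table (only INPUT/FORWARD/OUTPUT do),
#   so the chain and the jump below are placed in the mangle table, whose PREROUTING
#   hook sees every packet arriving on the interface, whether it is addressed to the
#   router itself or forwarded. Conntrack runs before mangle, so -m state works here.
iptables -t mangle -N LOGWLAN
#2) Throwing traffic coming on your wlan interface to be inspected for logging (ex. wlan interface - wlan0)
#   LOG is non-terminating, so packets continue through the normal rules afterwards.
iptables -t mangle -I PREROUTING -i wlan0 -j LOGWLAN
#3) Custom rules in your custom LOG interface chain, for traffic that you want to log. Putting some limit is
#   useful in order not to flood your log with multiple messages that are the same.
#   --log-level 4 is kern.warning, i.e. facility kern, which the syslog-ng filter keys on;
#   the --log-prefix text is what the syslog-ng match() filters look for, so keep the two in sync.
iptables -t mangle -A LOGWLAN -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-level 4 --log-prefix "WLAN#ICMP: "
iptables -t mangle -A LOGWLAN -p tcp --dport 22 -m state --state NEW -m limit --limit 1/s --limit-burst 1 -j LOG --log-level 4 --log-prefix "WLAN#SSH-NEW: "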
etc. for the other interfaces.
#4) Here comes the trick using proper filters in syslog-ng. I've included several comments and other options that could be uncommented. You may tweak it for fine granularity log messages handling.
[root@Core-Sf:~]# cat /etc/syslog-ng.conf
@version:3.0
# Global defaults; individual sources and destinations may override them.
options {
    # Hostname handling: keep what the sender supplied, do not build relay
    # chains, and never resolve addresses via DNS (lookups would block
    # per message).
    keep_hostname(yes);
    chain_hostnames(no);
    use_dns(no);
    use_fqdn(no);
    # File outputs: create missing directories, owner root, group network,
    # mode 0660 (not world-readable).
    create_dirs(yes);
    owner(root);
    group(network);
    perm(0660);
    flush_lines(0);
    # sync(0);
    # Queue and message size limits.
    log_fifo_size(256);
    log_msg_size(1024);
    # Periodic MARK every 86400 s (daily) and statistics every 43200 s (12 h).
    mark_freq(86400);
    stats_freq(43200);
};
# Local messages: the /dev/log socket written by local programs, plus
# syslog-ng's own internal messages.
source src {
    unix-stream("/dev/log");
    internal();
};
# Syslog received over UDP port 514 from other hosts.
# NOTE(review): ip(0.0.0.0) listens on every interface of the router, so the
# port is reachable from the WAN side too unless the firewall blocks it; bind
# to the LAN address instead, or drop this source if no other host sends logs.
source net {
    udp(ip(0.0.0.0) port(514));
};
# Kernel ring buffer; this is where the iptables LOG lines arrive.
# program_override tags them with the program name "kernel".
source kernel {
    file("/proc/kmsg" program_override("kernel"));
};
# Local system log file.
destination messages {
    file("/var/log/messages");
};
# Remote collector (example address) that receives the iptables messages.
# Plain UDP syslog is unauthenticated and unencrypted, and lost datagrams are
# not retransmitted; fine on a trusted LAN, otherwise consider the tcp() driver
# if the server supports it.
destination logserver {
    udp("10.10.10.10" port(514));
};
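# Select the iptables LOG lines that should go to the remote log server.
# LOG writes kernel messages (facility kern) carrying the --log-prefix set in
# the iptables rules; the match() calls look for those prefixes.
# Filter expressions must be joined with and/or, and "and" binds tighter than
# "or", so the prefix alternatives are parenthesised to keep the facility test
# applying to all of them.
filter f_iptables_log {
    facility(kern)
    and (
        match(".*WLAN#.*" value("MESSAGE"))
        or match(".*LAN1#.*" value("MESSAGE"))
        # One line per log prefix used in the iptables rules, e.g.:
        # or match(".*LAN2#.*" value("MESSAGE"))
    );
};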
# Everything except the iptables lines selected by f_iptables_log, so those
# are not written to the local system log.
# Further restrictions can be added here, for example:
#   level(info .. warn)
#   not facility(auth, authpriv, kern)
#   and not filter(f_quagga)
filter f_messages {
    not filter(f_iptables_log);
};
# Path 1: all sources, minus the iptables lines, to the local messages file.
log {
    source(src); source(net); source(kernel);
    filter(f_messages);
    destination(messages);
};
# Path 2: iptables lines (selected by log prefix) to the remote log server only.
log {
    source(src); source(net); source(kernel);
    filter(f_iptables_log);
    destination(logserver);
};
Hope that this will help. If syslog-ng reports errors - check for correct ";" usage in the statements in /etc/syslog-ng.conf.