Re: Syslog to monitor traffic

"Loren Amelang" <loren@xxxxxxxxxxx> wrote in message
news:lh2d33t5pd1neaslb999mhs09uob8qorru@xxxxxxxxxx
On Mon, 30 Apr 2007 08:15:46 -0500, "Marc" <mhmuray@xxxxxxxxx> wrote:

Basically I want to watch incoming and
outgoing traffic in real time. Know the source, destination, protocol and
action taken (blocked, allowed, etc.)

That's far too much to watch in real time, even on my single-user 804.
What I do is create an access-list and add "log" to transactions I
really want to see:
-----
access-list 121 remark 3389 is remote desktop
access-list 121 permit tcp any eq 3389 any log
access-list 121 remark 5900 is VNC
access-list 121 permit tcp any eq 5900 any log
...
access-list 121 deny ip any any log
-----

set the logging level to include such items:
-----
logging buffered 4096 debugging
ip access-list log-update threshold 1
logging facility syslog
logging 10.1.1.5
-----

and I get entries like this:
-----
Mar 26 14:53:50.580 pdt: %SEC-6-IPACCESSLOGP: list 121 denied tcp
166.114.42.49(1157) -> 68.164.169.15(5900), 1 packet
-----

That is a VNC in the non-permitted direction, that has fallen through
the whole access-list to the "deny ... log" at the bottom.

I can also request summary statistics on matches to each of the
access-list lines:
-----
// statistics on matches to every access list statement
show access-list [list#]
// reset access statistics
clear access-list counters [list#]
-----

Loren

That's exactly what I would suggest as well, to accomodate the OP's request.
However, this one probably falls in the category of be careful what you wish
for, because you could get an overwhelming amount of entries. I can't
imagine sitting there and watch this. But, in this particular case, yes a
Syslog server is what you would use to receive the entries. You do want one
that will display the entries as the come in - I'm not sure if Kiwi does
that or not.

Jim





.

Relevant Pages

  • Re: Security audit file shows users continually loggin on and off
    ... machines) logging in and out of the server. ... I noticed in the security log file that I have entries of users loggin ...
    (microsoft.public.windows.server.active_directory)
  • Re: Security audit file shows users continually loggin on and off
    ... machines) logging in and out of the server. ... I noticed in the security log file that I have entries of users loggin on ... seeing the Administrator logging on and off as well and this troubles me. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Syslog to monitor traffic
    ... That's far too much to watch in real time, ... set the logging level to include such items: ... I can also request summary statistics on matches to each of the ... // statistics on matches to every access list statement ...
    (comp.dcom.sys.cisco)
  • Re: Syslog to monitor traffic
    ... That's far too much to watch in real time, ... set the logging level to include such items: ... I can also request summary statistics on matches to each of the ... // statistics on matches to every access list statement ...
    (comp.dcom.sys.cisco)
  • Re: foreign ip in /var/log/wtmp
    ... That's normally a login ... you reported differences in the wtmp entries ... between logging in via ssh verses logging in over the console. ...
    (comp.os.linux.security)