Log internet traffic in and out of network

In my business I have a Windows network connected to the internet through a router. Recently we had a virus on one of the PCs that sent spam. Our ISP almost cancelled our account, but they were able to help us isolate the computer. Now, I'd like to set up a computer (probably a Linux box) to act as a go-between between the network and the internet so that I could log all traffic going in and out. Our router has a log function, but it seems to fill up too quickly. How would I do this?

Mark
msibleyAsked:

rsivanandanCommented:
On Linux I remember one of my EE friends set up a proxy server which is free - Squid. Try that out; it can proxy your connections and do 'allow/disallow' things and probably will also have a logging feature for sites visited.

Cheers,
Rajesh
naveedbCommented:
Does your router support syslog? If so, you can set up a Windows or Linux machine as a syslog server to log all traffic going in and out. If you want to go with a proxy, Squid as mentioned by rsivanandan would be good.
msibleyAuthor Commented:
How would I determine if the router supports syslog?  And, if so, how would I set it up?

Mark

rsivanandanCommented:
>>Our router has a log function, but it seems to fill up to quickly.

That is syslog (SystemLog).

Cheers,
Rajesh
ashburyCommented:

Try using Bandwidthd; it is a good host-based bandwidth monitoring tool. From this you'll come to know HTTP, TCP, UDP, ICMP, VPN, and P2P traffic. And also you'll come to know any unusual traffic from your network and also the host which is using max bandwidth in your network.

http://bandwidthd.sourceforge.net/

It should be installed on the proxy server.
pseudocyberCommented:
>> Now, I'd like to set up a computer (probably a linux box) to act as a go between the network and internet so that I could log all traffic going in and out.

This is called a Firewall.  Not only can it log, but it can also block traffic.  Best practice is to block everything you don't specifically allow.  Better firewalls log more and are easier to use.  I would recommend Checkpoint.  I've heard good things about Sonicwall - less expensive option.  Cisco Pix are excellent, but a little more difficult to use.

Hope this helps.
nickhillsCommented:
In your router configuration have a look for a section that mentions syslog or logging server. If you find such a setting, then your router supports syslog.

Now all you need is a syslog daemon, and I think Kiwi Syslog is still free.

Install Kiwi, and then configure the router to use your PC, and you're done - all the logs will be saved to your PC for future analysis.

regards,
Nick
pseudocyberCommented:
With a REAL firewall - not one on a Small Office Home Office (SOHO) router - you could block traffic incoming and outgoing and be alerted to all unusual activity.

Basic ruleset:

From Any to "My Web Server" Port 80 Action = Allow
From Inside Net to Any Port 80, 443 Action = Allow - Log
From Any to Any Port Any Action = Drop - Log

These three basic rules say:
1. From any location on the Internet over port 80 (http web traffic) I want to allow it.
2. From any inside network location to the Internet over ports 80 and 443 (http, https) I want to allow it, but watch it too.
3. From any location to any location - in or out - over any port - if the first two rules didn't allow it, I now want to DROP it and log it.
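To show what the "Log" part of rules 2 and 3 buys you on a Linux box, here is an added example (not from any poster) that reads netfilter LOG lines in the kernel's key=value syslog format and picks out the inside host behaving like the spam-sending PC from the question: a workstation that keeps opening SMTP (TCP/25) connections to many different outside mail servers, which rule 3 above would drop and log. The log prefixes FW-OUT/FW-DROP, the 192.168.1.0/24 inside network and the sample lines are all constructed for the example.

```python
import re
from collections import defaultdict

# key=value fields of a netfilter LOG line, e.g. "SRC=192.168.1.37 DST=... PROTO=TCP SPT=2201 DPT=25"
FIELD_RE = re.compile(r'\b(SRC|DST|PROTO|SPT|DPT)=(\S+)')

def parse_line(line):
    """Return the SRC/DST/PROTO/SPT/DPT fields of a firewall log line, or None for other syslog lines."""
    fields = dict(FIELD_RE.findall(line))
    if 'SRC' not in fields or 'DST' not in fields:
        return None
    return fields

def smtp_fanout(lines, inside_prefix):
    """Map each inside host to the number of distinct outside hosts it tried to reach on TCP/25.
    A normal PC talks to one mail relay; a spam bot fans out to many servers."""
    fanout = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        if f.get('PROTO') == 'TCP' and f.get('DPT') == '25' and f['SRC'].startswith(inside_prefix):
            fanout[f['SRC']].add(f['DST'])
    return {src: len(dsts) for src, dsts in fanout.items()}

def suspicious_hosts(lines, inside_prefix, threshold=3):
    """Inside hosts whose SMTP fan-out reaches the threshold, most suspicious first."""
    counts = smtp_fanout(lines, inside_prefix)
    return sorted((s for s, n in counts.items() if n >= threshold), key=lambda s: -counts[s])

# Constructed sample syslog lines (assumed prefixes: FW-OUT = rule 2 allow+log, FW-DROP = rule 3 drop+log).
SAMPLE_LOG = """\
Mar  3 10:01:02 gw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP SPT=1034 DPT=80
Mar  3 10:01:03 gw kernel: FW-OUT: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.5 PROTO=TCP SPT=1035 DPT=443
Mar  3 10:01:05 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.10 PROTO=TCP SPT=2201 DPT=25
Mar  3 10:01:05 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.11 PROTO=TCP SPT=2202 DPT=25
Mar  3 10:01:06 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.12 PROTO=TCP SPT=2203 DPT=25
Mar  3 10:01:06 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.13 PROTO=TCP SPT=2204 DPT=25
Mar  3 10:01:07 gw kernel: FW-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.50 PROTO=TCP SPT=3300 DPT=25
Mar  3 10:01:08 gw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.99 DST=192.168.1.1 PROTO=TCP SPT=4444 DPT=23
Mar  3 10:01:09 gw sshd[123]: Accepted publickey for admin from 192.168.1.5
""".splitlines()

if __name__ == '__main__':
    counts = smtp_fanout(SAMPLE_LOG, '192.168.1.')
    for host in suspicious_hosts(SAMPLE_LOG, '192.168.1.'):
        print(host, 'SMTP destinations:', counts[host])
```

Point it at /var/log/kern.log (or the file your syslog daemon writes router messages to) instead of SAMPLE_LOG; the inbound telnet probe and the sshd line show that unrelated entries are ignored rather than miscounted.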
msibleyAuthor Commented:
Thanks. I found all of your suggestions to be informative, so I split the points.

Mark