Log internet traffic in and out of network

In my business I have a Windows network connected to the internet through a router.  Recently we had a virus on one of the PCs that sent spam.  Our ISP almost cancelled our account, but they were able to help us isolate the computer.  Now, I'd like to set up a computer (probably a Linux box) to act as a go-between for the network and the internet so that I could log all traffic going in and out.  Our router has a log function, but it seems to fill up too quickly.  How would I do this?

Mark
msibley Asked:
nickhills Commented:
In your router configuration have a look for a section that mentions syslog or logging server. If you find such a setting, then your router supports syslog.

Now all you need is a syslog daemon, and I think Kiwi Syslog is still free.

Install Kiwi, then configure the router to use your PC, and you're done - all the logs will be saved to your PC for future analysis.

regards,
Nick
0
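A Linux-side equivalent of what Nick describes, as an added example (not code from the original thread): receive the router's syslog datagrams, decode the `<PRI>` field into facility and severity, and write one file per day so the log never "fills up" the way the router's fixed buffer does. Assumed, not from the thread: `socat` is installed, the router sends RFC 3164 syslog to UDP/514 on this box, `LOGDIR` is `/var/log/router`, and the router's log lines carry netfilter-style `SRC=a.b.c.d` fields (Linux-based routers do; others will need a different pattern in `top_talkers`).

```sh
#!/bin/sh
# Minimal router syslog collector (example for this thread, not from the answers).
# Assumes: socat installed, router -> UDP/514 on this host, LOGDIR writable.
LOGDIR="${LOGDIR:-/var/log/router}"

# Facility and severity names in syslog numeric order (RFC 3164 section 4.1.1).
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# nth_word N "w0 w1 ..." prints the N-th (zero-based) word of the list.
nth_word() {
    n=$1; shift
    set -- $*
    shift "$n"
    printf '%s\n' "$1"
}

# decode_pri PRI -> "facility.severity"; PRI = facility*8 + severity, e.g. 134 -> local0.info
decode_pri() {
    printf '%s.%s\n' "$(nth_word $(($1 / 8)) "$FACILITIES")" \
                     "$(nth_word $(($1 % 8)) "$SEVERITIES")"
}

# tag_line '<PRI>rest' -> 'facility.severity rest'; returns 1 on lines without a valid PRI.
tag_line() {
    case $1 in
        "<"[0-9]*">"*) ;;
        *) return 1 ;;
    esac
    rest=${1#<}
    pri=${rest%%>*}
    msg=${rest#*>}
    case $pri in *[!0-9]*) return 1 ;; esac
    [ "$pri" -le 191 ] || return 1          # 23*8+7 is the largest legal PRI
    printf '%s %s\n' "$(decode_pri "$pri")" "$msg"
}

# collect: read datagrams forever and append each to today's file (rotation by date).
collect() {
    mkdir -p "$LOGDIR"
    socat -u UDP4-RECV:514 STDOUT | while IFS= read -r line; do
        tagged=$(tag_line "$line") || tagged="unknown.unknown $line"
        printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$tagged" \
            >> "$LOGDIR/router-$(date +%F).log"
    done
}

# top_talkers FILE [N]: inside hosts ranked by number of logged lines.
# Assumes netfilter-style "SRC=a.b.c.d" fields; a PC hammering port 25 floats to the top.
top_talkers() {
    sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# Run as "./collector.sh collect" to start receiving; sourcing the file only defines the functions.
if [ "${1-}" = "collect" ]; then collect; fi
```

Once a day's file exists, `top_talkers /var/log/router/router-$(date +%F).log` is the quickest way to answer the question in the original post: which PC is generating the traffic.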
 
rsivanandan Commented:
On Linux I remember one of my EE friends set up a proxy server which is free - Squid. Try that out; it can proxy your connections and do 'allow/disallow' things and probably also has a logging feature for sites visited.

Cheers,
Rajesh
0
 
naveedb Commented:
Does your router support syslog? If so, you can set up a Windows or Linux machine as a syslog server to log all traffic going in and out. If you want to go with a proxy, Squid as mentioned by rsivanandan would be good.
0
 
msibley Author Commented:
How would I determine if the router supports syslog?  And, if so, how would I set it up?

Mark
0
 
rsivanandan Commented:
>>Our router has a log function, but it seems to fill up to quickly.

That is syslog (SystemLog).

Cheers,
Rajesh
0
 
ashbury Commented:

Try using Bandwidthd; it is a good host-based bandwidth monitoring tool. From it you'll come to know HTTP, TCP, UDP, ICMP, VPN, and P2P traffic. You'll also come to know about any unusual traffic from your network and the host which is using the most bandwidth in your network.

http://bandwidthd.sourceforge.net/

It should be installed on the proxy server.
0
 
pseudocyber Commented:
>> Now, I'd like to set up a computer (probably a linux box) to act as a go between the network and internet so that I could log all traffic going in and out.

This is called a Firewall.  Not only can it log, but it can also block traffic.  Best practice is to block everything you don't specifically allow.  Better firewalls log more and are easier to use.  I would recommend Checkpoint.  I've heard good things about Sonicwall - less expensive option.  Cisco Pix are excellent, but a little more difficult to use.

Hope this helps.
0
 
pseudocyber Commented:
With a REAL firewall - not one on a Small Office Home Office (SOHO) router - you could block traffic incoming and outgoing and be alerted to all unusual activity.

Basic ruleset:

From Any to "My Web Server" Port 80 Action = Allow
From Inside Net to Any Port 80, 443 Action = Allow - Log
From Any to Any Port Any Action = Drop - Log

These three basic rules say:
1. From any location on the Internet over port 80 (http web traffic) I want to allow it.
2. From any inside network location to the Internet over ports 80 and 443 (http, https) I want to allow it, but watch it too.
3. From any location to any location - in or out - over any port - if the first two rules didn't allow it, I now want to DROP it and log it.
0
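The same three rules written out for a Linux box with two NICs sitting between the LAN and the router, as an added example (not part of pseudocyber's answer). Assumed names, not from the thread: WAN on eth0, LAN on eth1 with 192.168.1.0/24, the web server at 192.168.1.10, and `IPT=echo` to print the commands instead of applying them. Two things the three-line ruleset leaves implicit are spelled out here because iptables needs them: a stateful rule letting replies to permitted connections back through (a commercial firewall does this on its own, and without it rule 3 would also drop return traffic), and a rate limit on the drop log so a runaway host cannot fill the disk the way it filled the router's buffer. Everything else follows the rules literally, which means an inside PC's DNS or SMTP also lands in the drop log until you add a rule for it.

```sh
#!/bin/sh
# Three-rule gateway firewall as iptables rules (example for this thread, not the
# answer's own code). Assumed: WAN eth0, LAN eth1 = 192.168.1.0/24, web server
# 192.168.1.10. IPT=echo prints the commands instead of running them.
set -u
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB="${WEB:-192.168.1.10}"

apply_ruleset() {
    # Start clean and deny by default in every direction: this is rule 3 as policy.
    # Note the gateway's own traffic (OUTPUT) falls under rule 3 too; add rules for
    # whatever this box itself needs (e.g. package updates) before relying on it.
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT DROP

    # Replies to connections the rules below allowed may pass through.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Rule 1: From Any to "My Web Server" Port 80 = Allow (port-forwarded to the LAN host).
    $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Rule 2: From Inside Net to Any Port 80,443 = Allow + Log. LOG does not terminate,
    # so the same match appears twice: once to log (one line per new connection,
    # not per packet), once to accept. The LAN is then NATed behind the WAN address.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j LOG --log-prefix "FW-ALLOW-WEB: "
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport --dports 80,443 \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Rule 3: From Any to Any Port Any = Drop + Log. Log whatever reached the end of
    # each chain, rate-limited, then fall through to the DROP policy. An inside PC
    # spewing mail shows up as "FW-DROP-FORWARD: ... SRC=192.168.1.x ... DPT=25".
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m limit --limit 30/min --limit-burst 100 \
            -j LOG --log-prefix "FW-DROP-$chain: "
    done
}

# Run as "./fw.sh apply" (as root) to load the rules; sourcing only defines the function.
if [ "${1-}" = "apply" ]; then
    sysctl -q -w net.ipv4.ip_forward=1   # the box must route between its two NICs
    apply_ruleset
fi
```

Dry-run it first with `IPT=echo ./fw.sh apply` and read the generated commands; the `FW-ALLOW-WEB` and `FW-DROP-*` prefixes then land in the kernel log (`/var/log/kern.log` or `journalctl -k` on most distributions), where they can be grepped by `SRC=` to find the offending PC.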
 
msibley Author Commented:
Thanks. I found all of your suggestions to be informative, so I split the points.

Mark
0