best way for logging traffic

Hi everyone.

I would like to set up a syslog daemon on a Linux/Debian machine where I would like to store all data about the traffic that went through one router, in case I need to find out which user did what…
Also, I would like to avoid setting up a proxy, so proxylizer is out…
Maybe there is some manual?
Thank you

You cannot reasonably use syslog to monitor user traffic (you could log firewall rules being hit, but that would generate an insane amount of traffic that is hard to sift through). Look into Traffic Flow, which is an implementation of NetFlow. There are free and open NetFlow analyzers; check out ntop's NetFlow probes, for example.

OK, thank you…
I managed to get this working: I set up Traffic Flow and ntop with NetFlow, so I got nice graphs with the distribution of protocols…
But what if I want to know which IP address connected to IP address x.x.x.x last night at 3:15? Can I do that?

Hello, Radius Manager has a utility called "conntrack" (connection tracking) that lets you save in a database (MySQL) all "new" connections created by customers. It also has a search by source IP, destination port, source and destination, date and time!
Like this:
[screenshot attachment: Pantallazo-1.jpg]

Yes, you can do that. It's just a matter of querying the data right. If ntop doesn't allow you to do that, maybe use nfdump/NfSen instead. They can most definitely be queried based on time and IP specifically.
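A worked version of that answer, and of the Traffic Flow/NetFlow suggestion earlier in the thread. This is an added example, not code from the thread or from the nfdump project: it starts a collector with nfcapd and runs the nfdump query that lists which sources connected to a given address in a window around 03:15. The directory, UDP port, exporter name and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): collect the router's Traffic Flow
# (NetFlow) export with nfcapd and ask nfdump "which IP addresses connected
# to x.x.x.x last night around 03:15?".
# Assumptions (placeholders, not from the original posts): the router
# exports NetFlow to UDP/2055 on this host, capture files live under
# /var/cache/nfdump, and the exporter is tagged "router1".

NFDUMP_DIR=${NFDUMP_DIR:-/var/cache/nfdump}
NETFLOW_PORT=${NETFLOW_PORT:-2055}

# Start the collector as a daemon (-D): listen on UDP (-p), store files
# under $NFDUMP_DIR (-l) in year/month/day subdirectories (-S 1), rotate
# the capture file every 300 s (-t) and tag records with an ident (-I).
start_collector() {
    nfcapd -D -p "$NETFLOW_PORT" -l "$NFDUMP_DIR" -S 1 -t 300 -I router1
}

# Turn a date (YYYY/MM/DD) and a time (HH:MM) into an nfdump -t window of
# +/- $3 minutes around it: YYYY/MM/DD.HH:MM:SS-YYYY/MM/DD.HH:MM:SS.
# The window is clamped to the given day. Flows are matched on their
# start time, so keep it a few minutes wide rather than an exact minute.
window_around() {
    day=$1; hh=${2%:*}; mm=${2#*:}; radius=$3
    # ${x#0} strips one leading zero so 08/09 are not read as octal by $(( ))
    total=$(( ${hh#0} * 60 + ${mm#0} ))
    lo=$(( total - radius )); hi=$(( total + radius ))
    [ "$lo" -lt 0 ] && lo=0
    [ "$hi" -gt 1439 ] && hi=1439
    printf '%s.%02d:%02d:00-%s.%02d:%02d:00\n' \
        "$day" $(( lo / 60 )) $(( lo % 60 )) "$day" $(( hi / 60 )) $(( hi % 60 ))
}

# Print the exact nfdump command for "which flows went to $1 in window $2".
# nfdump's own filter language is used verbatim ('dst ip A.B.C.D');
# -R reads every capture file under the directory, -o line prints one
# flow per line (start time, proto, src:port -> dst:port, packets, bytes).
build_query() {
    printf "nfdump -R %s -t %s -o line 'dst ip %s'\n" "$NFDUMP_DIR" "$2" "$1"
}

# Answer the question directly: let nfdump aggregate by source address
# (-s srcip/flows) so the result is a short ranked list, not thousands
# of flow records to sift through.
who_connected_to() {
    target=$1; window=$2
    nfdump -R "$NFDUMP_DIR" -t "$window" -s srcip/flows -n 50 "dst ip $target"
}

# Usage: ./netflow_query.sh query 203.0.113.7 2024/03/12 03:15
case "${1:-}" in
    collector) start_collector ;;
    query)     who_connected_to "$2" "$(window_around "$3" "$4" 5)" ;;
esac
```

The window is deliberately a few minutes wide: NetFlow records are keyed on the flow's start time and the router clock may be off, so an exact-minute filter misses connections. Note also that this answers "which address", not "which user": keep the DHCP, PPPoE or RADIUS accounting logs for the same period, since addresses get reassigned.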

But for this solution with Radius Manager, all customers must be in the RADIUS server, I suppose?
Maybe there is some solution with Traffic Flow and MySQL as the database?

Radius Manager works with two databases, one for FreeRADIUS and a second for conntrack, with an application that listens on port 4950 by default. The MikroTik is configured with a "forward" rule for connection-state=new that is sent to the server, which stores it in the database, but I have not tested whether it can operate without using RADIUS, because the application that logs the connections and the database are completely different; it is even recommended that they reside on different servers, because the traffic generated is high with many customers (in my case, with 400 clients, 50 MB, 500,000 entries).
NfSen is a good idea, it is zero cost!
Andrew
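The idea in that post (record only the connection-state=new forward traffic, not every packet) can also be done with the router's own firewall log action and the syslog host from the first post, without Radius Manager. This is an added example, not from the thread: the router-side commands are in comments, and the log lines are constructed in the shape RouterOS emits for a logged forward rule; the interface names, log prefix, syslog host and addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): search syslog for "which source
# addresses opened a connection to x.x.x.x between 03:10 and 03:20?".
#
# Router side (RouterOS CLI, assumed setup, not run here). Logging only
# connection-state=new gives one line per connection instead of one per
# packet, which is what keeps the volume searchable:
#   /ip firewall filter add chain=forward connection-state=new \
#       action=log log-prefix="new-conn" place-before=0
#   /system logging action add name=syslog target=remote \
#       remote=192.0.2.5 remote-port=514
#   /system logging add topics=firewall action=syslog

# Constructed sample of what the syslog host receives (placeholder
# addresses; the field order follows a RouterOS forward-rule log line).
sample_log() {
    cat <<'EOF'
Mar 12 03:14:58 gw firewall,info new-conn forward: in:bridge out:ether1, connection-state:new src-mac aa:bb:cc:dd:ee:01, proto TCP (SYN), 192.168.88.10:51234->203.0.113.7:443, len 60
Mar 12 03:15:03 gw firewall,info new-conn forward: in:bridge out:ether1, connection-state:new src-mac aa:bb:cc:dd:ee:02, proto UDP, 192.168.88.23:40321->203.0.113.7:53, len 71
Mar 12 03:15:41 gw firewall,info new-conn forward: in:bridge out:ether1, connection-state:new src-mac aa:bb:cc:dd:ee:01, proto TCP (SYN), 192.168.88.10:51240->203.0.113.7:443, len 60
Mar 12 03:16:10 gw firewall,info new-conn forward: in:bridge out:ether1, connection-state:new src-mac aa:bb:cc:dd:ee:03, proto TCP (SYN), 192.168.88.77:60000->198.51.100.9:22, len 60
Mar 12 03:30:00 gw firewall,info new-conn forward: in:bridge out:ether1, connection-state:new src-mac aa:bb:cc:dd:ee:02, proto TCP (SYN), 192.168.88.23:40500->203.0.113.7:443, len 60
EOF
}

# connections_to TARGET FROM TO  (reads log lines on stdin)
# Prints "count source-ip" for every source that opened a connection to
# TARGET with a timestamp in [FROM, TO] (HH:MM:SS), most active first.
connections_to() {
    awk -v tgt="$1" -v from="$2" -v to="$3" '
        # $3 is the syslog timestamp HH:MM:SS; it is zero padded, so plain
        # string comparison orders it correctly. Only lines whose
        # destination is the target are considered.
        $3 >= from && $3 <= to && index($0, "->" tgt ":") {
            for (i = 1; i <= NF; i++)
                if (index($i, "->")) {
                    split($i, p, "->")          # p[1] = "src:port"
                    sub(/:[0-9]+$/, "", p[1])   # drop the source port
                    n[p[1]]++
                }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Usage: ./who_connected.sh 203.0.113.7 03:10:00 03:20:00 < /var/log/router.log
[ $# -eq 3 ] && connections_to "$1" "$2" "$3"
```

It is still one line per flow, so budget disk for it (the 500,000 entries mentioned above give a sense of scale), and the answer is again an address rather than a user: correlate it with the address assignment logs for that time.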

I would like to thank everyone. I managed to get nfdump working and I think it works very nicely…