Hi Al
Thanks for your detailed answer
If the 2003 server is plugged into the router to give it access to the internet, users can logon to the server & then get internet access, what I meant was if someone was plug into the router directly and not go through the server, would their activities be still sent to the LOG on the server?
The router has been logging all HTTP activity to the server eg 192.168.0.200, the server is a 2003 Win server, are you saying there must be a program running to receive this data, or will Server 2003 be putting this info into its own logs is so where?
The program you highlighted looks great, but I don't want to spend any money if possible and also want to look at any data the server has already logged in possible
What I meant by accessing through the server was that users logon to the server, and that then gives them internet access, as apposed to plugging directly into the router.
>>I have a customer with a Netgear DG834 Router, Inbound services in Firewall Rules include the service HTTP, ALLOW always, LAN services is set to 192.168.0.200 for example, if the service is set to Log Always, where can I get my hands on the log, can I see what websites the users have visited? Should it really be set to Log Always or maybe never if the customer trusts his userseone
>>
>>Also, If someone was to plug directly into the router, and not access the internet through the server, would the http log be updated to the server?
>
>I'm not familiar with that particular device, but some Linksys consumer routers work like this:
>
>- you can specify a Log to be Enabled or Disabled. Disabled is the default. If you Enable it, you have to specify the IP address of a computer that will receive events that are generated by and sent from the router.
>
>- on the computer at the IP address you specified above, you need to run a so-called "syslog" server. A free one I've used with success is Kiwi Syslog:
http://www.kiwisyslog.com/>
>- in your syslog server, you can specify the way it stores the messages/events it receives - the default is to formatted text files, but some syslog servers can store to ODBC databases etc.
>
>- you then need a tool to view the log entries that are stored in the text files or database (Kiwi Syslog offers some, don't know if any are free)
>
>This is a bit complicated, but flexible and powerful. The main thing to see if your router works the same way, is to see if you need to specify a syslog server's IP address when you enable the log. If not, then it's working some other way.
>
>One possible way for a router to maintain a log is to write entries to its internal memory. However, most consumer routers don't have a lot of memory, so they don't have room to store a lot of events. However, if that's what it does then you may be able to access the log by accessing the router either through its embedded Web server at its IP address, or possibly by FTP etc.
>
>To answer your last question, if the router is recording events that are stored either locally or on a syslog server, then yes, any device that connects directly to the router will generate events that will get logged.
>
>One common reason to do logging like this is for basic tracking of how users are accessing the Internet. If you're doing that there are some things to bear in mind:
>
>- workstations will need to be configured with static IP addresses, unless the router is capable of recording host names against log entries. More usual is just recording source IP addresses
>
>- I don't know what you mean by people accessing the internet "through the server". One common configuration with SBS 2003 was to configure the server as "dual-homed", with two network cards. The LAN is typically a subnet 192.168.16.xxx, and the WAN network card is usually 192.168.0.xxx and only connects to the internet-facing router. In that scenario, all traffic bound for the Internet from the LAN goes through the server. As far as the router is concerned, all traffic is coming from the server's WAN IP address, so there may not be any way to distinguish the source IP on the LAN. If the server is acting as a proxy server rather than a dual-homed NAT router, it may be even more difficult to get source IP addresses/host names.
Rob
