Where is the HTTP inbound log stored
07/12/2010 04:17:48
General information
Forum:
Windows
Category:
Networking & connectivity
Miscellaneous
Thread ID:
01491803
Message ID:
01491952
Views:
40
Sorry Al, I'm just trying to get my head around all of this. The server is single

So if the router was set to record inbound HTTP, HTTPS, FTP etc., can you just briefly explain what types of thing this would be recording?

Am I getting confused, if the router was set to log inbound HTTP for instance, it is logging people accessing the server remotely?

>"Inbound" traffic is traffic that originates on the public Internet and tries to connect to or access computers on your LAN. "Outbound" traffic is the reverse - traffic from your LAN computers out to the Internet - most often, these days, accessing Web sites.
>
>You talk about computers hooking up directly to the router (which would be outbound traffic you're interested in), now you say the log function on the router is set to record inbound traffic? Have you checked the server to see if it's single- or dual-homed? Is a syslog server program running on the server?
>
>At this point I think it would be a good idea for you to let us know what you're trying to achieve.
>
>>Yes it is Server 2003 SBS, and the log is set to record inbound traffic?
>>
>>
>>>Viv found the user guide for that router. It looks like it can store a log locally, which you can view from the router's embedded web server. Those devices typically have limited RAM, so the internal log may only be the most recent XXX entries, which may not be a very long time in a busy environment.
>>>
>>>If the router is configured to send log entries to the server at 192.168.0.200, then yes, there must be a syslog server program running on that server computer to receive and store the log entries that are sent by the router. Server 2003 Standard or Small Business editions do not include a syslog server. Whoever set up the network and router may have installed one on the server computer for you, if so you just have to find out what it is and how to access or view the information it's collecting. If there isn't one running on the server, then the events the router's been sending to the server have just been ignored. In that case you'll need to install and configure a syslog server.
>>>
>>>Here's an illustration of a dual-homed server where all LAN traffic must pass through the server to get to the Internet: http://ptgmedia.pearsoncmg.com/images/chap3_0672328054/elementLinks/03fig01.jpg . You can tell if that's your setup because in that case the server will have 2 separate network adapters (with two network cables plugged into it) and two IP addresses.
>>>
>>>For Server 2008, Microsoft switched back to recommending a single-homed server configuration e.g. http://i.technet.microsoft.com/cc527583.30dc70f9-a28a-4dff-8995-e2774bd8b0a1(en-us,WS.10).gif . In that case, the server computer has only one network adapter and one IP address.
>>>
>>>Does the server have two network adapters and IP addresses, or just one? What exactly are you trying to do? Do you have Small Business Server 2003 (SBS 2003) or is it the Standard edition?
>>>
>>>To answer your question again, in more detail, about someone plugging in to the router directly instead of getting their access "through the server":
>>>
>>>- If the router is configured to send log messages about outgoing traffic to the server at 192.168.0.200 ;
>>>- And the server has a syslog program installed and configured to receive and store those log messages
>>>
>>>then YES, the server will have logs of outgoing traffic from any computers plugged into the router, not just the server computer.
>>>
>>>
>>>
>>>>Hi Al
>>>>
>>>>Thanks for your detailed answer
>>>>
>>>>If the 2003 server is plugged into the router to give it access to the internet, users can logon to the server & then get internet access, what I meant was if someone was to plug into the router directly and not go through the server, would their activities be still sent to the LOG on the server?
>>>>
>>>>The router has been logging all HTTP activity to the server eg 192.168.0.200, the server is a 2003 Win server, are you saying there must be a program running to receive this data, or will Server 2003 be putting this info into its own logs, if so where?
>>>>
>>>>The program you highlighted looks great, but I don't want to spend any money if possible and also want to look at any data the server has already logged if possible
>>>>
>>>>What I meant by accessing through the server was that users logon to the server, and that then gives them internet access, as opposed to plugging directly into the router.
>>>>
>>>>>>I have a customer with a Netgear DG834 Router, Inbound services in Firewall Rules include the service HTTP, ALLOW always, LAN services is set to 192.168.0.200 for example, if the service is set to Log Always, where can I get my hands on the log, can I see what websites the users have visited? Should it really be set to Log Always or maybe never if the customer trusts his users
>>>>>>
>>>>>>Also, If someone was to plug directly into the router, and not access the internet through the server, would the http log be updated to the server?
>>>>>
>>>>>I'm not familiar with that particular device, but some Linksys consumer routers work like this:
>>>>>
>>>>>- you can specify a Log to be Enabled or Disabled. Disabled is the default. If you Enable it, you have to specify the IP address of a computer that will receive events that are generated by and sent from the router.
>>>>>
>>>>>- on the computer at the IP address you specified above, you need to run a so-called "syslog" server. A free one I've used with success is Kiwi Syslog: http://www.kiwisyslog.com/
>>>>>
>>>>>- in your syslog server, you can specify the way it stores the messages/events it receives - the default is to formatted text files, but some syslog servers can store to ODBC databases etc.
>>>>>
>>>>>- you then need a tool to view the log entries that are stored in the text files or database (Kiwi Syslog offers some, don't know if any are free)
>>>>>
>>>>>This is a bit complicated, but flexible and powerful. The main thing to see if your router works the same way, is to see if you need to specify a syslog server's IP address when you enable the log. If not, then it's working some other way.
>>>>>
>>>>>One possible way for a router to maintain a log is to write entries to its internal memory. However, most consumer routers don't have a lot of memory, so they don't have room to store a lot of events. However, if that's what it does then you may be able to access the log by accessing the router either through its embedded Web server at its IP address, or possibly by FTP etc.
>>>>>
>>>>>To answer your last question, if the router is recording events that are stored either locally or on a syslog server, then yes, any device that connects directly to the router will generate events that will get logged.
>>>>>
>>>>>One common reason to do logging like this is for basic tracking of how users are accessing the Internet. If you're doing that there are some things to bear in mind:
>>>>>
>>>>>- workstations will need to be configured with static IP addresses, unless the router is capable of recording host names against log entries. More usual is just recording source IP addresses
>>>>>
>>>>>- I don't know what you mean by people accessing the internet "through the server". One common configuration with SBS 2003 was to configure the server as "dual-homed", with two network cards. The LAN is typically a subnet 192.168.16.xxx, and the WAN network card is usually 192.168.0.xxx and only connects to the internet-facing router. In that scenario, all traffic bound for the Internet from the LAN goes through the server. As far as the router is concerned, all traffic is coming from the server's WAN IP address, so there may not be any way to distinguish the source IP on the LAN. If the server is acting as a proxy server rather than a dual-homed NAT router, it may be even more difficult to get source IP addresses/host names.
Rob
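
The syslog receiver role described in the quoted replies (a program on the server at 192.168.0.200 that accepts and stores what the router sends), as an added example that is not part of the thread or any poster's code. It listens for BSD-syslog (RFC 3164) datagrams on UDP 514, keeps only those from the router, and appends them to a text file; the router address 192.168.0.1, the file name `router-syslog.log` and the sample messages in the test are assumptions constructed for illustration.

```python
import re
import socketserver
from datetime import datetime, timezone

TRUSTED_SENDERS = {"192.168.0.1"}   # assumption: the router's LAN address
LOG_PATH = "router-syslog.log"      # assumption: hypothetical output file
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.S)

def parse_syslog(datagram: bytes, sender_ip: str) -> dict:
    """Split a BSD-syslog (RFC 3164) datagram into PRI fields and message."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = PRI_RE.fullmatch(text)
    if m and int(m.group(1)) <= 191:          # PRI = facility * 8 + severity
        pri, msg = int(m.group(1)), m.group(2)
    else:                                     # no valid PRI: RFC 3164 default 13
        pri, msg = 13, text
    # Replace control characters so one datagram cannot forge extra log lines.
    msg = "".join(c if c.isprintable() else " " for c in msg)
    return {"sender": sender_ip, "facility": pri >> 3,
            "severity": SEVERITIES[pri & 7], "message": msg}

def format_record(rec: dict, received: datetime) -> str:
    """One tab-separated line per event, stamped with the receive time."""
    return "\t".join([received.isoformat(timespec="seconds"), rec["sender"],
                      f"{rec['facility']}.{rec['severity']}", rec["message"]])

class SyslogHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request            # UDP: (payload, socket)
        sender = self.client_address[0]
        if sender not in TRUSTED_SENDERS:     # UDP syslog is unauthenticated
            return
        line = format_record(parse_syslog(data, sender), datetime.now(timezone.utc))
        with open(LOG_PATH, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")

if __name__ == "__main__":
    # Listen on the standard syslog port; stop with Ctrl+C.
    with socketserver.UDPServer(("0.0.0.0", 514), SyslogHandler) as server:
        server.serve_forever()
```

The sender column holds the address the datagram arrived from, which is the router itself; which LAN host triggered an entry has to come from the message text the router writes. The allowlist is a filter rather than authentication, since UDP source addresses can be spoofed on the LAN.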