How to monitor and log traffic from /to user

kamilk
Posts: 2
Joined: August 11th, 2017, 12:25 pm

How to monitor and log traffic from /to user

Post by kamilk » August 11th, 2017, 12:31 pm

Hi,
how can I monitor and log traffic from my local user to WAN networks and from WAN to my local user?
When I am an ISP I must log traffic from my local network to the Internet, and I must know that person x was connected to server x on a given date. How can I do it?

ummeegge
Community Developer
Posts: 4122
Joined: October 9th, 2010, 10:00 am

Re: How to monitor and log traffic from /to user

Post by ummeegge » August 11th, 2017, 8:37 pm

Hi kamilk,
the German Federal Constitutional Court will decide in the main trial whether the so-called "Vorratsdatenspeicherung" (data retention) is legal under German law, even though it is active until then --> https://netzpolitik.org/2017/bundesverf ... en-urteil/ . My opinion is that an Internet service provider is there to provide the Internet as a service to me and not to analyse my user activity.
<--> If you are not an ISP but want to do that in your company, you should also be informed about the legal specifics in that matter. Here we have a so-called "Arbeitnehmerdatenschutz" (employee data protection), which should prevent permanent logging of user activity --> https://www.datenschutzbeauftragter-inf ... tenschutz/
<--> But if you are a normal user who wants to log and observe his infrastructure, you can find some tools which do not provide NSA capabilities :D but do have some of your requested features, even if the official tools are not for long-term usage...
iptraf-ng --> http://wiki.ipfire.org/en/addons/iptraf-ng/start --> a lot of protocols, filter possibilities, logging, (-) a vast amount of logs after a short period.
iftop --> http://wiki.ipfire.org/en/addons/iftop/start --> which is currently out in Core112 but should come again with Core113, I think; no logging, only a realtime overview.
Unofficial tools are more likely to be found in here, I think:
pmacct --> viewtopic.php?t=14849 . History is possible via databases such as MySQL.
Nfsen, Nfacct --> viewtopic.php?t=19022 . History is also possible via pcap files, no DB needed.
A lightweight solution, and maybe technically also the way ISPs go, is to only collect the data and send it to another machine, e.g.:
softflowd or fprobe --> http://people.ipfire.org/~ummeegge/Netf ... _analyzer/ or a flow-based network traffic analyser which captures the "Netflows" and sends them to a dedicated machine which does nothing other than correlate, analyze and process, but also displays some nice/wanted visuals. For regular users, ELK --> https://logz.io/learn/complete-guide-elk-stack/ --> https://forum.ipfire.org/viewtopic.php? ... 86#p109986 or SPLUNK --> https://www.splunk.com/ or even a SIEM, OSSIM --> https://www.alienvault.com/products/ossim --> https://forum.ipfire.org/viewtopic.php?f=50&t=15597 might be a solution too, so it clearly depends on what you want to do with this data and for what purposes you want to collect it.
nDPI --> viewtopic.php?t=18372 , which is a kind of backend for ntopng, which is currently not available in that thread, but as I have seen, nDPI should provide an ndpiReader, which is currently only for testing purposes but also does stuff like this.

Long story short, I think IPFire lacks a little there with a nice in-between solution.

Greetings,

UE

Hellfire
Posts: 282
Joined: November 8th, 2015, 8:54 am

Re: How to monitor and log traffic from /to user

Post by Hellfire » August 12th, 2017, 11:43 am

Huh! Had nothing to do just now? ;) Are you bored at the moment :P

I was tempted to press the "Report this post" button because I thought: again such a bloody spammer, but fortunately I did read on and discovered a lot of information between the lines ^^

Thanks for the extensive info!

Thanks,
Michael

ummeegge
Community Developer
Posts: 4122
Joined: October 9th, 2010, 10:00 am

Re: How to monitor and log traffic from /to user

Post by ummeegge » August 12th, 2017, 1:53 pm

Hi there,
Hellfire wrote:
August 12th, 2017, 11:43 am
Huh! Had nothing to do just now?
Indeed, and what do I end up doing then? Moving from one screen to the next :-X .
Hellfire wrote:
August 12th, 2017, 11:43 am
Are you bored at the moment :P
The "Community Developer" project work and the community developed topics and their testing results in here leave a lot of time in space :D .
Hellfire wrote:
August 12th, 2017, 11:43 am
I was tempted to press the "Report this post" button because I thought: again such a bloody spammer,
Well done, more eyes see more than less ;) .
Hellfire wrote:
August 12th, 2017, 11:43 am
but fortunately I did read on and discovered a lot of information between the lines ^^

Thanks for the extensive info!
You're welcome.

Greetings,

UE

kamilk
Posts: 2
Joined: August 11th, 2017, 12:25 pm

Re: How to monitor and log traffic from /to user

Post by kamilk » August 16th, 2017, 12:59 pm

OK, thanks for your answers, but maybe I can log these connections when I use iptables rules with state NEW?
I must log every connection in the background.

ummeegge
Community Developer
Posts: 4122
Joined: October 9th, 2010, 10:00 am

Re: How to monitor and log traffic from /to user

Post by ummeegge » August 18th, 2017, 10:26 am

Hi,
IPTables is surely also a possibility besides all the things already mentioned; it depends on what you want to do with that data and therefore what kind of structure you need.

UE
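
The iptables approach discussed in the last two posts (one log line per connection in state NEW), as an added example that is not part of the original thread: a LOG rule plus a parser that turns the kernel log lines into one record per connection. The chain `FORWARD`, the prefix `NEWCONN: `, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Chain, prefix and names are assumptions.

# Log only the first packet of each forwarded connection (state NEW).
# In FORWARD the packet is seen before source NAT, so SRC is still the
# local client's address. Needs root; not called by this script.
install_log_rule() {
    chain="${1:-FORWARD}"
    iptables -I "$chain" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "NEWCONN: " --log-level 6
}

# Read syslog lines on stdin, print: timestamp,src,sport,dst,dport,proto
# Missing fields (e.g. ports for ICMP) are printed as "-".
# Syslog timestamps carry no year; keep the log file date if you need one.
parse_new_conns() {
    awk -v prefix="${1:-NEWCONN: }" '
    index($0, prefix) {
        src = dst = proto = spt = dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            # keep the first occurrence of each key only
            if      (k == "SRC"   && src   == "-") src = v
            else if (k == "DST"   && dst   == "-") dst = v
            else if (k == "PROTO" && proto == "-") proto = v
            else if (k == "SPT"   && spt   == "-") spt = v
            else if (k == "DPT"   && dpt   == "-") dpt = v
        }
        printf "%s %s %s,%s,%s,%s,%s,%s\n", $1, $2, $3, src, spt, dst, dpt, proto
    }'
}

# Constructed sample lines in the kernel LOG target format.
sample_log() {
    cat <<'EOF'
Aug 16 13:05:01 ipfire kernel: NEWCONN: IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54321 DF PROTO=TCP SPT=51514 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Aug 16 13:05:03 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 PROTO=TCP SPT=4444 DPT=23 SYN URGP=0
Aug 16 13:05:07 ipfire kernel: NEWCONN: IN=green0 OUT=red0 SRC=192.168.1.40 DST=198.51.100.53 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=100 PROTO=UDP SPT=40000 DPT=53 LEN=51
Aug 16 13:05:09 ipfire kernel: NEWCONN: IN=green0 OUT=red0 SRC=192.168.1.23 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

sample_log | parse_new_conns
```

Logging only state NEW keeps the volume to one line per connection rather than one per packet, which matters given the log growth mentioned earlier in the thread for iptraf-ng.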
