RVS4000 - Syslog with MAC address

Jun 22nd, 2010

Hello,

I have a LAN with many PCs. I want to log all Internet access, so I have installed a syslog server. My router is a Cisco RVS4000, which has syslog possibilities.

Some PCs have fixed IP addresses but others are on DHCP.

I activated logging on the RVS4000 and I collect all information (levels 0 to 7) concerning the outgoing traffic, but I have only the source IP address in the log.

My problem is that if a user changes his IP address, I can't make the relation between the PCs on the LAN and the information in the log.

My idea is to collect the MAC address in the log to establish this link between log and computer. How can I collect the MAC address in the log?

Sincerely
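The attribution problem described above, as an added example that is not part of the original post: when the router logs only a source IP, each log line can be tied to a MAC address by joining it against DHCP lease history on time. The lease and syslog line formats and all addresses below are constructed for illustration and are not RVS4000 output; the example assumes a DHCP server whose lease events are kept with timestamps.

```python
import re
from datetime import datetime

# Constructed sample data (not real RVS4000 output): DHCP lease events and
# router syslog lines that carry only a source IP.
LEASES = """\
2010-06-22T08:00:00 ASSIGN 192.168.1.100 00:11:22:33:44:55
2010-06-22T12:00:00 RELEASE 192.168.1.100 00:11:22:33:44:55
2010-06-22T12:30:00 ASSIGN 192.168.1.100 66:77:88:99:aa:bb
"""
SYSLOG = """\
2010-06-22T09:15:00 OUT SRC=192.168.1.100 DST=203.0.113.10 DPT=80
2010-06-22T12:10:00 OUT SRC=192.168.1.100 DST=203.0.113.10 DPT=80
2010-06-22T13:05:00 OUT SRC=192.168.1.100 DST=198.51.100.7 DPT=443
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def build_intervals(lease_text):
    """Return {ip: [(start, end_or_None, mac), ...]} in time order."""
    intervals = {}
    for line in lease_text.splitlines():
        ts, event, ip, mac = line.split()
        spans = intervals.setdefault(ip, [])
        # Any new event for an IP closes the lease that was still open on it.
        if spans and spans[-1][1] is None:
            spans[-1] = (spans[-1][0], parse_ts(ts), spans[-1][2])
        if event == "ASSIGN":
            spans.append((parse_ts(ts), None, mac))
    return intervals

def mac_at(intervals, ip, when):
    """MAC holding `ip` at `when`, or None if no lease covered that moment."""
    for start, end, mac in intervals.get(ip, []):
        if start <= when and (end is None or when < end):
            return mac
    return None

def attribute(syslog_text, intervals):
    """Pair each log line's (timestamp, source IP) with the lease holder."""
    out = []
    for line in syslog_text.splitlines():
        m = re.match(r"(\S+) .*\bSRC=(\S+)", line)
        if m:
            when = parse_ts(m.group(1))
            out.append((m.group(1), m.group(2), mac_at(intervals, m.group(2), when)))
    return out

if __name__ == "__main__":
    for row in attribute(SYSLOG, build_intervals(LEASES)):
        print(row)
```

A `None` result marks traffic from an address that no lease covered at that moment, such as a statically configured PC, which needs its own IP-to-MAC inventory.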

Julien Paleni Tue, 06/22/2010 - 07:14

Regarding my project, your configuration is not so easy to deploy and more expensive.

My project is the installation of a wifi bridge between a building with a DSL connection and an isolated building. The aim is to connect the isolated building, which is not eligible for a classic DSL connection, to the Internet. In this building, I have 3 companies which have 2 PCs each.

My idea is to share the wifi bridge between the 3 companies and to have only one Internet access in the first building in order to decrease the installation costs. If I don't want problems with the law, justice... I must log all the connections, so I need a syslog server with MAC addresses...

Maybe the RVS4000 is not the router that I need, but which model allows logging of MAC addresses?

I only turned on all levels of the log once on my RVS-4000 and then turned it off as soon as I could... The sheer amount of data was too much for my little brain to deal with.

And I had no automated way to process this amount of log data from one RVS-4000. Yes, I too could have sent it to a Log Server. However, a Log Server only works if you know what it is you are looking for. And the search string has to reflect that knowledge as well.

Turning on all of the Log functions also seemed to slow the router way down as well.

This was also on a little network with only 4 machines... 2 pc and one iMac on the same base subnet. And one more pc on a wireless subnet using another wireless router/AP.

As far as Windows 2008 you can use any flavor of Linux/Unix you prefer instead of Windows Server for cost savings...

Bruce

How about two Wireless Bridges and a Router for VLANs on each to each company? Just so they don't access or see each other's data.

Or one Wireless AP with one Wireless bridge and a Router with VLANs.

Gateway connected to DSL on WAN Port

LAN Address: xx.xx.1.1

Port 1 VLAN 0

Port 2 VLAN 0

Port 3 VLAN 0

Port 4 VLAN 1 to Wireless Bridge #1 Static IP Address xx.xx.1.254 VLAN for isolation of other companies. SID Building2

Wireless Bridge # 2

LAN Port 1 cable to Router # 2 Address xx.xx.1.254

SID Building2

Router # 2

WAN Port: Static port 4 on Router # 1 Static IP Address xx.xx.1.254

LAN Address: xx.xx.2.1

Port 1  VLAN 0 Company # 1. Each Company on own VLAN for isolation & each port to own switch for their PCs.

Port 2  VLAN 1

Port 3  VLAN 2

Port 4 Empty

Each Wireless bridge can be anywhere from $ 50 each x 2 = $ 100.

Switches can be as low as $ 40 each x 3 = $ 120.    10/100/1000

Router $ 100.

Project cost $ 320 or so.

I have no idea where you want your log server...

You can send an email to ask me where to send my check... LOLL Just Kidding...

Bruce

Julien Paleni Thu, 06/24/2010 - 01:49

I have thought about VLANs for blocking access to data, but this is not my first problem.

In fact, the wireless bridge will be 5 kilometers long because the isolated building is on a mountain.

I'm in France, and in France the authorities consider that the party responsible on the Internet is the owner of the DSL connection.

For example, if someone posts a racist message... on the Internet, the authorities ask the Internet provider for the IP which posted the message, then they consider that the responsible party is the person who subscribed to the DSL access. Afterwards this person can prove their innocence by providing some information which makes it possible to identify the source PC of the message, and so the responsible party becomes the owner of the PC.

In my case, we want to share an Internet access, so if a problem happens, the responsible party will be the owner of the Internet access. So I want a log server in order to determine which PC is responsible.

The RVS4000 isn't convenient because the IP address alone doesn't allow the responsible PC to be identified with precision.

I will study a solution with a Linux server which maybe can log more information; maybe a proxy could be the solution.

Julien Paleni Wed, 06/23/2010 - 06:48

I can't subscribe to a Microsoft map because the project is not for me but for one of my customers (I'm a service provider in computer technology and networks).

The problem is to find a router which allows logging with MAC addresses, so I have to contact my Cisco sales manager to get more information.

No, I was only explaining what I did for myself.  Not for any customers...

You are right that software would have to stay in house.

However, I did say earlier you could use Linux/Unix for a log server and that would be free.

Since, I'm not adding anything to this conversation. I should back out and see if anyone else has any suggestions.

Sorry, I could not help more.

Bruce

How about using one of those many PCs and installing Windows Server and then installing the DNS service? If you allow non-secure changes the DNS names will always be correct for the new IP Address.

This is what I do.

Besides which the server can be used for many other things as well... Including as a Log Server. LOLL

Bruce

danilo.jorge Thu, 06/24/2010 - 17:26

Is the isolated building your client? Why not take another DSL line paid for by your client, install it at your address, and then just make the wireless connection to the building?

Julien Paleni Fri, 06/25/2010 - 04:40

It's not so easy because in the isolated building there are my client and two other companies. The installation of the wifi bridge has a cost, so my client proposes to share this bridge and his Internet access in order to decrease the cost.

I have found a solution with my Cisco sales agent: if I replace the RVS4000 with an SA500, I can have VLAN information in the log files, so if I give each company a VLAN, I can identify each Internet access with a VLAN and so I can determine the company.
