
SANS ISC: Kiwi Syslog Daemon with Linksys Router - Internet Security | DShield



Your router must be installed and working. Go into the configuration panel ( http://192.168.1.1 ) and click on the "Log" tab.

Linksys Router Configuration screenshot

Check "Enable". Then set the IP address to the address of the computer that will run Kiwi. (192.168.1.255 is the broadcast address: the router will then send its log traffic to every computer on your LAN, which is rarely what you want. Use the specific address of the Kiwi machine, and give that machine a fixed address so the router keeps logging to the right place.)

(If you don't have a "Log" tab, or if you can't get it to work, then you probably need to upgrade your router's firmware. Go to http://www.linksys.com and follow the directions there to upgrade your firmware.)

Then download and install the Kiwi Syslog Daemon (if you haven't already). When you start Kiwi Syslog Daemon you will see

Kiwi Syslog Daemon screenshot

Select File -> Properties.

Kiwi Syslog Daemon screenshot

Double click on the line that has Log to file.

Kiwi Syslog Daemon screenshot

This screen defines where Kiwi will write the log file that CVTWIN processes. Note the contents of the Path and file name of log file field. This is what you enter in CVTWIN's log file field.

The default is C:\Program Files\SyslogD\Logs\SyslogCatchAll.txt

Also make sure that Log file format is Kiwi format ISO yyyy-mm-dd (Tab delimited), so that CVTWIN doesn't get snarled up trying to decipher a different log format.
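Before pointing CVTWIN at the catch-all file, it is worth checking that the file really is in that tab-delimited layout. The script below is an added example, not code from this page, from Kiwi or from CVTWIN. It assumes that "Kiwi format ISO yyyy-mm-dd (Tab delimited)" writes one record per line as date and time, priority, source host and message separated by tabs; the sample records, including the message text, are constructed for the example and are not captured Linksys output.

```python
"""Check that a Kiwi catch-all log is in the tab-delimited format CVTWIN expects.

Added example; not code from the DShield page, Kiwi Syslog Daemon or CVTWIN.
Assumed layout of "Kiwi format ISO yyyy-mm-dd (Tab delimited)", one record per line:
    yyyy-mm-dd hh:mm:ss <TAB> facility.severity <TAB> source host <TAB> message
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Assumed Kiwi ISO tab-delimited layout (see module docstring).
KIWI_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\t"
    r"(?P<priority>\w+\.\w+)\t"
    r"(?P<host>\S+)\t"
    r"(?P<message>.*)$"
)


@dataclass(frozen=True)
class Record:
    date: str
    time: str
    priority: str
    host: str
    message: str


def parse_line(line: str) -> Record | None:
    """Return a Record for a well-formed Kiwi line, or None if it doesn't match."""
    m = KIWI_LINE.match(line.rstrip("\r\n"))
    return Record(**m.groupdict()) if m else None


def check_log(text: str) -> dict:
    """Split a catch-all file into parsed records and lines CVTWIN would choke on.

    Blank lines are ignored. Anything else that is not in the Kiwi ISO
    tab-delimited layout (for example a file written with one of Kiwi's other
    log-format settings) is reported with its line number.
    """
    records: list[Record] = []
    bad: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            bad.append((lineno, line))
        else:
            records.append(rec)
    return {
        "records": records,
        "bad_lines": bad,
        "per_host": Counter(r.host for r in records),
        "ok": not bad,
    }


def check_file(path: str) -> dict:
    """Run check_log over a catch-all file on disk, e.g. Kiwi's default path."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return check_log(fh.read())


# Constructed sample: three records as Kiwi would write them for traps from a
# router at 192.168.1.1, plus one line in BSD syslog layout such as a different
# log-format setting would produce. Message text is illustrative only.
SAMPLE_LOG = (
    "2003-05-14 14:23:01\tLocal7.Info\t192.168.1.1\t"
    "Inbound 203.0.113.5:4321 -> 192.168.1.2:1433\n"
    "2003-05-14 14:23:07\tLocal7.Info\t192.168.1.1\t"
    "Inbound 203.0.113.5:4322 -> 192.168.1.2:445\n"
    "2003-05-14 14:23:09\tLocal7.Info\t192.168.1.1\t"
    "Outbound 192.168.1.2:1035 -> 198.51.100.20:80\n"
    "May 14 14:23:11 192.168.1.1 Inbound 203.0.113.5:4323 -> 192.168.1.2:135\n"
)

if __name__ == "__main__":
    result = check_log(SAMPLE_LOG)
    print(f"{len(result['records'])} records, {len(result['bad_lines'])} bad line(s)")
    for lineno, line in result["bad_lines"]:
        print(f"  line {lineno} is not Kiwi ISO tab-delimited: {line!r}")
    for host, n in result["per_host"].items():
        print(f"  {host}: {n} record(s)")
```

Run it against the real file with `check_file(r"C:\Program Files\SyslogD\Logs\SyslogCatchAll.txt")`; if `bad_lines` is not empty, Kiwi is writing in a different format (or something else is writing into the file) and CVTWIN will not parse it cleanly.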

Click on OK when done. Then click on Log Archiving

Kiwi Syslog Daemon screenshot

This shows whether any archiving is scheduled. Not scheduling archiving is simplest, because otherwise you have to coordinate Kiwi's archiving with running CVTWIN: you don't want Kiwi to archive (move) the log before CVTWIN has had a chance to process it. Read the Kiwi docs on archiving and work it out for your own setup. I just wanted to point out the potential conflict.

Now click SNMP

Kiwi Syslog Daemon screenshot

Make sure that Listen to SNMP Traps is checked. The Linksys router sends its log entries out as SNMP traps (UDP port 162) rather than as syslog messages, so Kiwi has to be listening for traps to capture them. If the traps never show up, check that the Windows firewall on the Kiwi machine allows inbound UDP 162 and that nothing else (such as the Windows SNMP Trap service) is already bound to that port.

Use Linksys Display filter is optional. It filters some noise out of the on-screen version of Kiwi's log, but does not affect the log that is written to disk, and CVTWIN only cares about the log file on disk.

Click on OK. Kiwi should now be configured to save logs in a format that CVTWIN can process.
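A quick way to confirm the trap listener is working, without waiting for the router to log something, is to send Kiwi a trap yourself. The script below is an added example, not something from this page or from Kiwi or Linksys. It hand-encodes an SNMPv1 trap (the RFC 1157 Trap-PDU) so it needs only the Python standard library; the community string, enterprise OID, agent address and message text are placeholders chosen for this test, not values a Linksys router actually sends.

```python
"""Send a single SNMPv1 trap to Kiwi to confirm its SNMP trap listener is up.

Added example; not from the DShield page and not Kiwi's or Linksys's code.
The trap is BER-encoded by hand (RFC 1157 Trap-PDU) so it runs with only the
standard library. Community string, enterprise OID and message text are
placeholders for this test, not values a Linksys router actually sends.
"""
import socket


def ber(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value with a definite length (short form, or long form >= 128)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body


def integer(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (tag 0x43 gives TimeTicks) in minimal two's complement."""
    if value < 0:
        raise ValueError("a trap only needs non-negative integers")
    length = value.bit_length() // 8 + 1  # extra byte keeps the sign bit clear
    return ber(tag, value.to_bytes(length, "big"))


def oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))  # continuation bit set on all but the last byte
    return ber(0x06, bytes(out))


def snmpv1_trap(community: str, enterprise: str, agent_ip: str, message: str,
                generic: int = 6, specific: int = 1, uptime_ticks: int = 0) -> bytes:
    """Build an SNMPv1 enterprise-specific trap carrying one OCTET STRING varbind."""
    # Placeholder varbind OID: <enterprise>.1, value = the message text.
    varbind = ber(0x30, oid(enterprise + ".1") + ber(0x04, message.encode()))
    pdu = ber(0xA4,                                   # [4] IMPLICIT Trap-PDU
              oid(enterprise)
              + ber(0x40, socket.inet_aton(agent_ip))  # IpAddress (application tag 0)
              + integer(generic)                       # 6 = enterpriseSpecific
              + integer(specific)
              + integer(uptime_ticks, tag=0x43)        # TimeTicks
              + ber(0x30, varbind))
    return ber(0x30, integer(0)                        # version 0 = SNMPv1
               + ber(0x04, community.encode())
               + pdu)


def send_trap(dest_ip: str, packet: bytes, port: int = 162) -> int:
    """Fire the trap at Kiwi's SNMP listener; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(packet, (dest_ip, port))


if __name__ == "__main__":
    # Address of the Kiwi machine; 127.0.0.1 when running on that machine itself.
    packet = snmpv1_trap("public", "1.3.6.1.4.1", "192.168.1.1",
                         "test trap: checking Kiwi's SNMP listener")
    sent = send_trap("127.0.0.1", packet)
    print(f"sent {sent} bytes; the trap should appear in Kiwi's display and catch-all log")
```

If the trap shows on Kiwi's display and in SyslogCatchAll.txt, the listener and the file logging both work and only the router's side remains to check. Note what this also demonstrates: an SNMPv1 trap is unauthenticated UDP, so any machine on the LAN can put a line into that log just as easily as the router can, and the log is only as trustworthy as the network Kiwi listens on.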

If I've bollixed up any of these descriptions, then write to info@dshield.org and set me straight.