Prev: Fry's cheapie: Airlink AWL5025 $15
Next: funny linksys firmware rev/dates on WRT54G
From: ZaWiR on 25 Feb 2007 19:32
Hello!
I've got problem with logging my AP activity to remote host. I'm
particulary interested in events such as positive clients attachments to
Access Point. My AP is Linksys WAP54G v3 EU, firmware 3.05.

Web interface log window displays entries like: "Wireless PC connected
00:13:02:XX:XX:XX" - this is what I would like to log on remote host.
However, AP is only sending stop/start entries to syslog port: (received
via ng-syslog)
"Feb 25 20:01:31 192.168.1.2 syslogd started: BusyBox v0.60.0
(2005.12.28-06:45+0000)"
"Feb 25 23:05:22 192.168.1.2 System log daemon exiting."
There are no SNMP traps (I've sniffed AP's ethernet interface during PC
attachment that resulted in appropriate entry in log window); SNMP walk
also doesn't show anything interesting :/
Is it even possible to log such events remotely with official firmware?
Or do Linksys prepared SNMP&syslog "implementations" only for providing
such important infos as contact name (from SNMP walk) and syslog start/stop?

Thanks in advance for any info...
--
Marek Zawirski [zawir]
marek.zawirski(a)gmail.com
From: Jeff Liebermann on 25 Feb 2007 21:24
ZaWiR <zawirek(a)interia.pl> hath wroth:

>I've got problem with logging my AP activity to remote host. I'm
>particulary interested in events such as positive clients attachments to
>Access Point. My AP is Linksys WAP54G v3 EU, firmware 3.05.
>
>Web interface log window displays entries like: "Wireless PC connected
>00:13:02:XX:XX:XX" - this is what I would like to log on remote host.
>However, AP is only sending stop/start entries to syslog port: (received
>via ng-syslog)
>"Feb 25 20:01:31 192.168.1.2 syslogd started: BusyBox v0.60.0
>(2005.12.28-06:45+0000)"
>"Feb 25 23:05:22 192.168.1.2 System log daemon exiting."

>There are no SNMP traps (I've sniffed AP's ethernet interface during PC
>attachment that resulted in appropriate entry in log window); SNMP walk
>also doesn't show anything interesting :/

What does sniffing with WireShark or your sniffer show? Do you see
the desired connect events? Can you see anything else related? If
not, there's not much that can be done with the WAP54G unless you want
to hack the firmware.

If you've sniffed the traffic, and it seems to show the "appropriate"
entries, then it's not the WAP54G that needs to be configured. It's
your syslogd monitor, which I guess is really syslog-ng, not
ng-syslog. It's apparently filtering out the desired events. Look
into the file:
syslog-ng.conf
and see if there's anything that might be screwed up in the WAP54G
entries filter statement. This might help if you just started setting
up syslog-ng:
<http://www.campin.net/syslog-ng/faq.html>
<http://www.campin.net/newlogcheck.html#syslog-ng>
<http://www.balabit.com/products/syslog_ng/>

You might also want to try a less complex syslog viewer for initial
troubleshooting. Under Windoze, that's Kiwi:
<http://www.kiwisyslog.com/syslog-info.php>

>Is it even possible to log such events remotely with official firmware?
>Or do Linksys prepared SNMP&syslog "implementations" only for providing
>such important infos as contact name (from SNMP walk) and syslog start/stop?
>
>Thanks in advance for any info...

You're correct that the WAP54G does NOT send SNMP traps. I use Log
Viewer 2.1:
<http://svs.sv.funpic.de/index.php?option=com_content&task=view&id=1&Itemid=63>
for monitoring those routers that support this feature, but the WAP54G
is apparently not among them.

You might also want to try different firmware:
<http://www.hyperwap.org>
<http://www.hyperwap.org/forum/viewtopic.php?id=53>
However, it does not add any additional syslogd or SNMP features so
that won't really help.



--
Jeff Liebermann jeffl(a)comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
From: Marek Zawirski on 26 Feb 2007 15:30
Jeff Liebermann:
> What does sniffing with WireShark or your sniffer show? Do you see
> the desired connect events? Can you see anything else related? If
> not, there's not much that can be done with the WAP54G unless you want
> to hack the firmware.
>
> If you've sniffed the traffic, and it seems to show the "appropriate"
> entries, then it's not the WAP54G that needs to be configured. It's
> your syslogd monitor, which I guess is really syslog-ng, not
> ng-syslog. It's apparently filtering out the desired events. Look
> into the file:
> syslog-ng.conf
> and see if there's anything that might be screwed up in the WAP54G
> entries filter statement. This might help if you just started setting
> up syslog-ng:
> <http://www.campin.net/syslog-ng/faq.html>
> <http://www.campin.net/newlogcheck.html#syslog-ng>
> <http://www.balabit.com/products/syslog_ng/>
>
> You might also want to try a less complex syslog viewer for initial
> troubleshooting. Under Windoze, that's Kiwi:
> <http://www.kiwisyslog.com/syslog-info.php>

Hi,
thanks for an answer.
I've sniffed it with tcpdump and it doesn't show any syslog traffic from
AP after client attachment (that resulted in log entry in web log
viewer), while it shows syslog "start message" during AP boot-up. So I
guess that AP is a problem, not my syslog daemon. Yes, syslog-ng.
Anyway, it is configured without any filter for that source.

>> Is it even possible to log such events remotely with official firmware?
>> Or do Linksys prepared SNMP&syslog "implementations" only for providing
>> such important infos as contact name (from SNMP walk) and syslog start/stop?
>>
>> Thanks in advance for any info...
>
> You're correct that the WAP54G does NOT send SNMP traps. I use Log
> Viewer 2.1:
> <http://svs.sv.funpic.de/index.php?option=com_content&task=view&id=1&Itemid=63>
> for monitoring those routers that support this feature, but the WAP54G
> is apparently not among them.
>
> You might also want to try different firmware:
> <http://www.hyperwap.org>
> <http://www.hyperwap.org/forum/viewtopic.php?id=53>
> However, it does not add any additional syslogd or SNMP features so
> that won't really help.

So I would ask question in another way: does anybody log (remotely) such
events (clients attachments via syslog) from WAP54G successfully?

Regards,
Marek Zawirski
From: Kev on 27 Feb 2007 04:35
ZaWiR wrote:
> Hello!
> I've got problem with logging my AP activity to remote host. I'm
> particulary interested in events such as positive clients attachments to
> Access Point. My AP is Linksys WAP54G v3 EU, firmware 3.05.
>
> Web interface log window displays entries like: "Wireless PC connected
> 00:13:02:XX:XX:XX" - this is what I would like to log on remote host.
> However, AP is only sending stop/start entries to syslog port: (received
> via ng-syslog)
> "Feb 25 20:01:31 192.168.1.2 syslogd started: BusyBox v0.60.0
> (2005.12.28-06:45+0000)"
> "Feb 25 23:05:22 192.168.1.2 System log daemon exiting."

I presume from this that you have enabled logging, Log Tab, and set the
logviewer IP address to 192.168.1.2 .What s/ware have you loaded onto
192.168.1.2 to enable viewing of the logs?
Jeff provided this link to the Linksys one:-
http://svs.sv.funpic.de/index.php?option=com_content&task=view&id=1&Itemid=63
Have you tried it?

Check "The Administation-Log Tab" in the manual.
My cousin had an earlier version of this AP and used to do logging with it.
From: Jeff Liebermann on 27 Feb 2007 13:19
Kev <invalid(a)invalid.invalid> hath wroth:

>ZaWiR wrote:
>> Hello!
>> I've got problem with logging my AP activity to remote host. I'm
>> particulary interested in events such as positive clients attachments to
>> Access Point. My AP is Linksys WAP54G v3 EU, firmware 3.05.
>>
>> Web interface log window displays entries like: "Wireless PC connected
>> 00:13:02:XX:XX:XX" - this is what I would like to log on remote host.
>> However, AP is only sending stop/start entries to syslog port: (received
>> via ng-syslog)
>> "Feb 25 20:01:31 192.168.1.2 syslogd started: BusyBox v0.60.0
>> (2005.12.28-06:45+0000)"
>> "Feb 25 23:05:22 192.168.1.2 System log daemon exiting."

>I presume from this that you have enabled logging, Log Tab, and set the
>logviewer IP address to 192.168.1.2 .What s/ware have you loaded onto
>192.168.1.2 to enable viewing of the logs?

See:
<http://www.linksysdata.com/ui/WAP54G/v3/3.01/Administration-Log.htm>
for the setting.

>Jeff provided this link to the Linksys one:-
>http://svs.sv.funpic.de/index.php?option=com_content&task=view&id=1&Itemid=63
>Have you tried it?

Well, I screwed up again. The above log viewer MIGHT work even though
this Log Viewer does not show the WAP54G as supported. It uses SNMP
traps, which I wrongly thought the WAP54G does NOT support. Apparently
it does.

Linksys also has an awful SNMP trap receiver at:
<ftp://ftp.linksys.com/pub/utility/wap54g_logviewer.zip>
It's really crude, but should be sufficient for testing.

For Linux, just about any SNMP trap receiver will work. There's one
in NET-SNMP.
<http://www.die.net/doc/linux/man/man5/snmptrapd.conf.5.html>

A syslog monitor will only show WPA54G startup events, even though
syslogd is apparently functioning inside the WAP54G. Lame...

>Check "The Administation-Log Tab" in the manual.
>My cousin had an earlier version of this AP and used to do logging with it.

I just checked the configs on:
<http://www.linksysdata.com/ui/>
and all the various WAP54G mutations have the log viewer feature.

--
Jeff Liebermann jeffl(a)comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 |  Next  |  Last
Pages: 1 2
Prev: Fry's cheapie: Airlink AWL5025 $15
Next: funny linksys firmware rev/dates on WRT54G