ZyXEL Prestige / Netgear setup for Link Logger
The sample shown here logs all inbound and outbound TCP connections and all other traffic regardless of protocol, but bypasses UDP port 53 traffic (normal DNS traffic, which tends to fill the logs).
Note: the screen shots are from a ZyWALL 10; your screens might differ slightly.
If your filter setup is more complex and includes dropping traffic, Link Logger will show those items as being dropped. Another excellent source for filter setup would be the article posted on DSLReports by SYNACK, or one from NetGear.
1. Download and install the Prestige/Netgear version of Link Logger
2. Enable Syslog in the Router

Set 'Active' to Yes, set the Syslog IP address to the LAN IP of the PC running Link Logger and set 'Filter log' to Yes. Everything else is optional. If your logging system changes its IP address often, you might consider entering 192.168.1.255 as the Syslog IP address; the router will then broadcast the log information to every system on your network (behind the router). This means it doesn't matter what the IP address of your logging system is, it will still receive the logging information from your router. Using a static IP address for the system running Link Logger would be another possible suggestion.
NOTE: the default LAN IP address range is 192.168.1.xxx for ZyXEL and 192.168.0.xxx for Netgear.
3. Configure the Logging Filters

Next you need to set up some filters to log. Note that these filters are directional in nature.
WAN_to_LAN (Inbound)

Rule 1 catches all the TCP connection requests.
Rule 2 forwards all the data with a LAN destination address.
Rule 3 logs all the remaining data, except UDP with SP=53 (source port 53).
LAN_to_WAN (Outbound)

Rule 1 catches all the TCP connection requests.
Rule 2 forwards all the other TCP data.
Rule 3 logs all the remaining data, except UDP with SP=53 (source port 53).

Next you must set the direction the filters operate in. To do this, set 'Edit Filter Sets' to Yes and press Enter.

This is where you configure the direction of traffic each filter set applies to. In our sample, filter set 11 is inbound and 12 is outbound traffic. After Menu 11.5 is changed you are returned to Menu 11.1.
IMPORTANT: YOU MUST ALSO PRESS <ENTER> ON MENU 11.1 OR CHANGES TO 11.5 DO NOT HAPPEN!
**NOTE**
If you're running an older version of the firmware you might have a rule 3 or 5 configured by default to protect your system against WAN use of ports 23, 21, 80 or 161. Please ensure that if you have one of these filters it appears before the logging filters. You might want to modify these filters to set 'Log = Action Matched' and configure Link Logger so that these filters are inbound (see the next step), so that attempted traffic to these ports is shown in Link Logger.
You will also need to change the last filter rule in these default filters from 'Action Not Matched = Forward' to 'Action Not Matched = Next' so that your logging rules are run.
***NOTE***
If you have updated your firmware, check that you have also updated the ROM if required (look for a *.rom file included with the firmware update).
4. Next, configure Link Logger

To find this screen select 'Edit' from the main menu, then select the 'Setup...' option and click on the 'Router' tab. The Router Address is the internal LAN IP address of your router (192.168.1.1 by default for ZyXEL, 192.168.0.1 for Netgear).

In Link Logger you need to tell it which direction each filter set is going. So in our example 11 is 'In' and 12 is 'Out'.
6. Link Logger should start logging your traffic.
FAQ for Install Issues
- If you get an error when starting Link Logger, please make sure that you don't have other logging software running when you start Link Logger, as only one application can process Syslog messages at a time on a system.
- If Link Logger doesn't work and you're running ZoneAlarm or any similar product, please ensure that it is allowing communication between Link Logger and your router. Link Logger does attempt to ping your router on startup, and your router sends its logging information to Link Logger via Syslog messages (UDP port 514). If the ping is blocked, Link Logger displays a message stating that it couldn't communicate with the router. If the Syslog messages are blocked, Link Logger doesn't log anything, as it doesn't receive any logging information.
- Link Logger does have an uninstall program for easy removal. You can remove Link Logger using 'Remove Programs' in the Windows Control Panel.
If Link Logger is still not working, email Link Logger Support.