We'll see here the use of a Syslog Server and Mail Notifications to enhance the security of a network, with a special focus over IPv6.
We'll be using a Dlink DIR-626L and a Cisco Small Business RV110W to see their settings and possibilities in this field.
Using an IPv6 Syslog Server
Using a Syslog Server is an invaluable tool for the security of a network.
The Syslog Server will centrally collect and log datas from the network routers, including system activity, computers joining Lans ( including Wifi ), packets dropped by firewalls, logins to the admin webpage of any of the routers, debugging informations, ...
Unauthorised access to the Lan ( including a neighbor unlawfully using a mistakenly un-protected wifi ) are saved in the Syslog Server Log, so trace-cleaning for intruders is really hardened ( it would need them accessing the Syslog Server Computer ).
Let's see a free, lightweight, Syslog Server software : TFTPD32
TFTPD32 is free, lightweight, IPv6 compatible and portable ( no installation ). Its homepage is here ( http://tftpd32.jounin.net/ ). There is a service version too.
Virustotal lists this software with a 4-6/47 risk. I believe this is because being so leightweight, the binaries have been used by viruses. TFTP32 is often labeled as a 'riskware' or 'PUP' ( Potentially unwanted program ). Anyway, use it with mind.
Here are the basic step of TFTP32D Syslog Server setup :
1. uncheck the unneeded services :
2. enable logging :
3. select the listening interface in the drop-down menu :
This is it!
You can view real-time syslog messages, or you can browse to check the recorded log ( syslog.txt, located in the installation folder ). Please note that the recorded log ( syslog.txt ) is appended with time, as tftpd32 is running, so you can go back in time.
Do notice too that when the software isn't running, the logging is suspended. When the software is restarted, it restarts appending to the syslog.txt file. That's why for a real 24H protection, we need to run this on a 24H machine ( a light server ... or a RaspberryPI running Linux... ? )
DIR-626L Syslog service
Setting up the syslog server on the DIR-626L is pretty straightforward.
( Do tick Debug Information only temporary, for debugging of a particular situation, because it is way too verbose for daily use ). Here is the Syslog Server in action :
This is quite all there is to know about the DIR-626L Syslog Server functionning. Do notice that we have to use an IPv4 address for the Syslog Server, and that IPv6 dropped packets are not logged, so on the IPv6 side we're pretty limited to IPv6 Wifi access / System functionning / Admin login logging. But this is still a valuable security asset.
DIR-626L EMail notifications
The DIR-626L do allow email notifications. A few things to note :
. The 626L uses IPv4 only for email notifications.
. The 626L doesn't support SSL ( so using a WebMail like Gmail or Outlook.com may prove impossible )
. The email notification can be triggered either/both on schedule or log full. No cycling notifications ( daily, hourly, ... ) or triggered notifications ( Syslog warning, ... )
Here is an example setup, using hMail Server ( See this post, for hMail Server tutorial ) :
RV110W Syslog Server
Setting up the RV110W Syslog service is very easy.
We just have to :
. enable logging
. set the Log Severity for Local Log and Email
. add a row in the Remote Log Server Table, with a Log Severity Level
Three things to note :
. The RV110W can only log to an IPv4 Syslog Server
. Only Wifi join is fully logged ( MAC address ), Lan join only logs physical ports connect/disconnect
. Several Rows, thus several Syslog Server with distinct Severity Levels can be set up :
RV110W EMail Notifications
The RV110W do allow Email notifications too.
Here is a basic setup, using hMail Server with SSL ( see this post for a hMail Server tutorial ) :
A few things to note :
. The RV110W uses only IPv4 for EMail notifications
. The RV110W does support SSL
. The RV110W Email Notification can be triggered either/both cycling ( hourly, daily ), scheduled or triggered ( syslog-level triggered )
. There is a very convinient ' Test ' to easily test the mail good delivery
. As for now, I haven't yet managed to trigger an Email notification ( either having Firewall dropping packets, Intensive Zenmap scan over the RV110W Wan Interface or unplugging the its Wan port, no Email was sent ).
Here is a sum up of the RV110W capabilities :
Professionnal Syslog Servers softwares
Pro-grade Syslog Servers softwares offer lots of functionnalities :
. syslog messages filters can trigger email notifications
. log messages can be sorted by source IP, severity, ...
They offer free, personnal licences, with some limitations ( number of source IPs, daily messages volume, ... ).
Here are some interesting one you may want to check :
. Syslog Watcher 4
. Kiwi Syslog Server
A few conclusion notes
First, here is a comparaison chart of the DIR-626L and RV110W capabilities ( although they don't belong to the same audience profile and price-zone ) :
The Syslog Server is an invaluable tool for a network security, and works very well with these two models.
As for email notifications, the options offered by these two entry-level routers ( DIR-626L and RV110W ) don't allow real-time security, they only automate the logs transferts.basic remote logging. The use of a professionnal syslog server is the only way to have real-time email notifications of network events.
As for IPv6 support, we're still at the dawn of ages : no IPv6 dropped packets for the DIR-626L, no logging to an IPv6 Syslog Server for both, no IPv6 email notification for both. There is still a long way to go for full IPv6 Support.