
SETTING UP AN ELSA (LANCOM-SYSTEMS) OFFICE ROUTER FOR USAGE WITH FWLOGWATCH

(c) 2002/08/07 by Mirko Zeibig <mirko@zeibig.net>
DISCLAIMER: I am not responsible if your machine explodes etc.


I. INTRODUCTION

As I recently acquired a LanCom Office 1000 router produced by the now
"late" ELSA company, I wanted my favorite firewall log tool to work with it
as well. As I am using Linux on my machine, I first had to update the
firmware of the router to get a) the improved functionality of a web
interface for setup and b) the possibility to send log messages to a
remote syslogd. I then took the Windows XP module as a template and adapted it
to the LanCOM output, sent the resulting patch to Boris, he corrected my bad C
and promised to include it in a new release :-).
In this text I assume your router has the IP 192.168.73.254; this may vary of
course :-).


II. REQUIREMENTS

II.a Checking your Firmware version
The easiest way is to use SNMP:
[mirko@romulan mirko]$ snmpget -c public 192.168.73.254 sysDescr
SNMPv2-MIB::sysDescr.0 = STRING: ELSA LANCOM 1000 Office 2.70.0023 ...
will return a string which includes the Firmware version (here it is
2.70.0023).
Otherwise telnet to your router and enter:
ls /Firmware/Version-table
Ifc   Module                 Version                    Serial-number
----------------------------------------------------------------------
Ifc   LANCOM 1000 Office     2.70.0023 / 02.08.2002     0551.003.528

You have to have at least version 2.50.

II.b Getting a new Firmware
The former router division of ELSA is now an independent company called
LANCOM SYSTEMS (http://www.lancom-systems.de), which offers paid support
for devices produced by ELSA.
The good news: they develop firmware for their routers which is compatible
with that for ELSA devices, and they offer it for free.
I would suggest you use at least firmware version 2.50.

Go to ftp://ftp.lancom.de/Lancom/LANCOM_ISDN_Office/LC_1000/FIRMWARE/ and
download version 2.50 of the firmware (I use the beta version 2.70.xxx
without any problems right now).

For usage with the webinterface you may download the documentation at
ftp://ftp.lancom.de/Lancom/HTMLDOC/ as well.

II.c Installing a new Firmware
Unzip the firmware zip file. It contains the firmware image and a liesmich.txt
(German README).
An easy way to install it is tftp:
[mirko@romulan tmp]$ tftp 192.168.73.254
tftp> verbose
Verbose mode on.
tftp> bin
mode set to octet
tftp> put LC_1000u.270 writeflash

Hint: if you have set a password on your router you may invoke the
put command like this
tftp> put LC_1000u.270 PASSWORDwriteflash

II.d Checking the new Firmware
Reboot your router, then check the firmware version via SNMP or telnet. Now
you should be able to reach your router via a web browser as well. Point your
browser to http://192.168.73.254/ and you should see the configuration
screen. The language depends a bit on the settings of your browser; the menus
are available in German and English.


III. SETTING UP THE SYSLOG-MODULE

III.a Prepare your logging host
Edit your /etc/syslog.conf and add something like:
local5.*                                        -/var/log/router
Then restart your syslogd (e.g. /etc/init.d/syslog restart).
Make sure your syslog daemon is configured to accept messages from other
hosts (option -r; on Red Hat Linux you may set it in /etc/sysconfig/syslog). I
use:
SYSLOGD_OPTIONS="-r -m 0 -s picard.inka.de:zeibig.net"
Look up the man page of syslog.conf for the actual meaning of the options or
if you do not use

III.b On the Router
All browser settings are beneath Expert-configuration. In parentheses you will
find the corresponding telnet path.
- Point your browser to http://192.168.73.254/config/2/22/
  (/Setup/SYSLOG-module)
- Set Operating to on (/Setup/SYSLOG-module/Operating).
- In http://192.168.73.254/config/2/22/3/
  (/Setup/SYSLOG-module/Facility-mapper)
  map all Sources to local5 or whatever channel you reserved in III.a
- In http://192.168.51.254/config/2/22/2/
  (/Setup/SYSLOG-module/Table-SYSLOG)
  add an entry e.g. PAKA with the IP-address of your logging host, as source
  enter 80 (for PACKET-messages) and as level at least 01. Have a look at the
  tables below for the bits which may be set:

Source         Bit    Value
SYSTEM         0     0x01
CONN-LOGIN     1     0x02
CRON           2     0x04
ADMIN LOGIN    3     0x08
CONNECTION     4     0x10
ACCOUNTING     5     0x20
ADMIN          6     0x40
PACKET         7     0x80

Level    Bit    Value
ALERT     0     0x01
ERROR     1     0x02
WARNING   2     0x04
INFO      3     0x08
DEBUG     4     0x10

That's it.


IV. USING FWLOGWATCH
Change your fwlogwatch.conf to include 'l' as parser option and to use
/var/log/router as input file. The parser will look for entries like:
Aug  7 14:21:31 router PACKET_ALERT: Dst: 192.168.51.254:37 {router}, Src: 192.168.51.8:37631 {romulan} (TCP): connection refused

If you are sure no other program will utter such messages you may direct
the logs to /var/log/messages as well of course :-).
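As an added example (not fwlogwatch's own C parser, and not part of the original text), the following Python script parses the PACKET_ALERT line shown above into its fields, computes the source/level hex values for the router's Table-SYSLOG entry from the bit tables in section III.b, and checks whether a parsed record would have been emitted by such an entry. The sample line is constructed from the one above; the assumption that other sources appear in the tag with the same spelling as in the table (e.g. CONN-LOGIN) is mine.

```python
import re

# Bit tables from section III.b (router Table-SYSLOG source/level fields).
SOURCE_BITS = {"SYSTEM": 0x01, "CONN-LOGIN": 0x02, "CRON": 0x04, "ADMIN LOGIN": 0x08,
               "CONNECTION": 0x10, "ACCOUNTING": 0x20, "ADMIN": 0x40, "PACKET": 0x80}
LEVEL_BITS = {"ALERT": 0x01, "ERROR": 0x02, "WARNING": 0x04, "INFO": 0x08, "DEBUG": 0x10}


def mask(table, names):
    """OR the bits of the named sources/levels; returns the two-digit hex value
    to enter in the router entry (e.g. ["PACKET"] -> "80", ["ALERT"] -> "01")."""
    value = 0
    for name in names:
        value |= table[name.upper()]
    return f"{value:02X}"


# Syslog line as written by the router with the 'l' parser format:
# "<timestamp> <host> <SOURCE>_<LEVEL>: Dst: ip:port {name}, Src: ip:port {name} (PROTO): reason"
# Assumption: source names in the tag use the table spelling (hyphen allowed).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<source>[A-Z-]+)_(?P<level>[A-Z]+): "
    r"Dst: (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) \{(?P<dst_name>[^}]*)\}, "
    r"Src: (?P<src_ip>[\d.]+):(?P<src_port>\d+) \{(?P<src_name>[^}]*)\} "
    r"\((?P<proto>\w+)\): (?P<reason>.*)$")


def parse_line(line):
    """Return a dict of the fields, or None if the line is not a router packet message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dst_port"] = int(rec["dst_port"])
    rec["src_port"] = int(rec["src_port"])
    return rec


def matches_entry(rec, source_hex, level_hex):
    """True if a Table-SYSLOG entry with these source/level masks would forward this record."""
    src_ok = SOURCE_BITS.get(rec["source"], 0) & int(source_hex, 16)
    lvl_ok = LEVEL_BITS.get(rec["level"], 0) & int(level_hex, 16)
    return bool(src_ok) and bool(lvl_ok)


# Constructed sample, copied from the line shown in section IV.
SAMPLE = ("Aug  7 14:21:31 router PACKET_ALERT: Dst: 192.168.51.254:37 {router}, "
          "Src: 192.168.51.8:37631 {romulan} (TCP): connection refused")

if __name__ == "__main__":
    print(parse_line(SAMPLE))
    print(mask(SOURCE_BITS, ["PACKET"]), mask(LEVEL_BITS, ["ALERT"]))
```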
