WAP54G remote log

Hello!
I've got problem with logging my AP activity to remote host. I'm
particulary interested in events such as positive clients attachments to
Access Point. My AP is Linksys WAP54G v3 EU, firmware 3.05.

Web interface log window displays entries like: "Wireless PC connected
00:13:02:XX:XX:XX" - this is what I would like to log on remote host.
However, AP is only sending stop/start entries to syslog port: (received
via ng-syslog)
"Feb 25 20:01:31 192.168.1.2 syslogd started: BusyBox v0.60.0
(2005.12.28-06:45+0000)"
"Feb 25 23:05:22 192.168.1.2 System log daemon exiting."
There are no SNMP traps (I've sniffed AP's ethernet interface during PC
attachment that resulted in appropriate entry in log window); SNMP walk
also doesn't show anything interesting :/
Is it even possible to log such events remotely with official firmware?
Or do Linksys prepared SNMP&syslog "implementations" only for providing
such important infos as contact name (from SNMP walk) and syslog start/stop?

Thanks in advance for any info...
--
Marek Zawirski [zawir]
marek.zawirski@gmail.com

ZaWiR <zawirek@interia.pl> hath wroth:

>I've got problem with logging my AP activity to remote host. I'm
>particulary interested in events such as positive clients attachments to
>Access Point. My AP is Linksys WAP54G v3 EU, firmware 3.05.
>
>Web interface log window displays entries like: "Wireless PC connected
>00:13:02:XX:XX:XX" - this is what I would like to log on remote host.
>However, AP is only sending stop/start entries to syslog port: (received
>via ng-syslog)
>"Feb 25 20:01:31 192.168.1.2 syslogd started: BusyBox v0.60.0
>(2005.12.28-06:45+0000)"
>"Feb 25 23:05:22 192.168.1.2 System log daemon exiting."

>There are no SNMP traps (I've sniffed AP's ethernet interface during PC
>attachment that resulted in appropriate entry in log window); SNMP walk
>also doesn't show anything interesting :/

What does sniffing with WireShark or your sniffer show? Do you see
the desired connect events? Can you see anything else related? If
not, there's not much that can be done with the WAP54G unless you want
to hack the firmware.

If you've sniffed the traffic, and it seems to show the "appropriate"
entries, then it's not the WAP54G that needs to be configured. It's
your syslogd monitor, which I guess is really syslog-ng, not
ng-syslog. It's apparently filtering out the desired events. Look
into the file:
syslog-ng.conf
and see if there's anything that might be screwed up in the WAP54G
entries filter statement. This might help if you just started setting
up syslog-ng:
<http://www.campin.net/syslog-ng/faq.html>
<http://www.campin.net/newlogcheck.html#syslog-ng>
<http://www.balabit.com/products/syslog_ng/>

You might also want to try a less complex syslog viewer for initial
troubleshooting. Under Windoze, that's Kiwi:
<http://www.kiwisyslog.com/syslog-info.php>

>Is it even possible to log such events remotely with official firmware?
>Or do Linksys prepared SNMP&syslog "implementations" only for providing
>such important infos as contact name (from SNMP walk) and syslog start/stop?
>
>Thanks in advance for any info...

You're correct that the WAP54G does NOT send SNMP traps. I use Log
Viewer 2.1:
<http://svs.sv.funpic.de/index.php?option=com_content&task=view&id=1&Itemid =63>
for monitoring those routers that support this feature, but the WAP54G
is apparently not among them.

You might also want to try different firmware:
<http://www.hyperwap.org>
<http://www.hyperwap.org/forum/viewtopic.php?id=53>
However, it does not add any additional syslogd or SNMP features so
that won't really help.



--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jeff Liebermann:
> What does sniffing with WireShark or your sniffer show? Do you see
> the desired connect events? Can you see anything else related? If
> not, there's not much that can be done with the WAP54G unless you want
> to hack the firmware.
>
> If you've sniffed the traffic, and it seems to show the "appropriate"
> entries, then it's not the WAP54G that needs to be configured. It's
> your syslogd monitor, which I guess is really syslog-ng, not
> ng-syslog. It's apparently filtering out the desired events. Look
> into the file:
> syslog-ng.conf
> and see if there's anything that might be screwed up in the WAP54G
> entries filter statement. This might help if you just started setting
> up syslog-ng:
> <http://www.campin.net/syslog-ng/faq.html>
> <http://www.campin.net/newlogcheck.html#syslog-ng>
> <http://www.balabit.com/products/syslog_ng/>
>
> You might also want to try a less complex syslog viewer for initial
> troubleshooting. Under Windoze, that's Kiwi:
> <http://www.kiwisyslog.com/syslog-info.php>

Hi,
thanks for an answer.
I've sniffed it with tcpdump and it doesn't show any syslog traffic from
AP after client attachment (that resulted in log entry in web log
viewer), while it shows syslog "start message" during AP boot-up. So I
guess that AP is a problem, not my syslog daemon. Yes, syslog-ng.
Anyway, it is configured without any filter for that source.

>> Is it even possible to log such events remotely with official firmware?
>> Or do Linksys prepared SNMP&syslog "implementations" only for providing
>> such important infos as contact name (from SNMP walk) and syslog start/stop?
>>
>> Thanks in advance for any info...
>
> You're correct that the WAP54G does NOT send SNMP traps. I use Log
> Viewer 2.1:
> <http://svs.sv.funpic.de/index.php?option=com_content&task=view&id=1&Itemid =63>
> for monitoring those routers that support this feature, but the WAP54G
> is apparently not among them.
>
> You might also want to try different firmware:
> <http://www.hyperwap.org>
> <http://www.hyperwap.org/forum/viewtopic.php?id=53>
> However, it does not add any additional syslogd or SNMP features so
> that won't really help.

So I would ask question in another way: does anybody log (remotely) such
events (clients attachments via syslog) from WAP54G successfully?

Regards,
Marek Zawirski

ZaWiR wrote:
> Hello!
> I've got problem with logging my AP activity to remote host. I'm
> particulary interested in events such as positive clients attachments to
> Access Point. My AP is Linksys WAP54G v3 EU, firmware 3.05.
>
> Web interface log window displays entries like: "Wireless PC connected
> 00:13:02:XX:XX:XX" - this is what I would like to log on remote host.
> However, AP is only sending stop/start entries to syslog port: (received
> via ng-syslog)
> "Feb 25 20:01:31 192.168.1.2 syslogd started: BusyBox v0.60.0
> (2005.12.28-06:45+0000)"
> "Feb 25 23:05:22 192.168.1.2 System log daemon exiting."

I presume from this that you have enabled logging, Log Tab, and set the
logviewer IP address to 192.168.1.2 .What s/ware have you loaded onto
192.168.1.2 to enable viewing of the logs?
Jeff provided this link to the Linksys one:-
http://svs.sv.funpic.de/index.php?op...id=1&Itemid=63
Have you tried it?

Check "The Administation-Log Tab" in the manual.
My cousin had an earlier version of this AP and used to do logging with it.

Kev <invalid@invalid.invalid> hath wroth:

>ZaWiR wrote:
>> Hello!
>> I've got problem with logging my AP activity to remote host. I'm
>> particulary interested in events such as positive clients attachments to
>> Access Point. My AP is Linksys WAP54G v3 EU, firmware 3.05.
>>
>> Web interface log window displays entries like: "Wireless PC connected
>> 00:13:02:XX:XX:XX" - this is what I would like to log on remote host.
>> However, AP is only sending stop/start entries to syslog port: (received
>> via ng-syslog)
>> "Feb 25 20:01:31 192.168.1.2 syslogd started: BusyBox v0.60.0
>> (2005.12.28-06:45+0000)"
>> "Feb 25 23:05:22 192.168.1.2 System log daemon exiting."

>I presume from this that you have enabled logging, Log Tab, and set the
>logviewer IP address to 192.168.1.2 .What s/ware have you loaded onto
>192.168.1.2 to enable viewing of the logs?

See:
<http://www.linksysdata.com/ui/WAP54G/v3/3.01/Administration-Log.htm>
for the setting.

>Jeff provided this link to the Linksys one:-
>http://svs.sv.funpic.de/index.php?op...id=1&Itemid=63
>Have you tried it?

Well, I screwed up again. The above log viewer MIGHT work even though
this Log Viewer does not show the WAP54G as supported. It uses SNMP
traps, which I wrongly thought the WAP54G does NOT support. Apparently
it does.

Linksys also has an awful SNMP trap receiver at:
<ftp://ftp.linksys.com/pub/utility/wap54g_logviewer.zip>
It's really crude, but should be sufficient for testing.

For Linux, just about any SNMP trap receiver will work. There's one
in NET-SNMP.
<http://www.die.net/doc/linux/man/man5/snmptrapd.conf.5.html>

A syslog monitor will only show WPA54G startup events, even though
syslogd is apparently functioning inside the WAP54G. Lame...

>Check "The Administation-Log Tab" in the manual.
>My cousin had an earlier version of this AP and used to do logging with it.

I just checked the configs on:
<http://www.linksysdata.com/ui/>
and all the various WAP54G mutations have the log viewer feature.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jeff Liebermann wrote:

> Linksys also has an awful SNMP trap receiver at:
> <ftp://ftp.linksys.com/pub/utility/wap54g_logviewer.zip>
> It's really crude, but should be sufficient for testing.
>
I think that is very similar to the one my cousin used, actually it was
probably even more basic as I don't remember the "Buttons".

On Tue, 27 Feb 2007 20:09:13 +0000, Kev <invalid@invalid.invalid>
wrote:

>Jeff Liebermann wrote:
>
>> Linksys also has an awful SNMP trap receiver at:
>> <ftp://ftp.linksys.com/pub/utility/wap54g_logviewer.zip>
>> It's really crude, but should be sufficient for testing.

>I think that is very similar to the one my cousin used, actually it was
>probably even more basic as I don't remember the "Buttons".

Buttons? Egad's... it is a new version even though it's labeled v1.0.
Looks somewhat less disgusting than the previous version.

I tried sending it some traps with NET-SNMP but couldn't get anything
to appear in the logs. I was able to see URL's (in SNMP traps) sent
by a BEFW11S4v4 router, which should be similar to the WAP54G.

I can also see URL's using SNMPUTIL as in:
snmputil trap
However, one needs to first configure SNMP on the machine that's
running the SNMPUTIL program. Once installed, you can also run:
evntwin
evntcmd
to send traps from the events log. See:
<http://www.securityfocus.com/infocus/1301>
Unfortunately, like almost all diagnostics from Microsoft, this one is
also slightly broken:
<http://support.microsoft.com/kb/q284255/>




--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

Jeff Liebermann wrote:
> On Tue, 27 Feb 2007 20:09:13 +0000, Kev <invalid@invalid.invalid>
> wrote:
>
>> Jeff Liebermann wrote:
>>
>>> Linksys also has an awful SNMP trap receiver at:
>>> <ftp://ftp.linksys.com/pub/utility/wap54g_logviewer.zip>
>>> It's really crude, but should be sufficient for testing.
>
>> I think that is very similar to the one my cousin used, actually it was
>> probably even more basic as I don't remember the "Buttons".
>
> Buttons?
I don't remember a toolbar with it's associated icons.

> Egad's... it is a new version even though it's labeled v1.0.
> Looks somewhat less disgusting than the previous version.
>
> I tried sending it some traps with NET-SNMP but couldn't get anything
> to appear in the logs. I was able to see URL's (in SNMP traps) sent
> by a BEFW11S4v4 router, which should be similar to the WAP54G.

What s/ware version?
http://www.dslreports.com/faq/2333

> Kev <invalid@invalid.invalid> hath wroth:
>
>> ZaWiR wrote:
>>> Hello!
>>> I've got problem with logging my AP activity to remote host. I'm
>>> particulary interested in events such as positive clients attachments to
>>> Access Point. My AP is Linksys WAP54G v3 EU, firmware 3.05.
>>>
>>> Web interface log window displays entries like: "Wireless PC connected
>>> 00:13:02:XX:XX:XX" - this is what I would like to log on remote host.
>>> However, AP is only sending stop/start entries to syslog port: (received
>>> via ng-syslog)
>>> "Feb 25 20:01:31 192.168.1.2 syslogd started: BusyBox v0.60.0
>>> (2005.12.28-06:45+0000)"
>>> "Feb 25 23:05:22 192.168.1.2 System log daemon exiting."
>
>> I presume from this that you have enabled logging, Log Tab, and set the
>> logviewer IP address to 192.168.1.2 .What s/ware have you loaded onto
>> 192.168.1.2 to enable viewing of the logs?
>
> See:
> <http://www.linksysdata.com/ui/WAP54G/v3/3.01/Administration-Log.htm>
> for the setting.
>
>> Jeff provided this link to the Linksys one:-
>> http://svs.sv.funpic.de/index.php?op...id=1&Itemid=63
>> Have you tried it?
>
> Well, I screwed up again. The above log viewer MIGHT work even though
> this Log Viewer does not show the WAP54G as supported. It uses SNMP
> traps, which I wrongly thought the WAP54G does NOT support. Apparently
> it does.
>
> Linksys also has an awful SNMP trap receiver at:
> <ftp://ftp.linksys.com/pub/utility/wap54g_logviewer.zip>
> It's really crude, but should be sufficient for testing.
>
> For Linux, just about any SNMP trap receiver will work. There's one
> in NET-SNMP.
> <http://www.die.net/doc/linux/man/man5/snmptrapd.conf.5.html>
>
> A syslog monitor will only show WPA54G startup events, even though
> syslogd is apparently functioning inside the WAP54G. Lame...
>
>> Check "The Administation-Log Tab" in the manual.
>> My cousin had an earlier version of this AP and used to do logging with it.
>
> I just checked the configs on:
> <http://www.linksysdata.com/ui/>
> and all the various WAP54G mutations have the log viewer feature.

Well... what are you talking about?;) I've claimed that what I want to
achieve is REMOTE logging. I've sniffed eth interface again, and there
is NO syslog/snmp traffic (for sure) during clients connection. So this
must be AP-only problem, not my logging software. I don't want to use
web-based log viewer on AP (at least, I can download this page regularly
by script). And there is no possibility and need for testing
"log-viewers" for Windows as there is no useful mgmt traffic from AP.
Answering directly: 192.168.1.1 is my server, not 192.168.1.2 (AP), and
there is no "viewer" software on this machine, there is only "logging"
software.
Page about enabling logging - which was provided by you - concerns
Linksys router, not AP.

Is there any WAP54G firmware version which is known (tested) to provide
working snmp or syslog implementation=that sends useful information?
Have you seen snmp traps or useful syslog entries on your eyes?:) Not my
eyes yet...

Best Regards,
Marek Zawirski / zawir