How to enable / access USG 110 detailed logs

Milos
Milos Posts: 20  Freshman Member
edited April 2021 in Security
We're using a USG 110 as main router and firewall. On the Traffic Statistics page, I can see one external IP address with a Tx of 65 GB. We would like to investigate more what kind of file transfer was done with this address. Where can we access those logs?

In the Log menu, we can only see 1024 log lines, and they are all from today.

Looking forward to hearing from you. Thank you!

Comments

  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee

    @Milos

    Exactly, the log page only keeps 1024. For this issue, we can monitor the session on "Monitor > System > Session Monitor". We can see the connection IP and service port.

    If you would like to know the traffic content, we can investigate more information by packet capture. Go to "Maintenance > Diagnostics > Packets capture", set the filter to capture packets for analysis.

    e.g. host ip = external IP address with a Tx of 65 GB.

  • Milos
    Milos Posts: 20  Freshman Member
    Thank you Zyxel_Cooldia, appreciate!

    Just one question about the packet capture: it only captures the packets once launched. For example, if this Rx was one time, I cannot analyze the backlogs?
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,426  Zyxel Employee

    @Milos

    It can only analyze current traffic by packet capture. We are unable to know the past traffic.

  • Milos
    Milos Posts: 20  Freshman Member
    Roger that, thank you!
  • Ian31
    Ian31 Posts: 165  Master Member
    You can send the traffic log to an external syslog server for tracking.

    The log information is like this:
    src="192.168.111.37:52136" dst="178.32.169.230:80" msg="Traffic Log" note="Traffic Log" user="unknown" devID="cc5d4e5159cf" cat="Traffic Log" duration=5 sent=398 rcvd=1042 dir="lan1:wan1" protoID=6 proto="http" client_mac="00:30:18:C5:1C:6C"

    You can get the sent/rcvd byte count of each session.
    Be aware, enabling the traffic log might consume some CPU power, depending on how much traffic volume passes through your USG.
  • Milos
    Milos Posts: 20  Freshman Member
    Thank you @Ian31 , how about matching traffic logs with actual websites? For example, let's assume someone exchanged a lot with dropbox, how to associate the traffic to dropbox?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee
    edited October 2018

    Hi @Milos

    In the current design, the traffic statistics function shows information separately.

    e.g. user upload/download usage, or how many times the website has been hit.

    So I would like to add it as an idea to combine all of this information together.

    -> User accesses to Dropbox and Tx/Rx Bytes.


  • Milos
    Milos Posts: 20  Freshman Member
    -> User accesses to Dropbox and Tx/Rx Bytes.
    Thank you, but how to connect those two? By matching the log time?
  • Zyxel_Stanley
    Zyxel_Stanley Posts: 1,361  Zyxel Employee

    Hi @Milos

    I have added an idea to combine all of the information in traffic statistics:

    --> User name, TxRx, timestamp.


  • Milos
    Milos Posts: 20  Freshman Member
    edited October 2018
    Hi @Zyxel_Stanley , I do not understand your comment / the new topic you have added.
    Shall I follow up on this? What is the purpose of creating the idea topic?

    As the Zyxel USG is producing a lot of logs, I'm sure we can analyze those and get a detailed report. My question is: how to match accessed websites and traffic logs so that we can export statistics about:

    User X accessed Y times the website Z and had a traffic of A Tx and B Rx.
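The syslog "Traffic Log" line Ian31 quoted above already carries everything needed for the per-session accounting asked for in the thread (source, destination, user, sent/rcvd bytes), so the matching can be done on the syslog server rather than on the USG. The following is an added example, not code from the thread or from Zyxel: it parses lines in the key="value" format shown above, aggregates sessions per user and destination, reports the destination with the most bytes sent (the "65 GB Tx" question), and renders the "User X accessed Y times website Z with A Tx and B Rx" summary from the last post. The USG log only carries the destination IP, so the IP-to-site name table (`dst_names`) is an assumption you must supply yourself; the sample lines after the first one and the sample name table are constructed, using documentation IP ranges.

```python
import re
from collections import defaultdict

# Matches one field of a Zyxel USG syslog line: key="quoted value" or key=bare_value.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_INT_FIELDS = {"duration", "sent", "rcvd", "protoID"}


def parse_traffic_log(line):
    """Parse one USG 'Traffic Log' line into a dict; counters become ints."""
    rec = {}
    for key, quoted, bare in _FIELD_RE.findall(line):
        value = bare if bare else quoted
        rec[key] = int(value) if key in _INT_FIELDS and value.isdigit() else value
    return rec


def _ip_of(endpoint):
    """'192.168.111.37:52136' -> '192.168.111.37' (the port is dropped)."""
    return endpoint.rpartition(":")[0]


def summarize_sessions(lines, dst_names=None):
    """Aggregate Traffic Log sessions per (user, source IP, destination label).

    dst_names maps destination IPs to a site name. The USG log has only the IP,
    so this table must come from elsewhere (DNS data you keep, a lookup done at
    the time the session was logged); it is an assumption of this example.
    """
    dst_names = dst_names or {}
    stats = defaultdict(lambda: {"hits": 0, "sent": 0, "rcvd": 0})
    for line in lines:
        rec = parse_traffic_log(line)
        if rec.get("cat") != "Traffic Log" or "src" not in rec or "dst" not in rec:
            continue  # skip non-traffic events and malformed lines
        dst_ip = _ip_of(rec["dst"])
        key = (rec.get("user", "unknown"), _ip_of(rec["src"]), dst_names.get(dst_ip, dst_ip))
        entry = stats[key]
        entry["hits"] += 1
        entry["sent"] += rec.get("sent", 0)
        entry["rcvd"] += rec.get("rcvd", 0)
    return dict(stats)


def bytes_by_destination(stats):
    """Collapse the per-user table to total bytes per destination, largest
    bytes-sent first: the first entry answers 'who did we send 65 GB to?'."""
    totals = defaultdict(lambda: {"sent": 0, "rcvd": 0})
    for (_user, _src, dst), entry in stats.items():
        totals[dst]["sent"] += entry["sent"]
        totals[dst]["rcvd"] += entry["rcvd"]
    return sorted(totals.items(), key=lambda kv: kv[1]["sent"], reverse=True)


def report_lines(stats):
    """Render the 'User X accessed Y times the website Z ...' summary lines."""
    out = []
    for (user, src, dst), e in sorted(stats.items()):
        out.append(f"User {user} ({src}) accessed {e['hits']} times {dst} "
                   f"and had a traffic of {e['sent']} Tx and {e['rcvd']} Rx bytes")
    return out


# Constructed sample input: the first line is the one quoted in the thread, the
# rest are made-up sessions using documentation IP ranges.
SAMPLE_LINES = [
    'src="192.168.111.37:52136" dst="178.32.169.230:80" msg="Traffic Log" note="Traffic Log" '
    'user="unknown" devID="cc5d4e5159cf" cat="Traffic Log" duration=5 sent=398 rcvd=1042 '
    'dir="lan1:wan1" protoID=6 proto="http" client_mac="00:30:18:C5:1C:6C"',
    'src="192.168.111.40:41000" dst="203.0.113.10:443" msg="Traffic Log" user="alice" '
    'cat="Traffic Log" duration=40 sent=120000 rcvd=3000 dir="lan1:wan1" protoID=6 proto="https"',
    'src="192.168.111.40:41002" dst="203.0.113.10:443" msg="Traffic Log" user="alice" '
    'cat="Traffic Log" duration=12 sent=80000 rcvd=2500 dir="lan1:wan1" protoID=6 proto="https"',
    'src="192.168.111.41:50000" dst="198.51.100.7:80" msg="Traffic Log" user="bob" '
    'cat="Traffic Log" duration=3 sent=500 rcvd=900000 dir="lan1:wan1" protoID=6 proto="http"',
]
# Constructed placeholder table; a real deployment fills this from its own DNS data.
SAMPLE_DST_NAMES = {"203.0.113.10": "example-cloud-storage"}

if __name__ == "__main__":
    stats = summarize_sessions(SAMPLE_LINES, SAMPLE_DST_NAMES)
    for line in report_lines(stats):
        print(line)
    print("Top destination by bytes sent:", bytes_by_destination(stats)[0])
```

Feed it the lines the syslog server stored (one session per line) and it answers both questions in the thread from retained history, which the on-box packet capture cannot do; the "sent" and "rcvd" counters are per session, so totals for a single large transfer need every session to that destination, not just the ones still in the 1024-line buffer.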
