[personal profile] theweaselking
I have a network.

I want to know who is surfing the web, to where, and, if possible, how long they spend doing it. With records and hopefully a nice happy interface where I can see "John refreshed livejournal.com, like, 40 times today".

What's the best way to set something up to monitor this?

Squid proxy with some kind of log reader? Got a link on how to set that up?

This is, right now, purely a "hmm, how can I do this?" exercise.

(Oh, and: I *can* block all traffic that doesn't go past my monitor, if I feel like it. So it's not like people can break my proxy by just removing it, if I go with a proxy.)

(no subject)

Date: 2009-05-13 08:31 pm (UTC)
From: [identity profile] anivair.livejournal.com
I say squid proxy with some perl scripts for the log output to translate it into something easy to read. I'm actually working on something similar for my office.
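A sketch of the Squid-plus-log-reader idea, as an added example that is not part of the original thread or anyone's actual script. It assumes Squid's default native access.log layout; the sample lines, the 5-minute idle gap, and the names `site_of` and `summarize` are constructed for illustration, and the "seconds" figure is only an estimate of time on a site built from the gaps between requests.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# time elapsed_ms client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
1242246700.100    120 192.168.1.10 TCP_MISS/200 5123 GET http://www.livejournal.com/ - DIRECT/203.0.113.5 text/html
1242246760.200     80 192.168.1.10 TCP_MISS/200 4810 GET http://www.livejournal.com/friends - DIRECT/203.0.113.5 text/html
1242246790.000     15 192.168.1.10 TCP_HIT/200 900 GET http://www.livejournal.com/img/a.gif - NONE/- image/gif
1242250000.000     95 192.168.1.10 TCP_MISS/200 5000 GET http://www.livejournal.com/ - DIRECT/203.0.113.5 text/html
1242246800.500    300 192.168.1.11 TCP_MISS/200 20480 GET http://example.org/docs - DIRECT/203.0.113.9 text/html
1242246900.000    210 192.168.1.11 TCP_MISS/200 0 CONNECT mail.example.com:443 - DIRECT/203.0.113.7 -
this line is garbage
"""
IDLE_GAP = 300  # assumption: more than 5 minutes between hits ends a "visit"

def site_of(method, url):
    """Host part of the request; CONNECT lines carry host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()

def summarize(lines):
    """Return {(client, site): {"hits": n, "bytes": n, "seconds": s}}."""
    records = []
    for line in lines:
        f = line.split()
        try:  # skip truncated or malformed lines instead of crashing
            rec = (float(f[0]), f[2], site_of(f[5], f[6]), int(f[4]))
        except (ValueError, IndexError):
            continue
        if rec[2]:
            records.append(rec)
    stats = defaultdict(lambda: {"hits": 0, "bytes": 0, "seconds": 0.0})
    last_seen = {}
    for ts, client, site, size in sorted(records):
        key = (client, site)
        s = stats[key]
        s["hits"] += 1
        s["bytes"] += size
        gap = ts - last_seen.get(key, ts)
        if gap <= IDLE_GAP:  # same visit: count the time between hits
            s["seconds"] += gap
        last_seen[key] = ts
    return dict(stats)

if __name__ == "__main__":
    for (client, site), s in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(client, site, s)
```

The report is keyed by client IP address; HTTPS traffic shows up only as CONNECT lines, so the host is visible but the pages are not.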

(no subject)

Date: 2009-05-13 09:36 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
No pre-made thing I can just slot in and not have to write myself?

(no subject)

Date: 2009-05-14 12:40 pm (UTC)
From: [identity profile] anivair.livejournal.com
That I don't know. But if I run across anything, I'll let you know.

(no subject)

Date: 2009-05-14 01:56 pm (UTC)
From: [identity profile] anivair.livejournal.com
So far Cacti looks promising, but I'm upgrading my system before I set it up, so I'll let you know.

(no subject)

Date: 2009-05-13 09:07 pm (UTC)
From: [identity profile] flemco.livejournal.com
I used to use a dedicated box running Ethereal and monitoring all traffic twixt the gateway and the ISP. (The box was a retired server that was kicking around the closet.) On the one hand, you can get some severe logfile bloat. On the other, that sucker is very good at tracking everything, and if you have enough drive space for the logs, you can filter the shit out of them when it comes time to see what's up.

(no subject)

Date: 2009-05-13 09:36 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
That involves writing scripts to parse the output. And I hate doing that. Does nobody have an out-of-the-box FOSS snoopware project I can just bogart? Like, "snort but only cares about the web"?

(I have a snort box insystem already. I *could* have it log non-alerts on every bit of web traffic and parse those - but, again, PITA.)

(no subject)

Date: 2009-05-13 10:24 pm (UTC)
From: [identity profile] elffin.livejournal.com
Writing scripts to parse the output is all of the fun, man. SliceNDice.

(no subject)

Date: 2009-05-15 04:02 pm (UTC)
From: [identity profile] flemco.livejournal.com
Actually, no. The Ethereal client comes with Filter capability. Pretty keen, too.

(no subject)

Date: 2009-05-13 11:15 pm (UTC)
From: [identity profile] jsbowden.livejournal.com
There are products to do this, but they are Not Cheap (TM).

(no subject)

Date: 2009-05-13 11:32 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
I, however, am cheap(tm). And lazy, wrt writing one myself.

(no subject)

Date: 2009-05-14 01:05 am (UTC)
From: [identity profile] pope-guilty.livejournal.com
I just want to be able to see who's all connected to my router.

I seem to recall my old Windows 98 box, back in the days when everybody on campus was hooked into the network and sharing their media folders, had an application that showed who was connected to my computer and doing what in what folder.

(no subject)

Date: 2009-05-14 04:58 am (UTC)
From: [identity profile] zastrazzi.livejournal.com
Squid for the proxy, splunk for sifting through logs.

I'm suggesting splunk because I suspect you might be under the threshold of volume that would move you into the paying for it category :)

(no subject)

Date: 2009-05-14 08:31 pm (UTC)
From: [identity profile] theweaselking.livejournal.com
Splunk: neat.

Paying for it: HOLY SHIT STARTS AT $15K!

(no subject)

Date: 2009-05-14 08:53 pm (UTC)
From: [identity profile] zastrazzi.livejournal.com
Like I said, I'm assuming you fall under their usage :) And if you think that's outrageous you should see our licensing for the SIEM/SIM product we use *grin*
