Logging

By TG Publishing Team, published on December 24, 2002
Source: Tom's Guide US

8. Logging

Logging is your router's way of telling you what it's been up to, and more importantly what the folks using it have been doing. Most consumer-class routers have fairly simple logging features and little or no way to "drill down" into the data to look at a particular user's activity.

The three main types of data that are logged are administrative, "hack attempts", and user traffic. Administrative activity includes things like router startup, shutdown, and reboots. You'll find admin interface logins here, too. "Hack attempt" logs usually include any attempt to access your router from a machine on the WAN or Internet side of the router. These attempts are usually not aimed at your router specifically, but result from broad network-wide (or subnet-wide) port scans from any number of sources. Routers with SPI-based firewalls can also interpret and log potentially more damaging attacks such as Denial of Service (DoS), fragmented packet, and other nasty stuff. Finally, user traffic logs keep track of the website, FTP, and other data requests that users make for Internet services.

As mentioned earlier, many routers provide a simple log interface, usually consisting of a page in the admin interface where you can just view a raw list of the logged activities. Some routers allow you to clear and/or save the list to a file, while others just keep a certain number of logged events, discarding the oldest ones as new events are added. Another kind of simple log is a URL or web traffic log, which may just show the number of visits to a specific web domain, without keeping track of the specific pages visited. If you're interested in keeping track of what a specific user is doing, or need other cuts at the logged data, you should look for products that support external logging.

There are two methods used for external logging. Syslog support lets you specify the IP address of a machine on your LAN that runs a syslog daemon or server. This handy service originated in the Unix community and can be added to Windows or MacOS systems by installing one of a number of programs available to receive the logging information sent via this method.
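As an added example (not from the original article or any router vendor), here is a minimal Python receiver-side parser for BSD-style syslog datagrams that tallies outbound requests per LAN client, the kind of per-user cut a raw log page does not give you. The message body format, the `192.168.1.` LAN prefix and the sample lines are assumptions constructed for illustration; each router uses its own message text.

```python
import re
import socket
from collections import Counter

# BSD syslog (RFC 3164) framing: "<PRI>Mmm dd hh:mm:ss host message"
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)
# Assumed (hypothetical) router message body: "<ACTION> <PROTO> src:port -> dst:port"
FLOW_RE = re.compile(r"^(\w+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse(datagram: bytes):
    """Return a dict for one syslog datagram, or None if it is malformed."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = SYSLOG_RE.match(text)
    if not m or int(m.group(1)) > 191:   # PRI = facility * 8 + severity, max 23*8+7
        return None
    pri = int(m.group(1))
    rec = {"facility": pri // 8, "severity": SEVERITIES[pri % 8],
           "time": m.group(2), "host": m.group(3), "msg": m.group(4)}
    flow = FLOW_RE.match(rec["msg"])
    if flow:                             # traffic or blocked-attempt entry
        rec.update(action=flow.group(1), proto=flow.group(2),
                   src=flow.group(3), dst=flow.group(5), dport=int(flow.group(6)))
    return rec

def per_client(records, lan_prefix="192.168.1."):
    """Count logged flows per LAN client, skipping malformed and WAN-side entries."""
    return Counter(r["src"] for r in records
                   if r and r.get("src", "").startswith(lan_prefix))

def serve(bind_ip="0.0.0.0", port=514, limit=100):
    """Collect `limit` datagrams sent by the router (UDP 514 is the syslog port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        return [parse(sock.recvfrom(2048)[0]) for _ in range(limit)]

# Constructed sample datagrams (not captured from a real router)
SAMPLE = [
    b"<134>Dec 24 10:15:02 router ALLOW TCP 192.168.1.20:1045 -> 203.0.113.5:80",
    b"<134>Dec 24 10:15:09 router ALLOW TCP 192.168.1.20:1046 -> 203.0.113.5:80",
    b"<134>Dec 24 10:16:30 router ALLOW TCP 192.168.1.31:2210 -> 198.51.100.7:21",
    b"<132>Dec 24 10:17:44 router DROP TCP 198.51.100.99:4431 -> 192.0.2.10:139",
    b"<133>Dec 24 10:20:00 router admin login from 192.168.1.20",
    b"not a syslog line",
]

if __name__ == "__main__":
    print(per_client([parse(d) for d in SAMPLE]).most_common())
```

Point the router's syslog setting at the machine running `serve()`; anything that does not match the syslog framing is returned as `None` rather than being trusted.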

Finally, some routers (usually those with SPI-based firewalls) support email alerts and reports. These features allow the router to send an email when it detects certain access ("hack") attempts from the router's Internet side, or email a copy of selected log reports on a scheduled basis. Nice features to have if, like most of us, you don't have the discipline to regularly check your logs!
