LinuxQuestions.org
Old 12-20-2001, 11:09 AM   #1
adamrau
Member
 
Registered: Sep 2001
Posts: 42

SYSLOG not writing messages from my firewall.


This is what I have done.

On firewall:
logging host inside 10.0.0.4
logging trap debugging
logging facility 20

On linux server
vi /etc/syslog.conf
I added this line
local4.* /var/log/firewall.log

I stopped and restarted syslog both with and without the -r option and still I get nothing written.
Does anyone have any idea on what I am doing wrong?
I am at a loss here
Thanks
Adam
 
Old 12-20-2001, 01:19 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Iptables and ipchains both use the "KERN" facility, not "LOCAL#": iptables at loglevel "WARN" and ipchains at loglevel "INFO", so for ipt your line should be: "kern.warn<tab><logfile>".
Variations in loglevel are possible, or it can be replaced by an asterisk, depending on what you log; please consult the syslog(d|.conf) manual.
 
Old 12-20-2001, 05:38 PM   #3
adamrau
Member
 
Registered: Sep 2001
Posts: 42

Original Poster
Hi,
IPchains and iptables are not running. This is on a server on my internal network.

I'm not sure if that helps.
 
Old 12-20-2001, 06:00 PM   #4
adamrau
Member
 
Registered: Sep 2001
Posts: 42

Original Poster
This is my syslog.conf.

FYI: I installed kiwi on my laptop and it worked great. I'm not so sure why linux is being stubborn about this.


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* /var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log


local4.* /var/log/firewall.log
 
Old 12-21-2001, 12:58 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

If you don't have a firewall, it can't log, right? :-]
Btw1, you commented out the "KERN" facility. IMO if you don't want that on your console, you can raise the loglevel to something like "EMERG", or have it log to a file. You never know when you'll need this.
Btw2, the "LOCAL#" facility is only used by apps that can use it by changing a var in their config, or at compile time.
OTOH if you mean syslogd should log messages from fw's from other machines you'll have to redirect them in the syslog.conf on that machine, and have syslogd listen on this machine on 514/UDP.
 
Old 12-21-2001, 04:59 AM   #6
adamrau
Member
 
Registered: Sep 2001
Posts: 42

Original Poster
Hi,

Thanks for all your time. I think I was unclear from the beginning. The firewall is hardware and it's logging messages and should send them to my linux syslog server. I set up a windows syslog server as a test and it worked.

Sorry

Adam
 
Old 01-08-2002, 03:36 PM   #7
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Does anyone have any more info on this? I have been working on this and have done these exact steps. I have no idea why linux syslog doesn't want to write my messages.
 
Old 01-08-2002, 04:27 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

On the box you send syslog *from* specify a line
"*.*<tab>@hostname" (w/o quotes, change hostname).
On the *receiving* box you need syslog started with the "-r" flag so it will listen on UDP port 514 for messages from remote servers. This ain't on by default in distros.
Also add the line "syslog 514/udp" (if it's not there) to the /etc/services.

Shake the chicken bones 3 times, sprinkle with penny-royale oil, do some admin voodoo chants, and presto, remote logging...
 
Old 01-08-2002, 05:23 PM   #9
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Thanks unSpawn but I still have problems. I'm logging from a cisco firewall. If I set up kiwi on my windows workstation it works great. It's not logging to my linux workstation. I have syslog udp/514 in the /etc/services. I have it running with the -r. Still nada.......

Both devices can ping each other, etc.
It just doesn't want to work.
Any ideas on how to debug?
 
Old 01-09-2002, 01:13 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

How does your logging look in Config on the Cisco?
Should be something along the lines of:

logging <address>
logging <facility> (local0 to local7)
logging trap <logging_level> (? or like "informational")
logging source-interface <interface>
logging on

On the Linux box:
in /etc/syslog.conf add line with the logging facility specified on the Cisco:
<facility>.*<tab><logfilename>
Restart syslogd.
Else; Not blocking from /etc/hosts.(deny|allow) from that address? Not blocking by fw? Does tcpdump show up anything from the Cisco address?
 
Old 01-09-2002, 04:57 PM   #11
iamnotherbert
Member
 
Registered: May 2001
Posts: 74

Did you touch /var/log/firewall.log?

I have had stubborn syslogd's before on a new conf. I had to run touch then restart syslogd.

1. If all's well with kiwi then the Cisco end is OK. 2. If you did what unspawn said then the port's there.


-iamnotherbert
 
Old 01-09-2002, 06:18 PM   #12
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Junk I tell ya.

Cisco:
Syslog logging: enabled
Trap logging: level debugging, facility 20, 21978 messages logged
Logging to inside 10.0.0.4

syslog.conf:

local4.* /var/log/firewall.log
*.* /var/log/firewall.log

I added the *.* as shown above and kernel messages showed up in my firewall.log. I did it as a test after touching the file to make sure syslog could write to it. hosts.allow and hosts.deny are both empty. /usr/sbin/tcpdump --> Can't read... Must be an executable or something. iptables/ipchains is not running.
What else am I supposed to do? This should be working.
I start syslog via /etc/rc.d/init.d/syslog start -r

Any more suggestions?
Thanks so much
 
Old 01-10-2002, 01:02 AM   #13
iamnotherbert
Member
 
Registered: May 2001
Posts: 74

I noticed your cisco is set to use
facility 20. Does that = local4?

The reason it works with kiwi is kiwi shows all syslog messages. It doesn't care what the facility is. Syslogd does..

Check for what 20 means.. and make sure you have your conf setup right.

Hope it helps
 
Old 01-10-2002, 05:24 AM   #14
ForumKid
Member
 
Registered: Dec 2001
Posts: 195

Hi,
Facility 20 does equal local4. Someone told me that it's always offset by 16. Anyhow my kiwi syslog priority comes up as local4.notice........

Can't we eliminate the facility, because I have entered *.* in my syslog.conf? Also I'm not running xinetd. I'm not sure if some other process should be running.

So i think we can eliminate these:
1) facility ---> due to *.* in syslog.conf, even though facility 20 is correct.
2) firewall.log --> This is writeable, due to kernel messages showing up here due to *.* in syslog.conf.

Is there a way to test some more? I'm not sure what else to do.
Thanks for everyone's help.
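To check the facility arithmetic discussed in the last two posts, and to see which rules of the syslog.conf posted earlier in the thread would catch a local4.notice message, here is an added example (not code from the thread; the sample datagram and the conf string are constructed from what the thread reports):

```python
# Added example (not from the thread); the datagram and conf below are constructed from the thread.
import re
# RFC 3164 facility codes; local0..local7 are 16..23, the "offset by 16" mentioned in the thread.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

def decode_pri(pri: int) -> tuple:
    """PRI = facility * 8 + severity; return (facility name, severity name)."""
    facility, severity = pri >> 3, pri & 7
    return FACILITY_NAMES.get(facility, f"facility{facility}"), SEVERITY_NAMES[severity]

def parse_datagram(data: bytes) -> tuple:
    """Return (facility, severity, rest) for a '<PRI>...' UDP syslog payload."""
    m = re.match(rb"<(\d{1,3})>(.*)", data, re.DOTALL)
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a syslog datagram")
    facility, severity = decode_pri(int(m.group(1)))
    return facility, severity, m.group(2).decode("ascii", "replace")

def matching_targets(conf: str, facility: str, severity: str) -> list:
    """Targets a sysklogd-style syslog.conf writes a facility.severity message to.
    Selector 'fac1,fac2.prio' matches at prio and more severe, 'none' drops the
    facility, and the last selector naming the facility wins within a rule."""
    sev_num = SEVERITY_NAMES.index(severity)
    targets = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, target = line.rsplit(None, 1)  # tab or space before the target
        verdict = False
        for sel in selectors.split(";"):
            facs, _, prio = sel.rpartition(".")
            if facs != "*" and facility not in facs.split(","):
                continue
            prio = SEVERITY_ALIASES.get(prio, prio)
            verdict = prio != "none" and (prio == "*" or sev_num <= SEVERITY_NAMES.index(prio))
        if verdict:
            targets.append(target)
    return targets

# Constructed datagram: local4 (20) * 8 + notice (5) = PRI 165, the priority Kiwi reported.
SAMPLE = b"<165>Jan 10 05:24:00 firewall: constructed sample message"
# The thread's syslog.conf, comments dropped, tab-separated as unSpawn advises.
THREAD_CONF = ("*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\nauthpriv.*\t/var/log/secure\n"
               "mail.*\t/var/log/maillog\ncron.*\t/var/log/cron\n*.emerg\t*\nuucp,news.crit\t/var/log/spooler\n"
               "local7.*\t/var/log/boot.log\nlocal4.*\t/var/log/firewall.log\n")
```

Note that the posted *.info rule already routes a local4.notice message to /var/log/messages, so if nothing from the firewall shows up there either, the datagram is not reaching syslogd at all.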
 
Old 01-10-2002, 12:23 PM   #15
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,987
Blog Entries: 54

Reading back I noticed you said you start syslog as "/etc/rc.d/init.d/syslog start -r". Unless some wacky distro decides otherwise and mucked up SYSV stylee starting of daemons this can't be good, cuz I'm quite sure it won't pick up parameters on the cmdline other than start|stop|status and the like.
You will have to edit /etc/rc.d/init.d/syslog to add the "-r" parameter, then kill and start it.
Use netstat or socklist, and ps to verify it's using UDP/514, and the flags include "-r" (ps ax).
Then I would like to suggest you try setting the Cisco facility line to specifically read anything starting with local like:
"logging facility local4".
Also note syslog *is* picky about tabs or spaces between the facility.priority and the logfile. Make sure your syslog.conf ends up with *all* tabs or *all* spaces, no mixing.

If this all won't work, and the kiwi box ain't the same IP as the Linux box, I would suggest you use tcpdump to see if the stream is there (w/o quotes):
"tcpdump -a -vv -i <interface> -p -c 1000 > tcpdump.log"
This will set the <interface> to promiscuous mode so it'll receive all messages, log in ascii format with increased verbosity to the tcpdump.log and exit after 1000 packets are logged.
now do
"cat tcpdump.log | grep -v "\^" | grep udp"
and it should show lines like
<timestamp> <cisco_address>.<port> > <linux_address>.514 udp <packet flags>.
If this works we definitely know the error is on the syslog side; then we can opt to use logger (local) or netcat (remote) to test syslog further.
If this doesn't work, review your Cisco's conf (facility name and other logging options) or post the relevant logging lines here.

HTH somehow
 