LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 07-17-2013, 02:12 AM   #1
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1/13.37/14 RedHat 6.2/7/EL6.5 SuSE 8.2/11.1
Posts: 455

Rep: Reputation: 30
syslog to accept logs from remote source on 9.1


Iím trying to get syslog to accept logs from another source, my router as it happens but Iím not having much luck and going round in circles I think.

Here is what Iíve tried and found so far.

In
Code:
/etc/rc.d/rc.syslog
I thought I simply had to add the
Code:
Ėr
, this hasnít really made any difference.

When I
Code:
nmap Ėp 514 192.168.254.199
(server address from server) Iím informed that the port is closed. I thought adding the
Code:
-r
option to the syslogd at startup would have opened up this port?

I also understand that I need to have an entry in the syslog.conf file for this and from googling, the most common thing Iíve found is along the lines of:

Code:
+192.168.254.254
*.* /var/log/router.log
(router IP)

All help appreciated
 
Old 07-17-2013, 02:41 AM   #2
mancha
Member
 
Registered: Aug 2012
Posts: 279

Rep: Reputation: Disabled
Hi. First of all, you're using nmap in default syn-scan method. syslogd listens on UDP/514. Use:

Code:
$ nmap -sU Ėp 514 192.168.254.199
Secondly, you can see if syslogd is indeed listening on your box by running:

Code:
$ ss -uln
or
Code:
$ netstat -uln
Let me know if this helps you along.

--mancha

Last edited by mancha; 07-17-2013 at 02:45 AM.
 
Old 07-17-2013, 04:25 AM   #3
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1/13.37/14 RedHat 6.2/7/EL6.5 SuSE 8.2/11.1
Posts: 455

Original Poster
Rep: Reputation: 30
Code:
netstat -uln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:512             0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:10000           0.0.0.0:*
udp        0      0 0.0.0.0:37              0.0.0.0:*
so I'm guessing it is running.

what should I be looking for in my syslog.conf file
when I tried
Code:
+192.168.254.254
*.* -/var/log/router.log
I simply ended up with everything being logged to router.log LOL
 
Old 07-17-2013, 11:44 AM   #4
mancha
Member
 
Registered: Aug 2012
Posts: 279

Rep: Reputation: Disabled
If the router generating the logs is at 192.168.1.1 then /etc/syslog.conf should have:

Code:
+192.168.1.1
*.*     -/var/log/router.log
--mancha
 
Old 07-17-2013, 01:58 PM   #5
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1/13.37/14 RedHat 6.2/7/EL6.5 SuSE 8.2/11.1
Posts: 455

Original Poster
Rep: Reputation: 30
When I done that, all logs went to that file, all local logs
 
Old 07-17-2013, 07:01 PM   #6
ljb643
Member
 
Registered: Nov 2003
Posts: 269

Rep: Reputation: Disabled
Where did you see use of "+" in syslog.conf? I don't think the version of syslogd in Slackware does that - maybe some other implementation does?

If it is ignored, that would explain all messages going to that file.

I don't think you can separate log messages based on their source host. (Perhaps by running more than one syslogd, listening on different sockets?) If your router lets you configure the 'facility' it logs messages under, like using one of the 'local*' names, that would be ideal, and you could use syslog.conf to send those messages to their own log file.

Finally, are you sure your router is sending out the messages? Wireshark is a good tool for this sort of thing.
 
Old 07-17-2013, 08:44 PM   #7
mancha
Member
 
Registered: Aug 2012
Posts: 279

Rep: Reputation: Disabled
Quote:
Originally Posted by plisken View Post
When I done that, all logs went to that file, all local logs
You're doing nothing wrong. As it turns out, Linux's sysklogd doesn't support host-level filtering as do some other syslog daemons and OSes. But it should!

So, your use-case inspired me to review code logic in other projects and adapt something similar for use on Slackware's sysklogd. I was greatly inspired by
BSD's codebase for how to achieve this.

I make this alpha implementation available to the Slackware community via two patches that apply to either sysklogd-1.4.1 or sysklogd-1.5.

The syntax is very simple.

+<host/ip> all following rules apply only if host matches
-<host/ip> all following rules apply only if host doesn't match

Note: the "%" host stands for the local machine name and a + or - host directive remains active until the next + or - host directive is found. Not
specifying any +/- host directives in /etc/syslog.conf means syslog operates as it would without the patch.

I welcome testers and bug reporters and I hope others find this useful.

There are a few limitations in this alpha. First, one can only specify one originating host at a time. However, clever rule ordering should minimize this limitation.
Also, there's no name resolution, so the host or ip has to match exactly.

For example, if the messages from the router come in as follows, the match has to be against "192.168.1.1".

Code:
Jul 17 15:03:07 192.168.1.1 -- MARK --
If you've added an entry to /etc/hosts though and the messages appear as below then the match has to be against "router".

Code:
Jul 17 15:03:07 router -- MARK --
--mancha

Below is an example /etc/syslog.conf for the OP's specific requirement (additions to the stock Slackware conf file in blue):

Code:
# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux.  Note the '-' prefixing some
# of these entries;  this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performation loss if you're using
# programs that do heavy logging.

# Set the permitted hostname for the following rules to 
# the local machine name
+%

# Uncomment this to see kernel messages on the console.
#kern.*							/dev/console

# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.info;*.!warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/syslog

# Debugging information is logged here.
*.=debug						-/var/log/debug

# Private authentication message logging:
authpriv.*						-/var/log/secure

# Cron related logs:
cron.*							-/var/log/cron

# Mail related logs:
mail.*							-/var/log/maillog

# Emergency level messages go to all users:
*.emerg							*

# This log is for news and uucp errors:
uucp,news.crit						-/var/log/spooler

# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit					-/var/log/news/news.crit
#news.=err					-/var/log/news/news.err
#news.notice					-/var/log/news/news.notice

# Log all messages (all facilities and priorities) from
# 192.168.1.1 to /var/log/router.log
+192.168.1.1
*.*						-/var/log/router.log
 
Old 07-20-2013, 02:20 PM   #8
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1/13.37/14 RedHat 6.2/7/EL6.5 SuSE 8.2/11.1
Posts: 455

Original Poster
Rep: Reputation: 30
Getting a bit over my head now LOL

How do i apply this change/diff file? How do I see what has changed? (partial curious and partial security concious)
 
Old 07-20-2013, 03:33 PM   #9
mancha
Member
 
Registered: Aug 2012
Posts: 279

Rep: Reputation: Disabled
From your response it seems rebuilding a package might be a difficult task for you. If that's true I recommend you just ignore my post as you could end up messing up your logging facility. That said, if you're up to it, here is what you would have to do:
  1. Download Pat's source files for Slackware 9.1 sysklogd from here.
  2. Download my patch for sysklogd 1.4.1 to the same directory.
  3. Edit sysklogd.Slackbuild by increasing the build number up top from 9 to 10 and by adding a line (in red) to apply my patch:
    Code:
    cd $TMP
    tar xzvf $CWD/sysklogd-$VERSION.tar.gz
    cd sysklogd-$VERSION
    zcat $CWD/sysklogd-1.4.1-owl-syslogd-crunch_list.diff.gz | patch -p1 --verbose
    patch -p1 --verbose < $CWD/sysklogd-1.4.1-host.diff || exit 1
    chown -R root.root .
  4. Execute sysklogd.Slackbuild to generate a new package
  5. Upgrade the package with: upgradepkg /tmp/sysklogd-1.4.1-i486-10.tgz

As far as seeing what is getting changed, my diff file is a regular text file which shows exactly what is getting changed in sysklogd's source. You can open it in your favorite text editor.

--mancha

Last edited by mancha; 07-20-2013 at 04:58 PM.
 
Old 07-22-2013, 01:40 PM   #10
plisken
Member
 
Registered: Dec 2001
Location: Scotland
Distribution: Slackware 9.1/13.37/14 RedHat 6.2/7/EL6.5 SuSE 8.2/11.1
Posts: 455

Original Poster
Rep: Reputation: 30
I'll give this a go later and report back.

I guess I can always reinstall original package if I run into problems...
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Bfd logs to remote syslog-ng server Helptek Linux - Newbie 0 12-08-2009 08:18 AM
AIX audilt logs to a remote syslog server manikyam AIX 1 12-03-2009 01:47 AM
Remote syslog logging for apache logs linuxfia Linux - Software 2 02-02-2009 06:14 PM
syslog to accept remote messages ilnli Linux - Software 1 08-02-2006 06:19 AM
Getting logs from a remote syslog ganninu Linux - Newbie 4 09-10-2003 09:05 AM


All times are GMT -5. The time now is 03:13 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration