syslog to accept logs from remote source on 9.1

plisken · 07-17-2013, 02:12 AM

I’m trying to get syslog to accept logs from another source, my router as it happens but I’m not having much luck and going round in circles I think.

Here is what I’ve tried and found so far.

In

Code:

/etc/rc.d/rc.syslog

I thought I simply had to add the

Code:

–r

, this hasn’t really made any difference.

When I

Code:

nmap –p 514 192.168.254.199

(server address from server) I’m informed that the port is closed. I thought adding the

Code:

-r

option to the syslogd at startup would have opened up this port?

I also understand that I need to have an entry in the syslog.conf file for this and from googling, the most common thing I’ve found is along the lines of:

Code:

+192.168.254.254
*.* /var/log/router.log

(router IP)

All help appreciated

mancha · 07-17-2013, 02:41 AM

Hi. First of all, you're using nmap in default syn-scan method. syslogd listens on UDP/514. Use:

Code:

$ nmap -sU –p 514 192.168.254.199

Secondly, you can see if syslogd is indeed listening on your box by running:

Code:

$ ss -uln

or

Code:

$ netstat -uln

Let me know if this helps you along.

--mancha

plisken · 07-17-2013, 04:25 AM

Code:

netstat -uln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:512             0.0.0.0:*
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 0.0.0.0:10000           0.0.0.0:*
udp        0      0 0.0.0.0:37              0.0.0.0:*

so I'm guessing it is running.

what should I be looking for in my syslog.conf file
when I tried

Code:

+192.168.254.254
*.* -/var/log/router.log

I simply ended up with everything being logged to router.log LOL

mancha · 07-17-2013, 11:44 AM

If the router generating the logs is at 192.168.1.1 then /etc/syslog.conf should have:

Code:

+192.168.1.1
*.*     -/var/log/router.log

--mancha

plisken · 07-17-2013, 01:58 PM

When I done that, all logs went to that file, all local logs

ljb643 · 07-17-2013, 07:01 PM

Where did you see use of "+" in syslog.conf? I don't think the version of syslogd in Slackware does that - maybe some other implementation does?

If it is ignored, that would explain all messages going to that file.

I don't think you can separate log messages based on their source host. (Perhaps by running more than one syslogd, listening on different sockets?) If your router lets you configure the 'facility' it logs messages under, like using one of the 'local*' names, that would be ideal, and you could use syslog.conf to send those messages to their own log file.

Finally, are you sure your router is sending out the messages? Wireshark is a good tool for this sort of thing.

mancha · 07-17-2013, 08:44 PM

Quote:

Originally Posted by plisken

When I done that, all logs went to that file, all local logs

You're doing nothing wrong. As it turns out, Linux's sysklogd doesn't support host-level filtering as do some other syslog daemons and OSes. But it should!

So, your use-case inspired me to review code logic in other projects and adapt something similar for use on Slackware's sysklogd. I was greatly inspired by
BSD's codebase for how to achieve this.

I make this alpha implementation available to the Slackware community via two patches that apply to either sysklogd-1.4.1 or sysklogd-1.5.

The syntax is very simple.

+<host/ip> all following rules apply only if host matches
-<host/ip> all following rules apply only if host doesn't match

Note: the "%" host stands for the local machine name and a + or - host directive remains active until the next + or - host directive is found. Not
specifying any +/- host directives in /etc/syslog.conf means syslog operates as it would without the patch.

I welcome testers and bug reporters and I hope others find this useful.

There are a few limitations in this alpha. First, one can only specify one originating host at a time. However, clever rule ordering should minimize this limitation.
Also, there's no name resolution, so the host or ip has to match exactly.

For example, if the messages from the router come in as follows, the match has to be against "192.168.1.1".

Code:

Jul 17 15:03:07 192.168.1.1 -- MARK --

If you've added an entry to /etc/hosts though and the messages appear as below then the match has to be against "router".

Code:

Jul 17 15:03:07 router -- MARK --

--mancha

Below is an example /etc/syslog.conf for the OP's specific requirement (additions to the stock Slackware conf file in blue):

Code:

# /etc/syslog.conf
# For info about the format of this file, see "man syslog.conf"
# and /usr/doc/sysklogd/README.linux.  Note the '-' prefixing some
# of these entries;  this omits syncing the file after every logging.
# In the event of a crash, some log information might be lost, so
# if this is a concern to you then you might want to remove the '-'.
# Be advised this will cause a performation loss if you're using
# programs that do heavy logging.

# Set the permitted hostname for the following rules to 
# the local machine name
+%

# Uncomment this to see kernel messages on the console.
#kern.*							/dev/console

# Log anything 'info' or higher, but lower than 'warn'.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.info;*.!warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/messages

# Log anything 'warn' or higher.
# Exclude authpriv, cron, mail, and news.  These are logged elsewhere.
*.warn;\
	authpriv.none;cron.none;mail.none;news.none	-/var/log/syslog

# Debugging information is logged here.
*.=debug						-/var/log/debug

# Private authentication message logging:
authpriv.*						-/var/log/secure

# Cron related logs:
cron.*							-/var/log/cron

# Mail related logs:
mail.*							-/var/log/maillog

# Emergency level messages go to all users:
*.emerg							*

# This log is for news and uucp errors:
uucp,news.crit						-/var/log/spooler

# Uncomment these if you'd like INN to keep logs on everything.
# You won't need this if you don't run INN (the InterNetNews daemon).
#news.=crit					-/var/log/news/news.crit
#news.=err					-/var/log/news/news.err
#news.notice					-/var/log/news/news.notice

# Log all messages (all facilities and priorities) from
# 192.168.1.1 to /var/log/router.log
+192.168.1.1
*.*						-/var/log/router.log

plisken · 07-20-2013, 02:20 PM

Getting a bit over my head now LOL

How do i apply this change/diff file? How do I see what has changed? (partial curious and partial security concious)

mancha · 07-20-2013, 03:33 PM

From your response it seems rebuilding a package might be a difficult task for you. If that's true I recommend you just ignore my post as you could end up messing up your logging facility. That said, if you're up to it, here is what you would have to do:

Download Pat's source files for Slackware 9.1 sysklogd from here.
Download my patch for sysklogd 1.4.1 to the same directory.

Edit sysklogd.Slackbuild by increasing the build number up top from 9 to 10 and by adding a line (in red) to apply my patch:

Code:

cd $TMP
tar xzvf $CWD/sysklogd-$VERSION.tar.gz
cd sysklogd-$VERSION
zcat $CWD/sysklogd-1.4.1-owl-syslogd-crunch_list.diff.gz | patch -p1 --verbose
patch -p1 --verbose < $CWD/sysklogd-1.4.1-host.diff || exit 1
chown -R root.root .

Execute sysklogd.Slackbuild to generate a new package
Upgrade the package with: upgradepkg /tmp/sysklogd-1.4.1-i486-10.tgz

As far as seeing what is getting changed, my diff file is a regular text file which shows exactly what is getting changed in sysklogd's source. You can open it in your favorite text editor.

--mancha

plisken · 07-22-2013, 01:40 PM

I'll give this a go later and report back.

I guess I can always reinstall original package if I run into problems...