LinuxQuestions.org
Linux - Networking > Linksys RV042 to Red Hat Syslog
https://www.linuxquestions.org/questions/linux-networking-3/linksys-rv042-to-red-hat-syslog-337424/

dos2linux 06-26-2005 05:25 PM

Linksys RV042 to Red Hat Syslog
 
I'm currently running a Linksys RV042 router with syslog capabilities enabled. The router is set to send all logs to an external Red Hat server; however, there are no logs on either box showing that a connection attempt was made to send those logs, nor do the Linksys logs show up on the Red Hat box. I've followed Cisco's documentation on setting up the router to forward the logs and it looks like they are being sent on port 162.

On the Red Hat box (Fedora 3), I have syslog configured as follows:

/etc/syslog.conf

source r_source { udp(ip("xxx.xxx.xxx.xxx") port(162)); };
destination r_all { file("/var/log/router.log") }


/etc/sysconfig/syslog

SYSLOGD_OPTIONS="-m 0 -r"
KLOGD_OPTIONS="-2"

on the Linksys router:

Syslog Enabled
Syslog server: xxx.xxx.xxx.xxx
Log Settings enabled: Syn Flooding, IP Spoofing, Win Nuke, Ping Of Death, Unauthorized Login Attempt, General Log, System Error Messages, Deny Policies, Allow Policies, Configuration Changes, Authorized Login

I didn't think I needed an SNMP trap interpreter but would this be the case? Or should I create a firewall rule allowing all ports to be open from the router to the syslog server?

Noth 06-27-2005 12:44 AM

Syslog is supposed to be port 514.

dbennett 07-27-2005 02:34 PM

Linksys RV082 to Red Hat Syslog
 
Read your post while fighting with this on my RV082, here's the solution....

Your /etc/sysconfig/syslog format looks correct, but the lines you quoted for /etc/syslog.conf are not the right syntax for this configuration file.

I started by dumping the udp 514 records to the console...

#tcpdump -nvvX udp port 514 -s 1500
tcpdump: listening on eth0
14:25:46.286299 192.168.0.1.1026 > 192.168.0.17.syslog: [udp sum ok] udp 104 (DF) (ttl 64, id 0, len 132)
0x0000 4500 0084 0000 4000 4011 b906 c0a8 0001 E.....@.@.......
0x0010 c0a8 0011 0402 0202 0070 87e0 3c33 303e .........p..<30>
0x0020 4a75 6c20 3237 2031 393a 3235 3a34 3020 Jul.27.19:25:40.
0x0030 3230 3035 206f 6666 6963 6520 5247 4657 2005.office.RGFW
0x0040 2d49 4e3a 2041 4343 4550 5420 2854 4350 -IN:.ACCEPT.(TCP
0x0050 2036 312e 3134 332e 3830 2e32 373a 3332 .61.143.80.27:32
0x0060 3236 2d3e 3139 322e 3136 382e 302e 3637 26->192.168.0.67
0x0070 3a38 3020 6f6e 2069 7870 3129 205b 3230 :80.on.ixp1).[20
0x0080 302c 305d 0,0]

You'll notice that the RV082 is setting a Priority value of <30>.
This computes to binary 11110, which breaks down to 11 and 110 (binary),
which is a facility of decimal 3 (daemon) and a severity of decimal 6 (info).
(See http://www.faqs.org/rfcs/rfc3164.html section 4.1.1 for more info)

So the correct syslog.conf filter for the Linksys RV082 is daemon.info

Here are the configuration settings that worked for me on
Red Hat 9 (you may need to adjust for your distro)

/etc/syslog.conf

#add
daemon.info /var/log/router.log

#if you have *.info set for /var/log/messages then add !daemon.info to the end of the line...
*.info;mail.none;authpriv.none;cron.none;!daemon.info /var/log/messages

/etc/sysconfig/syslog

SYSLOGD_OPTIONS="-rm 0"
KLOGD_OPTIONS="-x"

/etc/sysconfig/iptables

-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 514 -j ACCEPT

/etc/logrotate.d/syslog

# Add /var/log/router.log to ensure that it doesn't clobber your disk!
/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/router.log {
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}


Restart iptables and syslog and you should be set.

--David Bennett
Bensoft Inc.
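The PRI arithmetic in the post above (<30> = facility 3 daemon, severity 6 info) is what decides which syslog.conf selector a router message lands under, so here is an added worked example that is not from either poster. It rebuilds the syslog datagram from the tcpdump -X dump quoted in the post (the hex lines are copied verbatim; the IP/UDP header lengths of 20 and 8 bytes are read off the dump), decodes the PRI field per RFC 3164 section 4.1.1, and returns the matching selector. The facility keyword list is the standard RFC 3164 / syslog.conf naming and is an assumption about what a given syslogd calls facilities 12 to 15; the "user.notice" default for a missing or out-of-range PRI follows the <13> fallback RFC 3164 section 4.3.3 prescribes for relays.

```python
"""Decode RFC 3164 PRI fields from a raw syslog datagram.

Added example: reconstructs the RV082 packet from the tcpdump -X dump in the
thread and maps its PRI to a syslog.conf selector.  Not the posters' code.
"""
import re

# RFC 3164 section 4.1.1 facility codes 0-23 and severity codes 0-7, using the
# keyword names syslog.conf selectors understand (names for 12-15 are an
# assumption; sysklogd does not define all of them).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The tcpdump -X lines from the post above, copied verbatim: offset column,
# eight 16-bit hex words, then the ASCII rendering.
TCPDUMP_HEX = """\
0x0000 4500 0084 0000 4000 4011 b906 c0a8 0001 E.....@.@.......
0x0010 c0a8 0011 0402 0202 0070 87e0 3c33 303e .........p..<30>
0x0020 4a75 6c20 3237 2031 393a 3235 3a34 3020 Jul.27.19:25:40.
0x0030 3230 3035 206f 6666 6963 6520 5247 4657 2005.office.RGFW
0x0040 2d49 4e3a 2041 4343 4550 5420 2854 4350 -IN:.ACCEPT.(TCP
0x0050 2036 312e 3134 332e 3830 2e32 373a 3332 .61.143.80.27:32
0x0060 3236 2d3e 3139 322e 3136 382e 302e 3637 26->192.168.0.67
0x0070 3a38 3020 6f6e 2069 7870 3129 205b 3230 :80.on.ixp1).[20
0x0080 302c 305d 0,0]
"""

IP_HEADER_LEN = 20   # first byte 0x45: IPv4, IHL 5 words, so no IP options
UDP_HEADER_LEN = 8

HEX_WORD = re.compile(r"^(?:[0-9a-f]{2}){1,2}$")
PRI_RE = re.compile(r"^<(\d{1,3})>")


def payload_from_tcpdump(dump: str) -> bytes:
    """Rebuild the packet bytes from tcpdump -X lines and strip the IP and UDP
    headers, leaving the syslog message exactly as it crossed the wire."""
    raw = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue
        for word in fields[1:]:
            if not HEX_WORD.match(word):
                break          # reached the ASCII column
            raw += bytes.fromhex(word)
    return bytes(raw[IP_HEADER_LEN + UDP_HEADER_LEN:])


def decode_pri(message: str):
    """Return (facility, severity, rest_of_message).

    PRI = facility * 8 + severity, so facility is PRI >> 3 and severity is
    PRI & 7.  A missing PRI, or one above 191 (local7.debug), is treated as
    <13> = user.notice with the whole line kept as the body."""
    m = PRI_RE.match(message)
    if m and int(m.group(1)) <= 191:
        pri, rest = int(m.group(1)), message[m.end():]
    else:
        pri, rest = 13, message
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], rest


def selector(message: str) -> str:
    """The syslog.conf selector a message falls under, e.g. 'daemon.info'."""
    facility, severity, _ = decode_pri(message)
    return f"{facility}.{severity}"


if __name__ == "__main__":
    msg = payload_from_tcpdump(TCPDUMP_HEX).decode("ascii")
    facility, severity, body = decode_pri(msg)
    print(f"{len(msg)} byte payload, selector {selector(msg)}")
    print(f"facility={facility} severity={severity}")
    print(f"body: {body}")
```

Running it shows the 104-byte payload the tcpdump header reports ("udp 104"), a selector of daemon.info, and the body "Jul 27 19:25:40 2005 office RGFW-IN: ACCEPT (TCP 61.143.80.27:3226->192.168.0.67:80 on ixp1) [200,0]". Two things worth noticing for anyone writing a parser for this router: the timestamp carries a four-digit year, which plain RFC 3164 does not, and the hostname field ("office") is followed by a tag ("RGFW-IN:") that names the firewall rule set rather than a process.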

