LinuxQuestions.org
Old 01-30-2011, 04:22 PM   #1
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 232

Rep: Reputation: 8
Rsyslog not logging routers messages


I have an Asus RT-n12 router with DD-WRT v24-sp2 (12/19/10) mini (SVN revision 15943M NEWD-2 K2.6 Eko).


I cannot get rsyslog on my Linux PC to log messages from the router. I did a netstat -arn and got:

Code:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:514 0.0.0.0:* 19102/rsyslogd


Should the addresses look like this?

I ran a tcp dump and got these scrolling messages:

Code:
05:34:52.269996 IP 192.168.1.1.32768 > 192.168.1.20.514: SYSLOG user.warning, length: 25


I have *.* -/var/log/messages in my /etc/rsyslog.conf.

$ModLoad imudp.so
$UDPServerRun 514



My rsyslog is working... just not logging any of the router's messages. Of course, I have logging enabled in the router along with syslog and the IP address of my PC (wired LAN).

No software firewall running on my PC.


Any suggestions, please?
 
Old 01-30-2011, 05:35 PM   #2
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
Greetingz!

By chance, have you made sure your rsyslogd daemon is started with "-r" rather than the default "-m 0"?
Have you also added the following to your configuration file on your Gentoo box?
$UDPServerAddress 0.0.0.0
$UDPServerRun 514
 
Old 01-30-2011, 10:06 PM   #3
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 232

Original Poster
Rep: Reputation: 8
Hi,

Thank you for your response. Yes, I did use rsyslog -r although it gets rejected with the new versions of rsyslog that do not run in compatibility mode.

I tried $UDPServerAddress 192.168.1.1, which is my router's IP address, and $UDPServerRun 514, but still did not have success.
 
Old 01-30-2011, 10:26 PM   #4
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 911
Is the router configured to talk on UDP/514 to your PC?



Cheers,
Tink
 
Old 01-30-2011, 10:32 PM   #5
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 232

Original Poster
Rep: Reputation: 8
Hi,

The router has DD-WRT, which uses syslog, which from my understanding uses UDP 514. Also, tcpdump showed these scrolling continuously:

20:53:07.558947 IP 192.168.1.1.32768 > 192.168.1.20.514: SYSLOG user.warning, length: 206


localhost three # cat /etc/rsyslog.conf
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.
#$ModLoad imudp.so
#$UDPServerRun 514
#$AllowedSender UDP,127.0.0.1,192.168.1.20,192.168.1.1
#$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # kernel logging (formerly provided by rklogd)
#$UDPServerAddress 196.168.1.1
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!

#fileter out autofs timeout messages
:msg, contains, "remaining in /-" ~

:msg, contains, "Shorewall" /var/log/network/firewall

& ~

user.*;*.info;mail.none;authpriv.none;cron.none -/var/log/messages


# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* -/var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /rsyslog/spool # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinety retries if host is down
# remote host is: name/iport, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host


# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so # load module
# Note: as of now, you need to use the -t command line option to
# enable TCP reception (e.g. -t514 to run a server at port 514/tcp)
# This will change in later v3 releases.

# UDP Syslog Server:
$ModLoad imudp.so # provides UDP syslog reception
$UDPServerRun 514 # start a UDP syslog server at standard port 514
 
Old 01-31-2011, 02:57 AM   #6
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
Okay, quick question;
What happens when you uncomment the following line and restart rsyslogd?
Code:
#$AllowedSender UDP,127.0.0.1,192.168.1.20,192.168.1.1
 
Old 01-31-2011, 03:10 AM   #7
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 232

Original Poster
Rep: Reputation: 8
I figured it out. I took out shorewall (firewall) upon boot up. Then the router was able to communicate with rsyslog fine. For some reason, when stopping shorewall, rsyslog still could not receive messages from the router. A clean reboot had to be in order. I wish I knew why this was.
 
Old 01-31-2011, 03:48 AM   #8
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
Ah! Well it should be pretty straight-forward to configure ShoreWall to allow incoming data on 514.
ShoreWall uses iptables to restrict everything but allowed communication (typically).

/etc/shorewall/rules
Code:
#ACTION  SOURCE DEST PROTO DEST PORT(S)
ACCEPT   net    $DMZ*  udp   514
*= I don't know if you put your router in 'loc', 'dmz' or 'fw' elsewhere in the config, so this should be the same as that.
 
Old 01-31-2011, 04:12 AM   #9
dman777
Member
 
Registered: Dec 2010
Distribution: Gentoo
Posts: 232

Original Poster
Rep: Reputation: 8
Code:
localhost shorewall # cat zones 
#
# Shorewall version 3.4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# For more information, see http://www.shorewall.net/3.0/Documentation.htm#Zones
#
###############################################################################
#ZONE	TYPE		OPTIONS		IN			OUT
#					OPTIONS			OPTIONS
fw	firewall
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
localhost shorewall #
Would the source be the router instead of net? And would the destination be the desktop (rsyslog accepting the messages)?

I don't think the router is defined in any zone. So, would the source be just the router's IP address and the destination the fw, since the firewall is on the desktop?
 
Old 01-31-2011, 05:08 AM   #10
xeleema
Member
 
Registered: Aug 2005
Location: D.i.t.h.o, Texas
Distribution: Slackware 13.x, rhel3/5, Solaris 8-10(sparc), HP-UX 11.x (pa-risc)
Posts: 987
Blog Entries: 4

Rep: Reputation: 252
Quote:
Originally Posted by dman777
Would the source be the router instead of net? And would the destination be the desktop (rsyslog accepting the messages)?
Yes, "source" is whatever is generating the data. "Destination" is where it's going (the PC with rsyslogd).

Quote:
Originally Posted by dman777
I don't think the router is defined in any zone. So, would the source be just the router's IP address and the destination the fw, since the firewall is on the desktop?
The zone for "DEST" might be "$FW", as this is a local shorewall install.
You should only have "loc", "fw", and maybe "dmz" as valid 'zones', poke around and try them out.
(Restart the service between attempts.)
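
Added example, not part of any post in this thread: tcpdump captures inbound packets before netfilter filters them, so the capture in the thread does not prove the datagrams reached rsyslogd's socket. With rsyslogd stopped, this Python listener binds UDP 514 in its place and reports what actually arrives, and `send_probe` sends a test datagram from another host. All function names are hypothetical.

```python
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram):
    """Split the leading <PRI> into (facility, severity, text); None if malformed."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    text = datagram[m.end():].decode("utf-8", "replace").rstrip("\n")
    return FACILITIES[facility], SEVERITIES[severity], text


def open_listener(port=514, addr="0.0.0.0"):
    """Bind a UDP socket where imudp would (stop rsyslogd first; ports <1024 need root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((addr, port))
    return sock


def receive_one(sock, timeout=10.0):
    """Return (sender_ip, facility, severity, text), or None when nothing arrives."""
    sock.settimeout(timeout)
    try:
        data, (sender, _port) = sock.recvfrom(8192)
    except socket.timeout:
        return None
    return (sender,) + (decode_pri(data) or ("?", "?", repr(data)))


def send_probe(host, port=514, text="probe: udp syslog path test",
               facility="user", severity="warning"):
    """Send one datagram with the priority tcpdump reported (user.warning = <12>)."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    payload = f"<{pri}>{text}".encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))
    return payload


if __name__ == "__main__":
    with open_listener() as listener:
        print(receive_one(listener, timeout=30.0) or "nothing reached the socket")
```

If tcpdump keeps showing the router's packets while this listener times out, the drop is happening between the interface and the socket (packet filter rules), not in rsyslog's configuration.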
 
  


All times are GMT -5. The time now is 04:56 AM.
