
Thread: Receiving router log information in rsyslog?

  1. #1

    Receiving router log information in rsyslog?

    Hi,

    I would like to receive log information from my router at my SuSE 13.1 64bit workstation.
    I have been able to turn on the router log output and I can see the TCP packages from it, using Wireshark.

    However, up to now I have not been able to receive this data at my workstation.
    Wireshark says that there is no open port at my rsyslog destination.
    This is confirmed with Zenmap - I have no port (514) open on my workstation.

    I have tried reading/editing my /etc/rsyslog/remote.conf - with no success!
    I have no firewall or AppArmor running on this lab net.

    Regards, Martin

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Receiving router log information in rsyslog?

    On 2014-01-29 11:26, martinprowe wrote:
    >
    > Hi,
    >
    > I would like to receive log information from my router at my SuSE 13.1
    > 64bit workstation.
    > I have been able to turn on the router log output and I can see the TCP
    > packages from it, using Wireshark.


    TCP? Not UDP?


    > I have tried reading/editing my /etc/rsyslog/remote.conf - with no
    > success!


    You do not say what you edited.

    This is how I do mine:

    /etc/rsyslog.d/remote.conf

    Code:
    # UDP Syslog Server:
    $ModLoad imudp.so         # provides UDP syslog reception
    ##$UDPServerAddress 10.10.0.1 # force to listen on this IP only,
    ##                            # needs SYSLOG_REQUIRES_NETWORK=yes.
    $UDPServerRun 514         # start a UDP syslog server at
    # standard port 514

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  3. #3

    Re: Receiving router log information in rsyslog?

    Hi Robin,

    TCP/UDP? I wouldn't mind either. Once I have something working, I can fine tune later. However, I think I am seeing TCP conversations in Wireshark.
    The router is using the DD-WRT code.
    So I have been trying to enable both in /etc/rsyslog/remote.conf. I have not seen any clues to suggest that they are mutually exclusive?

    remote.conf? Yep, mine is just like yours. But still no go? Do I need to do anything else?

    The only additional information I can think of adding is the (very limited) information I am seeing in the log files.

    /var/log/messages: When I stop and restart the rsyslog service.
    Code:
    2014-01-29T13:30:10.993487+00:00 gzunder systemd[1]: Stopping System Logging Service...
    2014-01-29T13:30:10.994873+00:00 gzunder systemd[1]: Stopped System Logging Service.
    2014-01-29T13:30:12.013319+00:00 gzunder systemd[1]: [/usr/lib/systemd/system/klog.service:26] Unknown lvalue 'Names' in section 'Unit'
    2014-01-29T13:30:31.283658+00:00 gzunder systemd[1]: [/usr/lib/systemd/system/klog.service:26] Unknown lvalue 'Names' in section 'Unit'
    2014-01-29T13:30:52.149803+00:00 gzunder systemd[1]: Reloading.
    Does that tell us anything?

    Oh and there's this:
    Code:
    gzunder:~ # lsmod | grep ^i
    iptable_nat            13011  0 
    iptable_mangle         12695  0 
    iptable_filter         12810  0 
    ip_tables              27239  3 iptable_nat,iptable_mangle,iptable_filter
    iTCO_wdt               13480  0 
    iTCO_vendor_support    13718  1 iTCO_wdt
    i7core_edac            28216  0 
    i2c_i801               22444  0 
    gzunder:~ #
    No imudp.so or imtcp.so?

    Regards, Martin
    Last edited by martinprowe; 29-Jan-2014 at 06:58. Reason: More info added

  4. #4
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Receiving router log information in rsyslog?

    On 2014-01-29 14:56, martinprowe wrote:
    >
    > Hi Robin,
    >
    > TCP/UDP? I wouldn't mind either. Once I have something working, I
    > can fine tune later. However, I think I am seeing TCP conversations in
    > Wireshark.


    Curious. Syslog is normally UDP. It is your router who decides.

    > The router is using the DD_WRT code.
    > So I have been trying to enable both in /etc/rsyslog/remote.conf. I have
    > not seen any clues to suggest that they are mutually exclusive?


    Dunno.


    > remote.conf? Yep, mine is just like yours. But still no go? Do I
    > need to do anything else?


    In "/etc/rsyslog.conf" there is this comment:

    Code:
    ## === When you're using remote logging, enable on-disk queues ===
    ## === in rsyslog.d/remote.conf. When neccesary also set the   ===
    ## === SYSLOG_REQUIRES_NETWORK=yes in /etc/sysconfig/syslog,   ===
    ## === e.g. when rsyslog has to receive on a specific IP only. ===
    12.3 removed that entry, but rsyslog still says it is needed. Go figure.


    You also need entries to pick messages from the router and write them
    somewhere. In my case:

    Code:
    if      ($source == 'router') then \
    -/var/log/router
    & ~
    which works because my dns server does reverse resolution on the router IP.

    But I don't think that's your issue yet.


    > The only additional information I can think of adding is the (very
    > limited) information I am seeing in the log files.
    >
    > /var/log/messages: When I stop and restart the rsyslog service.
    >
    > Code:
    > --------------------
    > 2014-01-29T13:30:10.993487+00:00 gzunder systemd[1]: Stopping System Logging Service...
    > 2014-01-29T13:30:10.994873+00:00 gzunder systemd[1]: Stopped System Logging Service.
    > 2014-01-29T13:30:12.013319+00:00 gzunder systemd[1]: [/usr/lib/systemd/system/klog.service:26] Unknown lvalue 'Names' in section 'Unit'
    > 2014-01-29T13:30:31.283658+00:00 gzunder systemd[1]: [/usr/lib/systemd/system/klog.service:26] Unknown lvalue 'Names' in section 'Unit'
    > 2014-01-29T13:30:52.149803+00:00 gzunder systemd[1]: Reloading.
    > --------------------
    >
    >
    > Does that tell us anything?


    No, that's irrelevant. I guess that systemd changed some syntax; some
    units use "Names" and apparently it is not recognized.

    What says this:

    Code:
    systemctl status rsyslog.service
    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  5. #5

    Re: Receiving router log information in rsyslog?

    In "/etc/rsyslog.conf" there is this comment:
    Code:
    ## === When you're using remote logging, enable on-disk queues ===
    ## === in rsyslog.d/remote.conf. When neccesary also set the   ===
    ## === SYSLOG_REQUIRES_NETWORK=yes in /etc/sysconfig/syslog,   ===
    ## === e.g. when rsyslog has to receive on a specific IP only. ===
    Yep. Seen it. And tried it. No difference!

    You also need entries to pick messages from the router and write them
    somewhere. In my case:
    Code:
    if      ($source == 'router') then \
    -/var/log/router
    & ~
    Is that in /etc/rsyslog.conf?

    But I don't think that's your issue yet.
    No. I agree. I need to get imudp.so loaded and a port open before I can worry about where to put the incoming info!
    Between these overs, I have just done a fresh install of 13.1 64bit, and there must be more than just editing remote.conf - because this new build doesn’t open port 514 either?

    What says this:
    Code:
    systemctl status rsyslog.service
    Code:
    gzunder:~ # systemctl status rsyslog.service
    rsyslog.service - System Logging Service
       Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
       Active: active (running) since Wed 2014-01-29 13:30:52 GMT; 2h 33min ago
      Process: 6989 ExecStartPre=/usr/sbin/rsyslog-service-prepare (code=exited, status=0/SUCCESS)
     Main PID: 6993 (rsyslogd)
       CGroup: /system.slice/rsyslog.service
               └─6993 /usr/sbin/rsyslogd -n
    
    Jan 29 13:30:52 gzunder systemd[1]: Started System Logging Service.
    Jan 29 13:34:28 gzunder systemd[1]: Started System Logging Service.
    Jan 29 14:06:28 gzunder systemd[1]: Started System Logging Service.
    gzunder:~ #
    Also, I have just renamed /etc/rsyslog.d/remote.conf in the hope that if I stop/start rsyslog, it will throw an error. Thus proving that remote.conf is being read.
    But no. Thus, I'm wondering that the reason that the additional modules (imudp.so & imtcp.so) are not being loaded is that remote.conf is not being read?

    Significant? How is remote.conf invoked?

    Regards, Martin

  6. #6
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,642
    Blog Entries
    3

    Re: Receiving router log information in rsyslog?

    Quote Originally Posted by martinprowe
    remote.conf? Yep, mine is just like yours. But still no go? Do I need to do anything else?
    I do the same as Carlos. That is, I uncomment two lines in "remote.conf".

    I also have to modify the firewall to allow UDP port 514. That with the "Allowed Services" option of the firewall settings. I have to click the "Advanced" button to allow port 514.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  7. #7
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Receiving router log information in rsyslog?

    On 2014-01-29 17:36, martinprowe wrote:

    > Is that in /etc/rsyslog.conf?


    Yes.

    >> But I don't think that's your issue yet.

    >
    > No. I agree. I need to get imudp.so loaded and a port open before I can
    > worry about where to put the incoming info!
    > Between these overs, I have just done a fresh install of 13.1 64bit, and
    > there must be more than just editing remote.conf - because this new
    > build doesn’t open port 514 either?


    Huh?

    I tried:

    Code:
    nmap -sS -sU -T4 -A localhost
    ....
    514/udp   open|filtered syslog
    So it is open on my 12.3. I'm not using it on 13.1 (yet)


    >> What says this:


    > Code:
    > --------------------
    > gzunder:~ # systemctl status rsyslog.service
    > rsyslog.service - System Logging Service
    > Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled)
    > Active: active (running) since Wed 2014-01-29 13:30:52 GMT; 2h 33min ago
    > Process: 6989 ExecStartPre=/usr/sbin/rsyslog-service-prepare (code=exited, status=0/SUCCESS)
    > Main PID: 6993 (rsyslogd)
    > CGroup: /system.slice/rsyslog.service
    > └─6993 /usr/sbin/rsyslogd -n
    >
    > Jan 29 13:30:52 gzunder systemd[1]: Started System Logging Service.
    > Jan 29 13:34:28 gzunder systemd[1]: Started System Logging Service.
    > Jan 29 14:06:28 gzunder systemd[1]: Started System Logging Service.
    > gzunder:~ #
    > --------------------


    Well, so it is running.


    > Also, I have just renamed /etc/rsyslog.d/remote.conf in the hope that if
    > I stop/start rsyslog, it will throw an error. Thus proving that
    > remote.conf is being read.
    > But no. Thus, I'm wondering that the reason that the additional modules
    > (imudp.so & imtcp.so) are not being loaded is that remote.conf is not
    > being read?


    I doubt it. You can insert a syntax error instead.


    > Significant? How is remote.conf invoked?


    I don't remember...

    Another thing to consider is AppArmor interfering.


    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)

  8. #8

    Re: Receiving router log information in rsyslog?

    Hi again,

    Okay, after sleeping on this problem and checking your advice, my state of play is this;

    1. Clean install of SuSE/KDE 13.1 from openSUSE-13.1-DVD-x86_64.iso. Add Packman repo and full upgrade.
    2. Disable Firewall and AppArmor using YaST2.
    Code:
    gzunder:~ # iptables -L -n -v
    Chain INPUT (policy ACCEPT 37392 packets, 12M bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 43556 packets, 5784K bytes)                                          
     pkts bytes target     prot opt in     out     source               destination                  
    gzunder:~ #
    Uncomment two lines in /etc/rsyslog.d/remote.conf
    Code:
    # ######### Receiving Messages from Remote Hosts ########## 
    # TCP Syslog Server:
    # provides TCP syslog reception and GSS-API (if compiled to support it)
    #$ModLoad imtcp.so             # mpr load module
    #$UDPServerAddress 192.168.0.1 # mpr 10.10.0.1 # force to listen on this IP only,
    #                            # needs SYSLOG_REQUIRES_NETWORK=yes.
    #$InputTCPServerRun 514        # mpr <port> # Starts a TCP server on selected port
    
    # UDP Syslog Server:
    $ModLoad imudp.so                    # edited by mpr ## provides UDP syslog reception
    #$UDPServerAddress 192.168.0.1 #edited by mpr ## force to listen on this IP only,
    ##                                              # needs SYSLOG_REQUIRES_NETWORK=yes.
    $UDPServerRun 514                    # edited by mpr ##start a UDP syslog server at standard port 514
    No errors that I can find when starting/restarting rsyslog, so I assume imudp.so has loaded okay?
    Any Idea how to test?

    But has it worked? Is port 514 open? No...
    Code:
    gzunder:~ # nmap -sS -sU localhost
    
    Starting Nmap 6.40 ( http://nmap.org ) at 2014-01-30 10:31 GMT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.0000060s latency).
    Not shown: 1990 closed ports
    PORT      STATE         SERVICE
    25/tcp    open          smtp
    111/tcp   open          rpcbind
    631/tcp   open          ipp
    5901/tcp  open          vnc-1
    10000/tcp open          snet-sensor-mgmt
    111/udp   open          rpcbind
    177/udp   open          xdmcp
    631/udp   open|filtered ipp
    5353/udp  open|filtered zeroconf
    Other udp ports are open. So I'm guessing that IF imudp.so has loaded and that there are no filters or other services blocking port 514, there MUST be a problem with 13.1? I guess I need to do a test build of 12.3.
    Incidentally, I have played with alternative UDP ports (disabling zeroconf and setting remote.conf to use 5353) with no luck.

    I have no idea how to raise a bug report, so I'll wait. I guess it will get fixed sometime? If anyone running 13.1 can confirm, I'd appreciate it.

    Regards, Martin
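    The post above asks how to test whether imudp has actually loaded and whether a UDP syslog listener receives anything. The following is an added example, not code from the thread, from rsyslog or from DD-WRT: a small Python script that binds a UDP socket the way a syslog daemon does, sends itself one datagram in the classic BSD syslog (RFC 3164) format over localhost, and parses what arrives. The facility (local0), hostname "router", tag "kernel" and message text are constructed values; the listener defaults to an unprivileged ephemeral port so the round trip runs without root.

    ```python
    import socket
    import time

    # Constructed facility/severity for the test message (not values from the thread).
    LOCAL0 = 16   # facility local0
    INFO = 6      # severity informational


    def format_rfc3164(facility, severity, hostname, tag, message):
        """Build a BSD-syslog (RFC 3164) line: <PRI>TIMESTAMP HOST TAG: MSG, PRI = facility*8+severity."""
        pri = facility * 8 + severity
        t = time.localtime()
        # RFC 3164 timestamps are "Mmm dd hh:mm:ss" with the day space-padded.
        stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
        return f"<{pri}>{stamp} {hostname} {tag}: {message}"


    def parse_rfc3164(raw):
        """Split a received datagram back into its parts; raises ValueError on malformed input."""
        text = raw.decode("utf-8", errors="replace")
        if not text.startswith("<") or ">" not in text:
            raise ValueError("datagram has no <PRI> header")
        close = text.index(">")
        pri = int(text[1:close])
        rest = text[close + 1:]
        timestamp = rest[:15]                       # fixed-width "Mmm dd hh:mm:ss"
        hostname, tag_and_msg = rest[16:].split(" ", 1)
        tag, message = tag_and_msg.split(": ", 1)
        return {
            "facility": pri // 8,
            "severity": pri % 8,
            "timestamp": timestamp,
            "hostname": hostname,
            "tag": tag,
            "message": message,
        }


    def open_udp_receiver(bind_addr="127.0.0.1", port=0):
        """Bind a UDP socket as a syslog daemon would. Port 0 picks a free
        unprivileged port; pass 514 (as root) to stand in for rsyslogd itself."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((bind_addr, port))
        sock.settimeout(5)
        return sock


    def send_syslog(host, port, line):
        """Send one UDP datagram to a syslog listener, which is all the router does."""
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(line.encode("utf-8"), (host, port))


    def roundtrip(port=0):
        """Receiver and sender on localhost: returns the parsed message and the
        source address the receiver saw."""
        receiver = open_udp_receiver(port=port)
        try:
            listen_port = receiver.getsockname()[1]
            line = format_rfc3164(LOCAL0, INFO, "router", "kernel", "constructed test message")
            send_syslog("127.0.0.1", listen_port, line)
            data, (src_host, _) = receiver.recvfrom(2048)
        finally:
            receiver.close()
        return parse_rfc3164(data), src_host


    if __name__ == "__main__":
        parsed, src = roundtrip()
        print(f"received from {src}: {parsed}")
    ```

    If the round trip on an ephemeral port works but nothing arrives when `send_syslog("127.0.0.1", 514, line)` is aimed at a running rsyslogd, the problem is the daemon's listener (module not loaded, or the config file not read) rather than the network path; a line should appear in /var/log/messages or wherever the matching filter writes it. The same datagram can be sent from the shell with util-linux `logger -n 127.0.0.1 -P 514 -d "test"`.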

  9. #9
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,642
    Blog Entries
    3

    Re: Receiving router log information in rsyslog?

    Quote Originally Posted by martinprowe
    I have no idea how to raise a bug report, so I'll wait. I guess it will get fixed sometime? If anyone running 13.1 can confirm, I'd appreciate it.
    I don't have "nmap" installed here. I check with:
    Code:
     % netstat -u -a | grep 514
    udp        0      0 0.0.0.0:514             0.0.0.0:*
    udp        0      0 :::514
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha

  10. #10
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: Receiving router log information in rsyslog?

    On 2014-01-30 15:16, nrickert wrote:

    > I don't have "nmap" installed here. I check with:
    >
    > Code:
    > --------------------
    >
    > % netstat -u -a | grep 514
    > udp 0 0 0.0.0.0:514 0.0.0.0:*
    > udp 0 0 :::514
    >
    > --------------------


    On my 12.3, where remote logging is working, that command produces zero
    output. Weird. Ah, no, it appears as:

    Code:
    udp        0      0 *:syslog                *:*

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 12.3 x86_64 "Dartmouth" at Telcontar)
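    The last two posts show why `grep 514` can miss a working listener: without `-n`, netstat resolves the port through /etc/services and prints `*:syslog` instead of `0.0.0.0:514`. As an added example (not code from the thread or from any of the posters), this Python checker parses `netstat -u -a` or `ss -ul` output, maps service names back to port numbers, and reports on which local addresses the syslog port is bound. The SAMPLE_NETSTAT text is constructed to mirror the three output forms quoted in this thread and is not a capture from a real host.

    ```python
    import socket

    # Service names netstat prints when it resolves port numbers via /etc/services.
    KNOWN_SERVICES = {"syslog": 514}

    # Constructed sample modelled on the outputs quoted in this thread
    # (numeric IPv4, numeric IPv6 and resolved forms); not from a real host.
    SAMPLE_NETSTAT = """\
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    udp        0      0 0.0.0.0:514             0.0.0.0:*
    udp        0      0 0.0.0.0:5353            0.0.0.0:*
    udp6       0      0 :::514                  :::*
    udp        0      0 *:syslog                *:*
    tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
    """


    def port_number(service):
        """Turn the port part of a local address into a number: '514' -> 514,
        'syslog' -> 514; None if it cannot be resolved."""
        if service.isdigit():
            return int(service)
        if service in KNOWN_SERVICES:
            return KNOWN_SERVICES[service]
        try:
            return socket.getservbyname(service, "udp")
        except OSError:
            return None


    def local_endpoint(line, proto="udp"):
        """Return (host, port) for a netstat/ss line of the given protocol family
        ('udp' also matches 'udp6'), or None for headers and other protocols."""
        fields = line.split()
        if not fields or not fields[0].startswith(proto):
            return None
        # The local address is the first field containing ':' in both the
        # netstat ("udp 0 0 LOCAL FOREIGN") and ss ("udp UNCONN 0 0 LOCAL PEER") layouts.
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            return None
        host, _, port = local.rpartition(":")   # rpartition keeps '::' intact for IPv6
        return host, port_number(port)


    def syslog_listeners(output, port=514, proto="udp"):
        """All lines in which something is bound to the syslog port for that protocol."""
        found = []
        for line in output.splitlines():
            ep = local_endpoint(line, proto)
            if ep and ep[1] == port:
                found.append(line)
        return found


    def bind_addresses(output, port=514, proto="udp"):
        """Local addresses the syslog port is bound on, e.g. '0.0.0.0', '::' or '*'."""
        return [local_endpoint(l, proto)[0] for l in syslog_listeners(output, port, proto)]


    def grep_514(output):
        """The naive check from the thread: lines that literally contain '514'.
        It misses the resolved '*:syslog' form and also matches the TCP line."""
        return [l for l in output.splitlines() if "514" in l]


    if __name__ == "__main__":
        for l in syslog_listeners(SAMPLE_NETSTAT):
            print(l)
        print("UDP syslog bound on:", bind_addresses(SAMPLE_NETSTAT))
    ```

    To run it against the live host, feed it the output of `netstat -u -a -n` (or `ss -uln`); the `-n` flag avoids the name resolution that tripped up the grep in the first place, but the parser copes either way.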
