On Wed, 2006-03-08 at 08:44 -0500, Gene Heskett wrote:
> On Wednesday 08 March 2006 08:28, Craig White wrote:
> >On Wed, 2006-03-08 at 01:43 -0500, Gene Heskett wrote:
> >> On Wednesday 08 March 2006 01:03, Craig White wrote:
> >> >On Wed, 2006-03-08 at 00:50 -0500, Gene Heskett wrote:
> >> >> Greetings all;
> >> >>
> >> >> My router has the ability to send access logs to an ip address,
> >> >> which is assignable.
> >> >>
> >> >> My thoughts are to setup a virtual eth0:1 at an unused local
> >> >> address in the 192.168.1 block, and simply copy everything that
> >> >> comes into that port off to a logfile, plugging that logfile into
> >> >> logrotate's schedule and thereby keeping a log for forensic
> >> >> purposes.
> >> >>
> >> >> I've tried the usual culprits, like cat </dev/eth0:1, or dd
> >> >> if=/dev/eth0:1 but neither of those seems to work, lack of a
> >> >> device, and sure enough when I look in /dev on that old RH7.3
> >> >> box, there are no eth* entries.
> >> >>
> >> >> I'm probably in one of those situations where I can't see the
> >> >> tree for all this forest in the way, so could someone toss me a
> >> >> clue please?
> >> >
> >> >----
> >> >don't bother with all that nonsense...your syslog has the ability
> >> > to accept, log, rotate, etc. from network devices...
> >> >
> >> >man syslogd /support for remote logging
> >> >
> >> >unless you feel like doing unnecessary gymnastics
> >> >
> >> >Craig
> >>
> >> Ok, I've inserted that line in services that's needed for that to
> >> work, syslog 514/udp
> >>
> >> And added the -r option to OPTIONS in the syslog file in
> >> /etc/sysconfig, SIGHUPed syslogd, and turned the router's forwarding
> >> of the access log to the main 192.168.x.x address of that machine.
> >> But nothing is appearing in either all.log or any other log with a
> >> recent timestamp.
> >>
> >> Did I miss something? Or is the linksys BEFSR41 router's logging to
> >> some other unk (udp/tcp) port besides 514?
> >
> >----
> >Let's keep this on list OK?
>
> Sorry.
>
> >Firewall on Linux system blocking port 514 protocol UDP?
>
> Not that I'm aware of, and if it blocked it, it would log it I believe.
>
> >Logging will go into /var/log/messages unless you redirect it via
> >syslog.conf # man syslog.conf
>
> No redirections that I'm aware of, watching the directory for growing
> files, and tail of all.log only shows a bunch of New not SYN stuff
> being dropped.
>
> >Is there actually traffic ? you can use something like ethereal to
> > trace activity between router & Linux system
>
> I can see traffic being logged by the router itself by clicking on its
> incoming and outgoing buttons, then clicking each's refresh to update
> the display. Incoming is all torrent related as I'm seeding ubuntu,
> outgoing is showing much more, but none of it is making it to a logfile
> that I can find. Perhaps /etc/syslog.conf isn't the place to add that
> -r?
----
I suppose if that were the proper place to put it, the command would be
listed in the man pages for syslog.conf

of course it's not the correct place to put the '-r', the proper place
is in the command used to launch syslogd which would generally be the
sysconfig for syslogd but on a RH 7.3, that may not exist and you might
have to insert it into /etc/init.d/ - I don't know, I've long since
retired all my RH 7.x systems
----
> >The RH 7.3 system may have a very different version of syslogd and
> >behave differently
>
> Yes, I'm afraid of that myself. I could maybe port forward 514 to this
> box, but I've no idea if that would work for messages generated in the
> router as opposed to incoming stuff from the dsl modem. That would
> also require a rule similar to the one that lets bittorrent thru I
> assume. Does that look feasible?
----
no

Craig
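The two things the thread says the listening box needs (a `syslog 514/udp` entry in the services file and `-r` in the options syslogd is launched with, which on a Red Hat style system live in the sysconfig file rather than in syslog.conf) are easy to get wrong in the way Gene did. The script below is an added example, not code posted by anyone in this thread, that checks both against files passed as parameters; the Red Hat layout (/etc/services and /etc/sysconfig/syslog with a SYSLOGD_OPTIONS variable) is an assumption, and the sample files it builds are constructed here to exercise the checks offline.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the two prerequisites the
# thread names for sysklogd to accept remote UDP syslog on a Red Hat style box.
# File paths are parameters (assumed layout: /etc/services and
# /etc/sysconfig/syslog) so the checks run against constructed sample files.

# Returns 0 when the services file maps "syslog" to 514/udp, 1 otherwise.
has_syslog_service() {
    grep -Eq '^[[:space:]]*syslog[[:space:]]+514/udp' "$1"
}

# Returns 0 when SYSLOGD_OPTIONS in the sysconfig file contains a bare -r
# (the sysklogd switch that enables reception from the network), 1 otherwise.
# Comments are stripped first and the last assignment wins, as the shell would do.
has_remote_reception() {
    opts=$(sed 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*SYSLOGD_OPTIONS=' \
        | tail -n 1 | cut -d= -f2- | tr -d "\"'")
    for w in $opts; do
        [ "$w" = "-r" ] && return 0
    done
    return 1
}

# Combined check: returns 0 only if both conditions hold, naming what is missing.
check_remote_syslog() {
    services="$1"; sysconfig="$2"; rc=0
    if ! has_syslog_service "$services"; then
        echo "missing: 'syslog 514/udp' in $services" >&2; rc=1
    fi
    if ! has_remote_reception "$sysconfig"; then
        echo "missing: -r in SYSLOGD_OPTIONS in $sysconfig" >&2; rc=1
    fi
    return $rc
}

# Constructed sample files (not real system files) to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
GOOD_SERVICES="$SAMPLE_DIR/services"
printf 'ssh\t\t22/tcp\nsyslog\t\t514/udp\n' > "$GOOD_SERVICES"
BAD_SERVICES="$SAMPLE_DIR/services.noudp"
printf 'ssh\t\t22/tcp\nshell\t\t514/tcp\t\tcmd\n' > "$BAD_SERVICES"
GOOD_SYSCONFIG="$SAMPLE_DIR/syslog.good"
printf '# Options to syslogd\nSYSLOGD_OPTIONS="-m 0 -r"\nKLOGD_OPTIONS="-x"\n' > "$GOOD_SYSCONFIG"
BAD_SYSCONFIG="$SAMPLE_DIR/syslog.bad"
printf 'SYSLOGD_OPTIONS="-m 0"   # -r never added\n' > "$BAD_SYSCONFIG"

check_remote_syslog "$GOOD_SERVICES" "$GOOD_SYSCONFIG" && echo "sample good config: ok"
check_remote_syslog "$BAD_SERVICES" "$BAD_SYSCONFIG" || echo "sample bad config: rejected as expected"

# On a real box, after fixing the options and restarting syslogd, confirm the
# daemon is actually bound to the port: netstat -anu | grep ':514 '
# (a 0.0.0.0:514 UDP line means it is listening; if absent, the -r never took).
```

Run it as `sh check_remote_syslog.sh`; to check a live system call `check_remote_syslog /etc/services /etc/sysconfig/syslog`. Note that it only inspects configuration: a host firewall dropping 514/udp, or a router sending to a different port, still has to be ruled out by looking at the traffic, as Craig suggests.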