On Wednesday 08 March 2006 08:28, Craig White wrote:
>On Wed, 2006-03-08 at 01:43 -0500, Gene Heskett wrote:
>> On Wednesday 08 March 2006 01:03, Craig White wrote:
>> >On Wed, 2006-03-08 at 00:50 -0500, Gene Heskett wrote:
>> >> Greetings all;
>> >>
>> >> My router has the ability to send access logs to an ip address,
>> >> which is assignable.
>> >>
>> >> My thoughts are to set up a virtual eth0:1 at an unused local
>> >> address in the 192.168.1 block, and simply copy everything that
>> >> comes into that port off to a logfile, plugging that logfile into
>> >> logrotate's schedule and thereby keeping a log for forensic
>> >> purposes.
>> >>
>> >> I've tried the usual culprits, like cat </dev/eth0:1, or dd
>> >> if=/dev/eth0:1 but neither of those seems to work, lack of a
>> >> device, and sure enough when I look in /dev on that old RH7.3
>> >> box, there are no eth* entries.
>> >>
>> >> I'm probably in one of those situations where I can't see the
>> >> tree for all this forest in the way, so could someone toss me a
>> >> clue please?
>> >
>> >----
>> >don't bother with all that nonsense...your syslog has the ability
>> > to accept, log, rotate, etc. from network devices...
>> >
>> >man syslogd /support for remote logging
>> >
>> >unless you feel like doing unnecessary gymnastics
>> >
>> >Craig
>>
>> Ok, I've inserted that line in services that's needed for that to
>> work, syslog 514/udp
>>
>> And added the -r option to OPTIONS in the syslog file in
>> /etc/sysconfig, SIGHUPed syslogd, and turned the router's forwarding
>> of the access log to the main 192.168.x.x address of that machine.
>> But nothing is appearing in either all.log or any other log with a
>> recent timestamp.
>>
>> Did I miss something? Or is the linksys BEFSR41 router's logging going to
>> some other unk (udp/tcp) port besides 514?
>
>----
>Let's keep this on list OK?
>
>Firewall on Linux system blocking port 514 protocol UDP?
>
>Logging will go into /var/log/messages unless you redirect it via
>syslog.conf # man syslog.conf
>
>Is there actually traffic ? you can use something like ethereal to
> trace activity between router & Linux system

I couldn't make sense out of the ethereal output, but I am seeing quite
a bit of this when I run:

tcpdump -i eth0 -p udp

and scattered amongst the dns queries are a few of these:

========
09:27:09.106059 router.coyote.den.16139 > 192.168.1.100.snmptrap: Trap(35) E:3093.2.2.1 192.168.1.1 enterpriseSpecific[specific-trap(1)!=0] 25922015 [|snmp]
========

but this router doesn't do the mrtg thing that I'm aware of. It's a
linksys BEFSR41, latest firmware. But, is this the data I want? In
case yes, how do I go about logging it to a unique logfile? I don't
see it being rejected or dropped in iptables.

>The RH 7.3 system may have a very different version of syslogd and
>behave differently
>
>Craig

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's stupid
bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
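The tcpdump line above is an SNMPv1 trap arriving on UDP/162 (the snmptrap port), not syslog on UDP/514, which is why syslogd -r never sees it. As an added example that is not part of the thread, the following Python receiver binds UDP/162, decodes the SNMPv1 Trap-PDU fields (enterprise OID, agent address, generic/specific trap, uptime), and appends one line per datagram to a file of its own; the function names are hypothetical, the embedded sample packet is constructed from the values in the tcpdump line, and its community string "public" is an assumption the tcpdump output does not show.

```python
import socket

def _tlv(buf, pos):  # one BER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(data):  # BER OBJECT IDENTIFIER body -> dotted string (7 bits/byte, high bit = more)
    arcs, acc = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_snmpv1_trap(packet):  # decode an SNMPv1 Trap-PDU (RFC 1157); ValueError otherwise
    tag, msg, _ = _tlv(packet, 0)
    _, version, pos = _tlv(msg, 0)
    _, community, pos = _tlv(msg, pos)
    pdu_tag, pdu, _ = _tlv(msg, pos)
    if tag != 0x30 or version != b"\x00" or pdu_tag != 0xA4:
        raise ValueError("not an SNMPv1 trap")
    _, ent, pos = _tlv(pdu, 0)     # enterprise OID
    _, addr, pos = _tlv(pdu, pos)  # agent-addr (IpAddress, 4 raw bytes)
    _, gen, pos = _tlv(pdu, pos)   # generic-trap (6 = enterpriseSpecific)
    _, spec, pos = _tlv(pdu, pos)  # specific-trap
    _, ticks, _ = _tlv(pdu, pos)   # time-stamp (TimeTicks); var-bindings follow, not decoded here
    return {"community": community.decode(errors="replace"), "enterprise": _oid(ent),
            "agent": ".".join(map(str, addr)), "generic": int.from_bytes(gen, "big"),
            "specific": int.from_bytes(spec, "big"), "uptime": int.from_bytes(ticks, "big")}

def log_line(src_ip, packet):  # one text line per datagram; undecodable ones are kept, not dropped
    try:
        return f"{src_ip} " + " ".join(f"{k}={v}" for k, v in parse_snmpv1_trap(packet).items())
    except (ValueError, IndexError):
        return f"{src_ip} undecodable ({len(packet)} bytes): {packet[:32].hex()}"

def listen(logfile, bind=("0.0.0.0", 162)):  # UDP/162 is snmptrap; binding it needs root
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    with open(logfile, "a", buffering=1) as out:  # line-buffered so every trap reaches disk
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            out.write(log_line(ip, data) + "\n")
# Constructed sample trap, values taken from the tcpdump line on the page (community assumed)
SAMPLE_TRAP = bytes.fromhex("302d" "020100" "04067075626c6963"  # SEQUENCE, version 0, "public"
    "a420" "060a2b060104019815020201" "4004c0a80101"         # Trap-PDU, enterprise OID, agent
    "020106" "020101" "4304018b89df" "3000")                 # generic, specific, ticks, varbinds
```

Run `listen("/var/log/router-traps.log")` as root on the 192.168.1.100 box and point logrotate at that file; the tcpdump filter `udp port 162` confirms traffic is still arriving if the file stays empty.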