On Wednesday 08 March 2006 08:53, Craig White wrote:
>On Wed, 2006-03-08 at 08:44 -0500, Gene Heskett wrote:
>> On Wednesday 08 March 2006 08:28, Craig White wrote:
>> >On Wed, 2006-03-08 at 01:43 -0500, Gene Heskett wrote:
>> >> On Wednesday 08 March 2006 01:03, Craig White wrote:
>> >> >On Wed, 2006-03-08 at 00:50 -0500, Gene Heskett wrote:
>> >> >> Greetings all;
>> >> >>
>> >> >> My router has the ability to send access logs to an ip
>> >> >> address, which is assignable.
>> >> >>
>> >> >> My thoughts are to set up a virtual eth0:1 at an unused local
>> >> >> address in the 192.168.1 block, and simply copy everything
>> >> >> that comes into that port off to a logfile, plugging that
>> >> >> logfile into logrotate's schedule and thereby keeping a log for
>> >> >> forensic purposes.
>> >> >>
>> >> >> I've tried the usual culprits, like cat </dev/eth0:1, or dd
>> >> >> if=/dev/eth0:1 but neither of those seems to work, lack of a
>> >> >> device, and sure enough when I look in /dev on that old RH7.3
>> >> >> box, there are no eth* entries.
>> >> >>
>> >> >> I'm probably in one of those situations where I can't see the
>> >> >> tree for all this forest in the way, so could someone toss me
>> >> >> a clue please?
>> >> >
>> >> >----
>> >> >don't bother with all that nonsense...your syslog has the
>> >> > ability to accept, log, rotate, etc. from network devices...
>> >> >
>> >> >man syslogd /support for remote logging
>> >> >
>> >> >unless you feel like doing unnecessary gymnastics
>> >> >
>> >> >Craig
>> >>
>> >> Ok, I've inserted that line in services that's needed for that to
>> >> work, syslog 514/udp
>> >>
>> >> And added the -r option to OPTIONS in the syslog file in
>> >> /etc/sysconfig, SIGHUPed syslogd, and turned the router's
>> >> forwarding of the access log to the main 192.168.x.x address of
>> >> that machine. But nothing is appearing in either all.log or any
>> >> other log with a recent timestamp.
>> >>
>> >> Did I miss something? Or is the Linksys BEFSR41 router logging
>> >> to some other unk (udp/tcp) port besides 514?
>> >
>> >----
>> >Let's keep this on list OK?
>>
>> Sorry.
>>
>> >Firewall on Linux system blocking port 514 protocol UDP?
>>
>> Not that I'm aware of, and if it blocked it, it would log it I
>> believe.
>>
>> >Logging will go into /var/log/messages unless you redirect it via
>> >syslog.conf # man syslog.conf
>>
>> No redirections that I'm aware of, watching the directory for
>> growing files, and tail of all.log only shows a bunch of New not SYN
>> stuff being dropped.
>>
>> >Is there actually traffic ? you can use something like ethereal to
>> > trace activity between router & Linux system
>>
>> I can see traffic being logged by the router itself by clicking on
>> its incoming and outgoing buttons, then clicking each one's refresh to
>> update the display. Incoming is all torrent related as I'm seeding
>> ubuntu, outgoing is showing much more, but none of it is making it
>> to a logfile that I can find. Perhaps /etc/syslog.conf isn't the
>> place to add that -r?
>
>----
>I suppose if that were the proper place to put it, the command would
> be listed in the man pages for syslog.conf
>
>of course it's not the correct place to put the '-r', the proper place
>is in the command used to launch syslogd which would generally be the
>sysconfig for syslogd but on a RH 7.3, that may not exist and you
> might have to insert it into /etc/init.d/ - I don't know, I've long
> since retired all my RH 7.x systems

I've now inserted it into the OPTIONS line of /etc/init.d/syslog and
restarted it, with no visible effect other than the restart noted in
the logs. tcpdump -i eth0 -p udp is picking up some 'snmptrap' stuff
though. See my other msg from 5 minutes ago.

[...]

--
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's stupid
bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
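An added example, not part of the thread above: a minimal UDP syslog receiver in Python that does on the Linux side what Gene was after, binding the LAN address the router forwards to, decoding the BSD syslog `<PRI>` header of each datagram and appending one line per datagram to a file, which also shows directly whether anything is arriving on port 514 at all. The bind address, port, output path and the sample datagram in the comments are constructed assumptions, not values from the thread.

```python
"""Tiny UDP syslog receiver: one log line per datagram received from the router.
Bind address, port and output path below are constructed examples."""
import socket
from datetime import datetime

# Facility and severity names as numbered in the BSD syslog (RFC 3164) <PRI> field.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(datagram: bytes):
    """Split a datagram into (facility, severity, body).
    PRI = facility * 8 + severity, 0..191, in at most three digits.
    Datagrams without a valid <PRI> header are kept verbatim under 'unknown'
    so that nothing the router sends is silently dropped."""
    text = datagram.decode("latin-1").rstrip("\r\n\x00")
    if text.startswith("<"):
        end = text.find(">", 1, 5)          # '>' must sit at index 2, 3 or 4
        if end > 1 and text[1:end].isdigit():
            pri = int(text[1:end])
            if 0 <= pri <= 191:
                fac, sev = divmod(pri, 8)
                return FACILITIES[fac], SEVERITIES[sev], text[end + 1:]
    return "unknown", "unknown", text


def format_line(src_ip: str, datagram: bytes, now=None) -> str:
    """Receive time, sender address, facility.severity and the message body.
    The sender address comes from the UDP header and is unauthenticated."""
    now = now or datetime.now()
    fac, sev, body = parse_pri(datagram)
    return f"{now:%b %d %H:%M:%S} {src_ip} {fac}.{sev} {body}"


def serve(bind_addr="192.168.1.250", port=514, path="/var/log/router.log"):
    """Bind only the LAN address the router is configured to log to (not
    0.0.0.0) and append every datagram; port 514 needs root privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(path, "a", buffering=1) as out:        # line-buffered
        while True:
            data, (src_ip, _) = sock.recvfrom(65535)
            out.write(format_line(src_ip, data) + "\n")


if __name__ == "__main__":
    serve()
```

Run it with syslogd stopped (or on another port) so the two do not compete for 514; if lines appear here but not in syslog's files, the problem is syslogd's configuration rather than the router or the firewall.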