On Wed, 2006-03-08 at 09:34 -0500, Gene Heskett wrote:
> On Wednesday 08 March 2006 08:28, Craig White wrote:
> >On Wed, 2006-03-08 at 01:43 -0500, Gene Heskett wrote:
> >> On Wednesday 08 March 2006 01:03, Craig White wrote:
> >> >On Wed, 2006-03-08 at 00:50 -0500, Gene Heskett wrote:
> >> >> Greetings all;
> >> >>
> >> >> My router has the ability to send access logs to an ip address,
> >> >> which is assignable.
> >> >>
> >> >> My thoughts are to setup a virtual eth0:1 at an unused local
> >> >> address in the 192.168.1 block, and simply copy everything that
> >> >> comes into that port off to a logfile, plugging that logfile into
> >> >> logrotate's schedule and thereby keeping a log for forensic
> >> >> purposes.
> >> >>
> >> >> I've tried the usual culprits, like cat </dev/eth0:1, or dd
> >> >> if=/dev/eth0:1 but neither of those seems to work, lack of a
> >> >> device, and sure enough when I look in /devs on that old RH7.3
> >> >> box, there are no eth* entries.
> >> >>
> >> >> I'm probably in one of those situations where I can't see the
> >> >> tree for all this forest in the way, so could someone toss me a
> >> >> clue please?
> >> >
> >> >----
> >> >don't bother with all that nonsense...your syslog has the ability
> >> > to accept, log, rotate, etc. from network devices...
> >> >
> >> >man syslogd /support for remote logging
> >> >
> >> >unless you feel like doing unnecessary gymnastics
> >> >
> >> >Craig
> >>
> >> Ok, I've inserted that line in services that's needed for that to
> >> work, syslog 514/udp
> >>
> >> And added the -r option to OPTIONS in the syslog file in
> >> /etc/sysconfig, SIGHUPed syslogd, and turned the router's forwarding
> >> of the access log to the main 192.168.x.x address of that machine.
> >> But nothing is appearing in either all.log or any other log with a
> >> recent timestamp.
> >>
> >> Did I miss something? Or is the linksys BEFSR41 router logging to
> >> some other unk (udp/tcp) port besides 514?
> >
> >----
> >Let's keep this on list OK?
> >
> >Firewall on Linux system blocking port 514 protocol UDP?
> >
> >Logging will go into /var/log/messages unless you redirect it via
> >syslog.conf # man syslog.conf
> >
> >Is there actually traffic? You can use something like ethereal to
> > trace activity between router & Linux system
>
> I couldn't make sense out of the ethereal output, but I am seeing quite
> a bit of this when I run:
>
> tcpdump -i eth0 -p udp
>
> and scattered amongst the dns queries is a few of these:
> ========
> 09:27:09.106059 router.coyote.den.16139 > 192.168.1.100.snmptrap:
> Trap(35) E:3093.2.2.1 192.168.1.1
> enterpriseSpecific[specific-trap(1)!=0] 25922015 [|snmp]
> ========
> but this router doesn't do the mrtg thing that I'm aware of. It's a
> linksys BEFSR41, latest firmware.
>
> But, is this the data I want? In case yes, how do I go about logging it
> to a unique logfile? I don't see it being rejected or dropped in
> iptables.
>
> >The RH 7.3 system may have a very different version of syslogd and
> >behave differently
----
I don't understand the '-p' in tcpdump but it would seem that if you are
gonna use tcpdump, that filtering it down by 'dst port 514' would make
sense because so much traffic makes it hard to find what you want;
filtering it would be good...ethereal does have some nice tools in the
gui tool.

Also, you should verify how syslogd is running (i.e., is it now using
the -r option)...

ps aux|grep syslog

Craig
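As an added diagnostic example (not from the thread, and not a substitute for the syslogd -r setup Craig recommends), a small receiver for BSD-syslog datagrams on UDP/514 that decodes the <PRI> prefix into facility and severity and appends each record, tagged with the sender's IP, to its own file. This is what the original "copy everything that comes into that port off to a logfile" idea amounts to at the socket layer, and it shows exactly what (if anything) the router is delivering on 514. The log path, bind address and sample datagram are assumptions; run it with syslogd stopped, since only one process can own the port.

```python
import re
import socket
from datetime import datetime

# RFC 3164 names; PRI = facility * 8 + severity, so 0..191 is the valid range.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_syslog(datagram: bytes) -> dict:
    """Decode one BSD-syslog datagram as a router sends it to UDP/514.
    A datagram without a valid <PRI> prefix is kept whole and tagged
    user.notice (PRI 13), which is what RFC 3164 tells receivers to assume."""
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), m.group(2)
    else:
        pri, body = 13, datagram
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "message": body.decode("utf-8", errors="replace").rstrip("\r\n"),
    }

def format_line(peer_ip: str, rec: dict) -> str:
    """One line per datagram, tagged with the sending IP so a per-device file stays attributable."""
    stamp = datetime.now().strftime("%b %d %H:%M:%S")
    return f"{stamp} {peer_ip} {rec['facility']}.{rec['severity']}: {rec['message']}\n"

def serve(logfile: str = "/var/log/router.log", bind_addr: str = "0.0.0.0", port: int = 514) -> None:
    """Append every datagram received on UDP/514 to logfile (assumed path).
    Binding port 514 needs root, and syslogd must not be holding it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    with open(logfile, "a") as out:
        while True:
            data, (peer_ip, _port) = sock.recvfrom(4096)
            out.write(format_line(peer_ip, parse_syslog(data)))
            out.flush()

if __name__ == "__main__":
    # Constructed sample datagram (not captured from the router in the thread): PRI 134 = local0.info.
    sample = b"<134>Mar  8 09:27:09 router access: sample line"
    print(format_line("192.168.1.1", parse_syslog(sample)), end="")
```

If nothing lands in the file while the router is set to forward to this host, the router is not speaking syslog to 514 at all, which matches the SNMP-trap traffic seen in the tcpdump output above.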