  1. #1
    Nerderello (Linux Engineer, North East England)

    Router syslog entries to your syslog - Howto


    This mini Howto is about what I had to do to get my Netgear DG834GT router (Sky Broadband) sending its system log to my PC's syslog.

    I HAVE NOT DEALT WITH THE SECURITY ISSUES THAT THIS CAN CAUSE.

    First things first, I run Suse 10.1 Linux on my PC, with a Belkin Wireless (WiFi) card, so the following steps are for Suse Linux. But if you run a different Linux or Mac OS X then you should be able to get something out of them. And even if you run that strange program loader called Windows, you may get something out of this, as you can get Syslog for that as well (see http://www.kiwisyslog.com/index.php ).

    The steps that I had to take were in two parts - the PC stuff and the router stuff.

    PC configuration steps
    Firewall
    First I set up my PC's firewall so that the System Log (I'll call it syslog from now on) messages are allowed in. These messages come from the router over UDP on port 514 (if you want to understand what that is, I suggest that you search for it with your favourite internet search engine). To allow these messages in I did:

    1) Start YAST (this is in Menu > System), you will need the root/admin password.
    2) Select Security and Users, then select Firewall (icon looks like an orange padlock in front of a brick wall).
    3) I set the firewall to start at boot up, and I added the Belkin WiFi card (interface) - which is known as 'ra0' - to be in the External Zone.
    4) Then, having set up my basic firewall stuff, I selected 'Allowed Services', and for the External Zone (ie. the zone that my WiFi card, and therefore the router, live in) I selected the 'Advanced...' button (bottom right) and entered 514 into the UDP field. Then pressed Okay and then Next, which brought me to a Firewall Summary Screen. This screen said "Start the firewall when booting", that the Internal and Demilitarized Zones had no interfaces assigned, but that the External zone had 'ra0' (the name of my WiFi card), plus 'any' plus 'wlan0' (although I don't remember putting either of those in) assigned. It also says under the heading 'Open Services, Ports, and Protocols' 'UDP ports: 514'.
    5) Press 'Accept' and the firewall was setup and started (restarted).

    Syslog
    Older versions of Linux use the 'syslogd' program to do their syslogging, Suse 10.1 uses the newer 'syslog-ng' (the 'ng' stands for something 'Trekkie' like New Generation). Having said that, I still had to add the "-r" start up option that syslog used to accept remote data (NB: if you don't do this, syslog-ng will NOT start once you have configured it (syslog-ng) for remote input). But I'm getting ahead of myself, first the configuring of syslog-ng.

    Syslog-ng is configured using the /etc/syslog-ng/syslog-ng.conf file. But, Suse doesn't like you editing this file, so they give you a copy to edit instead, called /etc/syslog-ng/syslog-ng.conf.in . I opened this in my favourite editor (kedit) as the root/admin user (for those who don't know, either logon as the root user, or login as your normal self and then open a terminal/console and make yourself root user (enter 'su -' followed by the root/admin user's password) and then enter 'kedit') and :

    1) Removed the comment symbol (#) from the line 'udp(ip("0.0.0.0") port(514));' , which is in the src (source) block near the top. This says accept messages from anybody on port 514 - the syslog port.
    2) Added, below the other 'filter' statements the line 'filter f_router { host(192.168.0.1); };' . The IP address 192.168.0.1 is what this router calls itself on the local/WiFi network. Obviously, the single quotes ' around these lines were NOT entered.
    3) Added, at the bottom of the file, the line 'destination routermsg { file("/var/log/router.log"); };' . This says that all messages coming from "routermsg" (see below) should be sent to a file called /var/log/router.log (this file will be created if not present), which is in the folder that all of the various logging files get put.
    4) Added, after the above line, the line 'log { source(src); filter(f_router); destination(routermsg); };' . This ties everything together, it takes messages from the source called "src" that have passed the filter called "f_router" (ie. are from the router) and passes them to the destination called "routermsg", which was just set up.
    5) I then saved and closed this file. Now to get it put in live.
    6) In YAST again, I selected System, and then '/etc/sysconfig Editor' (the icon looks like a crossed hammer and spanner).
    7) I expanded 'System' (clicked on the little cross + next to it) and then expanded 'Logging', which gave me six meaningless upper case options.
    8) I clicked on 'SYSLOGD_PARAMS' and entered '-r' into the "Setting of:SYSLOGD_PARAMS" field (again, the single quotes ' were not entered). This is to allow the syslogd, which we don't use, to accept remote input (failure to do this will stop syslog-ng from starting).
    9) I then clicked on "SYSLOG_NG_CREATE_CONFIG" , and changed the "Yes" to a "No" in the pulled down option list for "Setting of: SYSLOG_NG_CREATE_CONFIG". Now this may seem odd, as we DO want this to happen, but you'll see why in a moment.
    10) Then, with nothing else to change, I clicked on "Finish", and Okayed variables changed screen.
    11) I then went back into '/etc/sysconfig Editor' and back into "SYSLOG_NG_CREATE_CONFIG", but this time I changed it back to "Yes", and clicked on "Finish" and Okayed the variable change. This forced SuseConfig, which runs behind YAST, to take the contents of the '/etc/syslog-ng/syslog-ng.conf.in' file and put them into the live '/etc/syslog-ng/syslog-ng.conf' file, and then restart syslog-ng.

    Note: if the syslog-ng doesn't restart, try entering (as the root/admin user) 'service syslog restart' and see what messages you get.

    Router Configuration
    eMail
    For reasons best known to itself, you must define an email address for the router to send alerts to, before you can define where it is to send its syslog entries to.

    I logged onto my router (http://192.168.0.1 in your favourite internet browser, userid 'admin' password 'sky' - change that now) and selected "E-Mail", here I:
    1) Clicked on "Turn E-mail Notification On".
    2) Entered my root/admin user in the "Send to this e-mail address" - 'root@linux-g55o.site' . The "linux-g55o" is the name of my Linux PC (shows on the command line in any terminal/console).
    3) Entered the IP address of my Linux PC (more of this in a moment) - 192.168.0.3
    4) Clicked on "My Mail server requires authentification".
    5) Entered my normal username (the one that I use all the time, rather than my root/ admin user) and password.
    6) Left the three "Send email alerts immediately" options crossed, and clicked on "Apply".

    syslog
    Then it was time to tell the router where to put its log entries. I clicked on "Log" and then :
    1) Under "Syslog" I clicked on "Send to the Syslog server IP address" and entered my Linux PC's IP address (more later) - 192.168.00.003 .
    2) Clicked on "Apply"

    To create some quick syslog messages, I clicked on Router Status, then Connection Status, and then deliberately Disconnect. This causes a load of LCP (Line Control Protocol) style messages, which ended up on my Linux PC's logs (I use the system log viewer in Menu > System to view the newly created /var/log/router.log file (do a quick file/open on it)).

    PC's IP address
    As promised more on the IP address of my Linux PC. Normally IP addresses are handed out by the router on a dynamic first come first served basis, but you can reserve addresses, and so make them fixed. You do this by:

    1) While still logged onto the router, click LAN IP Setup (near the bottom left)
    2) Under "Address Reservation" click "Add", then click the radio button next to your PC's address, which will fill the bottom part of the screen for you. Amend the IP address as you see fit, give it a meaningful name (instead of UNKNOWN), and "Add" then "Apply" it.

    From then on your PC will always have the same IP address, so the router will always be able to find it and send its syslog entries to it.

    Wow, well that's about it. Now all I've got to do is work out why this router keeps dropping its IP connection (I suspect that the telephone line isn't good enough to sustain the high connection speeds).

    have fun

    Tony

    Use Suse 10.1 and occasionally play with Kubuntu
    Also have Windows 98SE and BeOS
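    The syslog-ng set-up in the post above, re-implemented as an added example (my code, not Tony's and not part of syslog-ng or SuSE): a minimal UDP/514 collector that binds to the PC's LAN address instead of 0.0.0.0, keeps only datagrams whose source is the router (what 'filter f_router { host(192.168.0.1); }' does), decodes the RFC 3164 <PRI> header into facility.severity and appends to /var/log/router.log. The addresses 192.168.0.1 and 192.168.0.3 are the ones in the post; the scrubbing of control characters and the RFC 3164 default of user.notice for a message with no <PRI> are my choices.

```python
"""Minimal UDP/514 syslog collector mirroring the syslog-ng config above:
bind to the LAN address, accept only the router, decode <PRI>, append to file.
Added example, not code from the post or from syslog-ng."""
import re
import socket
from datetime import datetime

# Assumed from the post: router is 192.168.0.1, the PC's reserved address is 192.168.0.3.
LISTEN_ADDR = "192.168.0.3"   # bind here, not 0.0.0.0, so nothing on other interfaces reaches us
ROUTER_ADDR = "192.168.0.1"   # the only peer we accept, the equivalent of host(192.168.0.1)
LOG_FILE = "/var/log/router.log"

# RFC 3164 facility and severity tables; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(pri):
    """Split a PRI value into (facility, severity) names; raises on values above 191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_datagram(data, src_ip):
    """Return a record dict for one datagram, or None when it must be dropped.
    Drops anything not sent from the router's address (the host() filter).
    A datagram with no valid <PRI> gets <13> (user.notice), as RFC 3164 4.3.3 says."""
    if src_ip != ROUTER_ADDR:
        return None
    m = PRI_RE.match(data)
    if m and int(m.group(1).decode()) <= 191:
        pri, body = int(m.group(1).decode()), m.group(2)
    else:
        pri, body = 13, data
    facility, severity = decode_pri(pri)
    msg = body.decode("ascii", "replace").strip()
    # A router (or anyone spoofing it) must not be able to inject extra log lines
    # or terminal escapes into the file, so neutralise control characters.
    msg = re.sub(r"[\x00-\x1f\x7f]", "?", msg)
    if not msg:
        return None
    return {"facility": facility, "severity": severity, "msg": msg, "src": src_ip}


def format_record(rec):
    """One line in the usual syslog file layout: timestamp host facility.severity: msg."""
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    return "%s %s %s.%s: %s" % (ts, rec["src"], rec["facility"], rec["severity"], rec["msg"])


def serve():
    """Receive loop; binding port 514 needs root or CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((LISTEN_ADDR, 514))
    with open(LOG_FILE, "a") as log:
        while True:
            data, (ip, _port) = sock.recvfrom(8192)
            rec = parse_datagram(data, ip)
            if rec is None:
                continue          # filtered out, exactly as syslog-ng's log{} path would
            log.write(format_record(rec) + "\n")
            log.flush()


if __name__ == "__main__":
    serve()
```

    This makes the security issue the post leaves open concrete: the source-address filter and the UDP/514 firewall rule decide who may write into /var/log/router.log, but UDP carries no authentication, so any host on the WiFi segment that can send a packet with the router's source address can inject lines, and nothing here rate-limits the file. Binding to the LAN address rather than 0.0.0.0, and matching the firewall rule to the router's address rather than to 'any', narrows the exposure; it does not remove it.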

  2. #2
    Nerderello (Linux Engineer, North East England)
    Since posting the above on this and the skyusers forum, I've been hit by denial of service attacks. I'm sure that it is pure coincidence that they started shortly after the postings.

    I have, therefore, turned off the "Log DoS attacks" and the "Send emails when you get a DoS attack", as it was filling my logs up with rubbish.

    For those who are interested the messages looked like this:-
    Code:
    20/10/06 19:20:44	192.168.0.1	TCP Packet - Source	6.108.124.122,2782 Destination:90.194.xxx.xxx,59073 - [DOS]
    have fun

    Tony

    Use Suse 10.1 and occasionally play with Kubuntu
    Also have Windows 98SE and BeOS
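    For the [DOS] entries in post #2, an added example (mine, not from the post or from Netgear): a parser for the DG834GT log line shown above, run over constructed sample lines, that groups hits by source address and flags a source that probes several destination ports within a short window. One hit from a scattered address is ordinary Internet background noise; a run of them from one address in a few seconds is a scan. The line layout is inferred from the single line in the post, so the regex is an assumption; the source 6.108.124.122 is the one in the post and the other addresses are from the RFC 5737 documentation ranges.

```python
"""Parse Netgear DG834GT '[DOS]' log lines and summarise them per source, so a
scan can be told apart from background noise before the logging is switched off.
Added example; the line format is inferred from the one line in the post."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the post's line (date is DD/MM/YY, fields tab-separated).
SAMPLE = """\
20/10/06 19:20:44\t192.168.0.1\tTCP Packet - Source\t6.108.124.122,2782 Destination:192.0.2.10,59073 - [DOS]
20/10/06 19:20:45\t192.168.0.1\tTCP Packet - Source\t6.108.124.122,2783 Destination:192.0.2.10,59074 - [DOS]
20/10/06 19:20:46\t192.168.0.1\tTCP Packet - Source\t6.108.124.122,2784 Destination:192.0.2.10,59075 - [DOS]
20/10/06 19:31:02\t192.168.0.1\tTCP Packet - Source\t203.0.113.9,445 Destination:192.0.2.10,445 - [DOS]
20/10/06 19:32:10\t192.168.0.1\tUDP Packet - Source\t198.51.100.77,1026 Destination:192.0.2.10,1026 - [DOS]
garbage line the router should never emit
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<router>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>TCP|UDP|ICMP) Packet - Source\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+),(?P<sport>\d+)\s+"
    r"Destination:(?P<dst>[\d.x]+),(?P<dport>\d+)\s+-\s+\[(?P<tag>[A-Z]+)\]\s*$"
)


def parse_line(line):
    """One log line -> dict, or None for anything that does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%m/%y %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def max_ports_in_window(recs, window_seconds):
    """Largest number of distinct destination ports one source hit inside any window."""
    best = 0
    for i, start in enumerate(recs):
        seen = set()
        for r in recs[i:]:
            if (r["ts"] - start["ts"]).total_seconds() > window_seconds:
                break
            seen.add(r["dport"])
        best = max(best, len(seen))
    return best


def summarise(text, scan_threshold=3, window_seconds=60):
    """Group events by source. A source touching >= scan_threshold distinct ports
    within window_seconds is flagged 'scan'; isolated hits are left unflagged.
    Returns (summary dict keyed by source, number of unparseable lines)."""
    by_src = defaultdict(list)
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        by_src[rec["src"]].append(rec)
    summary = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        ports = sorted({r["dport"] for r in recs})
        summary[src] = {
            "events": len(recs),
            "dports": ports,
            "scan": max_ports_in_window(recs, window_seconds) >= scan_threshold,
        }
    return summary, skipped


if __name__ == "__main__":
    result, bad = summarise(SAMPLE)
    for src, info in sorted(result.items(), key=lambda kv: -kv[1]["events"]):
        print("%-16s events=%d ports=%s %s" % (src, info["events"], info["dports"],
                                               "SCAN" if info["scan"] else "noise"))
    print("unparseable lines:", bad)
```

    Feeding /var/log/router.log through summarise() instead of turning the logging off keeps the evidence while silencing the noise: only the sources flagged as scans are worth an e-mail alert, and the rest can be counted and discarded.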
