[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Logging from remote sources



On Monday 02 March 2009, Roberto Ragusa wrote:
>Gene Heskett wrote:
>> I want to set up rsyslog on this machine to be a receiver, and log to a
>> separate file, the data it should be capturing on port 514.  Right now, it
>> looks like a pretty good imitation of /dev/null. :)
>>
>> I have the manpages and docs installed for rsyslog, and they seem to
>> contain nice examples of sending the logs someplace else, but nothing on
>> the reverse, where it is to log from another source.
>
>Well, I just had a look at the man pages and conf files and found this:
>
># Provides UDP syslog reception
>#$ModLoad imudp.so
>#$UDPServerRun 514
>
># Provides TCP syslog reception
>#$ModLoad imtcp.so
>#$InputTCPServerRun 514

This, after removing the appropriate # comments and restarting rsyslog, seems 
to have worked; however, the messages are being intermixed with this machine's 
messages.  They are marked as coming from the 'router', I presume by a 
gethostbynumber call someplace.

This gives a nice trigger if I can figure out how to use it:

Mar  2 19:41:12 router syslog: syslogd : syslog daemon successfully stopped
Mar  2 19:41:12 router kernel: klogd started: BusyBox v1.11.1 (2008-07-26 11:32:32 CEST)
Mar  2 19:41:12 router syslog: klogd : klog daemon successfully started

I would like to put those in their own log.  Is that possible?

>which appears to be what you have to uncomment to receive messages.
>Do you want to receive TCP or UDP?

Not sure, so I enabled both. :)

>Try to understand if data is coming to your machine with
>
>tcpdump -i eth0 -n -n

That was very informative; the major portion of the net traffic here is
being generated by arp, scanning the local subnet asking whohas, getting 
to .254 and resuming at 1.  That was so noisy that if I saw anything from the 
router it scrolled offscreen so fast I couldn't read it. That could be 
turned off because I use hosts files here for the majority of my stuff.

AFAICT from the services config there is no arp daemon running.  htop also 
doesn't show it.  FWIW, dnsmasq is running, but not bind nor nscd.

How can I turn that off?

>and do not forget to make a hole in the firewall to avoid
>discarding these packets.

No firewalls in use on the local net; dd-wrt seems to handle that very
well.  In 2 years, the only people who got through it were given the 
password to do so by me.

Thank You, Roberto.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
In Greene, New York, it is illegal to eat peanuts and walk backwards on
the sidewalks when a concert is on.
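An added example for the "own log for the router" question above, written by the editor and not taken from the thread or from any rsyslog documentation. It uses the same legacy-style directives as the snippet Roberto quoted (rsyslog 3.x era) and assumes the router sends from 192.168.1.1 on a 192.168.1.0/24 LAN; substitute the real addresses. Two points matter for a receiver: restrict who may send (UDP syslog is unauthenticated, so anyone who can reach port 514 can write into your logs), and match remote messages before the local catch-all rules, then discard them, so they stop landing in /var/log/messages.

```conf
# --- Reception (the part the thread uncommented), limited to the LAN ---
# $AllowedSender must appear after $ModLoad imudp.so and before
# $UDPServerRun.  The 192.168.1.0/24 range is an assumption.
$ModLoad imudp.so
$AllowedSender UDP, 127.0.0.1, 192.168.1.0/24
$UDPServerRun 514

# --- One file per remote sender, named by the sender's IP address ---
# FROMHOST-IP is the address the packet came from; matching on it is more
# robust than the resolved name ("router" in the post), which depends on
# reverse DNS or the hosts file.  rsyslog creates /var/log/remote/ itself
# because $CreateDirs defaults to on.
$template RemoteHostFile,"/var/log/remote/%FROMHOST-IP%.log"

# --- Rules for remote hosts; these MUST come before the local rules ---
# Everything from the router (assumed 192.168.1.1) goes to its own file,
# then "& ~" discards it so no later rule sees it.
:fromhost-ip, isequal, "192.168.1.1"   /var/log/router.log
& ~

# Any other remote sender (local messages arrive from 127.0.0.1) gets a
# per-host file from the template above, and is likewise discarded.
:fromhost-ip, !isequal, "127.0.0.1"    ?RemoteHostFile
& ~

# --- Local rules, unchanged from the distribution default ---
*.info;mail.none;authpriv.none;cron.none   /var/log/messages
```

After restarting rsyslog, the three "router" lines quoted above should appear in /var/log/router.log only. To confirm packets are arriving without the arp noise drowning them out, tell tcpdump what to show rather than what to hide: `tcpdump -i eth0 -n udp port 514` prints only syslog datagrams. If the router is configured to use TCP instead, the same rules apply to imtcp; only the $AllowedSender line changes its first word to TCP.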

