Logging from remote sources

Gene Heskett gene.heskett at verizon.net
Tue Mar 3 06:07:23 UTC 2009


On Monday 02 March 2009, Matthew Flaschen wrote:
>Gene Heskett wrote:
>>> I think it's something like:
>>> :hostname, isequal, "router"
>>>
>>> *.*             /var/log/DD_WRT_router.log
>>
>> I tried that, and it duplicated the host machine's log to the target. :)
>
>Can you clarify?  You put it as three lines like that?
>
No, two lines, somewhere a blank got added that wasn't there when it left 
here.

>> So I'm now trying:
>> :msg, contains, "router"		/var/log/dd-wrt/router.log
>
>Counter-intuitively (but seemingly confirmed by some quick testing), I
>don't think hostname is part of the message.  I have another idea that
>DID appear to work (obviously I tested with my own hostname), though it
>
>didn't log as much as I expected ...</ominous>:
>:HOSTNAME, isequal, "router" /var/log/dd-wrt/router.log
I have that in there now.  But even disabled, the router is silent at the 
moment.  Here is a sample of what one of its messages looks like as I rebooted 
it:

Mar  2 19:41:12 router syslog: syslogd : syslog daemon successfully stopped
Mar  2 19:41:12 router kernel: klogd started: BusyBox v1.11.1 (2008-07-26 11:32:32 CEST)
Mar  2 19:41:12 router syslog: klogd : klog daemon successfully started

Note the 'router' identifier

>All one line, capitalized HOSTNAME.  Also, just to be safe make sure
>/var/log/dd-wrt/router.log already exists with the same permissions
>(user/group/mode) as /var/log/messages before you restart rsyslogd.

I did.
>
>> If I put it on two lines, it fussed on the restart because there was a
>> line without an action.
>
>Right, my mistake.
>
>> Is it an absolute requirement?  If not, how to stop it?
>
>You /might/ be able to disable it if you hard-coded the MAC address of
>every machine (including routers, firewalls, etc.) on your LAN.
>However, I highly advise against attempting this.

Yeah, but it's only this machine I'm seeing, and there are 2 other Ubuntu 
machines on this network that don't do that.  And it just keeps hammering 
away, probably 90% of the local traffic here, and that is counting fetchmail 
checking 3 servers at 90-second intervals.  I have attached a 60-second 
tcpdump -i eth0 -nn capture.  This cannot be right.

>Matt Flaschen

Thanks Matt

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
I have seen these EGG EXTENDERS in my Supermarket ... I have read the
INSTRUCTIONS ...

-------------- next part --------------
00:58:01.976932 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:02.976933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:03.220801 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:03.976933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:04.977930 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:05.220979 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:05.977931 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:06.977933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:07.221185 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:09.221389 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:10.979932 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:11.221552 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:11.979928 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:12.979932 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:13.221664 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:13.980929 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:14.980928 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:15.221957 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:15.752717 IP 192.168.71.3.123 > 64.247.17.251.123: NTPv4, Client, length 48
00:58:15.801091 IP 64.247.17.251.123 > 192.168.71.3.123: NTPv4, Server, length 48
00:58:15.980933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:17.222061 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:18.365728 IP 192.168.71.3.631 > 192.168.71.255.631: UDP, length 193
00:58:19.222231 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:19.365728 IP 192.168.71.3.631 > 192.168.71.255.631: UDP, length 191
00:58:19.982932 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:20.365728 IP 192.168.71.3.631 > 192.168.71.255.631: UDP, length 192
00:58:20.982933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:21.222424 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:21.365726 IP 192.168.71.3.631 > 192.168.71.255.631: UDP, length 196
00:58:21.703697 IP 192.168.71.3.123 > 207.182.224.4.123: NTPv4, Client, length 48
00:58:21.818522 IP 207.182.224.4.123 > 192.168.71.3.123: NTPv4, Server, length 48
00:58:21.982933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:22.983930 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:23.222552 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:23.983930 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:24.700706 IP 192.168.71.3.123 > 64.247.17.252.123: NTPv4, Client, length 48
00:58:24.751029 IP 64.247.17.252.123 > 192.168.71.3.123: NTPv4, Server, length 48
00:58:24.983933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:25.222731 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:27.222944 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:28.985921 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:29.223089 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:29.700681 arp who-has 192.168.71.1 tell 192.168.71.3
00:58:29.700802 arp reply 192.168.71.1 is-at 00:0f:b5:fa:9c:54
00:58:29.985922 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:30.985928 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:31.223309 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:31.986930 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:32.986922 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:33.223424 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:33.986933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:35.223648 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:37.223841 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:37.988932 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:38.988933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:39.223968 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:39.988933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:40.989919 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:41.224197 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:41.989933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:42.989933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:43.224293 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:45.224536 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:46.991932 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:47.224680 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:47.991933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:48.991934 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:49.224854 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:49.365854 IP 192.168.71.3.631 > 192.168.71.255.631: UDP, length 193
00:58:49.992928 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:50.366720 IP 192.168.71.3.631 > 192.168.71.255.631: UDP, length 191
00:58:50.992931 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:51.225052 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:51.366727 IP 192.168.71.3.631 > 192.168.71.255.631: UDP, length 192
00:58:51.992932 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:52.366726 IP 192.168.71.3.631 > 192.168.71.255.631: UDP, length 196
00:58:53.225234 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:55.225422 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:55.994932 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:56.994933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:57.225571 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:57.994933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:58.995921 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:59.225762 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:59.995933 arp who-has 192.168.71.4 tell 192.168.71.3
00:59:00.995933 arp who-has 192.168.71.4 tell 192.168.71.3
00:59:01.225978 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
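
The filter behaviour argued over in the thread (hostname versus msg, and why a bare `*.*` line copies everything), as an added example that is not part of the original message and is not rsyslog's own code: a small Python evaluator that applies rsyslog-style rule lines to the three router lines quoted above plus one constructed line from the local host. It assumes the BSD-style line layout shown in the message, models only property filters and the `*.*` catch-all, and compares property names case-insensitively (an assumption so both spellings used in the thread are accepted; check your rsyslog version's own rule).

```python
import re
from collections import defaultdict

# The three lines the router produced on reboot (quoted in the message above),
# plus one CONSTRUCTED line from the local host that must not be routed to
# the router's file.
SAMPLE_LINES = [
    "Mar  2 19:41:12 router syslog: syslogd : syslog daemon successfully stopped",
    "Mar  2 19:41:12 router kernel: klogd started: BusyBox v1.11.1 (2008-07-26 11:32:32 CEST)",
    "Mar  2 19:41:12 router syslog: klogd : klog daemon successfully started",
    "Mar  2 19:41:30 desktop kernel: eth0: link up",   # constructed local line
]

# Layout of a BSD-style (RFC 3164) line as it lands in the file:
#   <timestamp> <hostname> <tag>[pid]: <msg>
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<programname>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

def parse_line(line):
    """Split one line into the properties a filter can test."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    props = m.groupdict()
    props["pid"] = props["pid"] or ""
    # The msg property is only the text after the tag; the hostname sits in
    # its own field, which is why ':msg, contains, "router"' never sees it.
    return props

# ':<property>, [!]<compare>, "<value>"  <action>'  -- the action is mandatory
FILTER_RE = re.compile(
    r'^:(?P<prop>\w+),\s*(?P<neg>!?)(?P<op>isequal|contains|startswith),'
    r'\s*"(?P<value>[^"]*)"\s+(?P<action>\S+)$'
)
# Only the catch-all selector is modelled; a full selector parser is out of scope.
CATCHALL_RE = re.compile(r"^\*\.\*\s+(?P<action>\S+)$")

def parse_rule(rule):
    """Parse one rsyslog.conf rule line; raise ValueError for a line without an action."""
    rule = rule.strip()
    m = FILTER_RE.match(rule)
    if m:
        d = m.groupdict()
        d["prop"] = d["prop"].lower()  # assumption: names compared case-insensitively
        d["kind"] = "filter"
        return d
    m = CATCHALL_RE.match(rule)
    if m:
        return {"kind": "catchall", "action": m.group("action")}
    raise ValueError(f"unsupported rule or rule without an action: {rule!r}")

def is_valid_rule(rule):
    """True when parse_rule accepts the line (mirrors the restart error Gene saw)."""
    try:
        parse_rule(rule)
        return True
    except ValueError:
        return False

def matches(props, rule):
    """Evaluate one parsed rule against one parsed line."""
    if rule["kind"] == "catchall":
        return True
    if rule["prop"] not in props:
        raise ValueError(f"unknown property {rule['prop']!r}")
    value, needle = props[rule["prop"]], rule["value"]
    hit = {
        "isequal": value == needle,
        "contains": needle in value,
        "startswith": value.startswith(needle),
    }[rule["op"]]
    return hit != (rule["neg"] == "!")

def route(lines, rules):
    """Return {action_file: [lines]} showing which lines each rule would write."""
    out = defaultdict(list)
    for line in lines:
        props = parse_line(line)
        for rule in rules:
            if matches(props, rule):
                out[rule["action"]].append(line)
    return dict(out)

if __name__ == "__main__":
    for text in (
        ':HOSTNAME, isequal, "router"\t/var/log/dd-wrt/router.log',
        ':msg, contains, "router"\t/var/log/dd-wrt/router.log',
        "*.*\t/var/log/DD_WRT_router.log",
    ):
        print(text, "->", route(SAMPLE_LINES, [parse_rule(text)]))
```

Run as-is it prints three routings: the hostname filter sends only the three router lines to the router file, the msg filter sends nothing, and the catch-all sends every line, which is the duplication reported earlier in the thread.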

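One way to read the attached capture rather than eyeballing it, added here as an example and not part of the original message or of tcpdump: a Python parser for `tcpdump -nn` text output that tallies ARP requests per target, lists targets that were asked for but never answered (the once-a-second who-has for 192.168.71.4 above is exactly that pattern), and checks whether the MAC in an ARP reply is also the MAC advertised in the STP bridge-id. The embedded sample is a constructed excerpt in the shape of the attachment; the line formats handled are the four kinds that appear in it.

```python
import re
from collections import Counter, defaultdict

# CONSTRUCTED excerpt in the shape of the attached `tcpdump -i eth0 -nn` output.
CAPTURE = """\
00:58:01.976932 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:02.976933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:03.220801 STP 802.1d, Config, Flags [none], bridge-id 8000.00:0f:b5:fa:9c:54.8001, length 43
00:58:03.976933 arp who-has 192.168.71.4 tell 192.168.71.3
00:58:15.752717 IP 192.168.71.3.123 > 64.247.17.251.123: NTPv4, Client, length 48
00:58:15.801091 IP 64.247.17.251.123 > 192.168.71.3.123: NTPv4, Server, length 48
00:58:18.365728 IP 192.168.71.3.631 > 192.168.71.255.631: UDP, length 193
00:58:29.700681 arp who-has 192.168.71.1 tell 192.168.71.3
00:58:29.700802 arp reply 192.168.71.1 is-at 00:0f:b5:fa:9c:54
00:58:31.986930 arp who-has 192.168.71.4 tell 192.168.71.3
"""

TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d{6})"
ARP_REQ_RE = re.compile(TS + r" arp who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")
ARP_REPLY_RE = re.compile(TS + r" arp reply (?P<target>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})")
STP_RE = re.compile(TS + r" STP 802\.1d, .*bridge-id (?P<bridge_id>[0-9a-f]{4}\.[0-9a-f:]{17}\.[0-9a-f]{4})")
IP_RE = re.compile(TS + r" IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<proto>[^,\s]+)")

def to_seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_capture(text):
    """Turn tcpdump text lines into dict records; unrecognised lines are kept as kind='other'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for kind, rx in (("arp_request", ARP_REQ_RE), ("arp_reply", ARP_REPLY_RE),
                         ("stp", STP_RE), ("ip", IP_RE)):
            m = rx.match(line)
            if m:
                rec = {"kind": kind, **m.groupdict()}
                rec["t"] = to_seconds(rec.pop("ts"))
                records.append(rec)
                break
        else:
            records.append({"kind": "other", "line": line})
    return records

def kind_counts(records):
    return dict(Counter(r["kind"] for r in records))

def arp_summary(records):
    """Per ARP target: requests, replies, requesting hosts and the shortest gap between requests."""
    by_target = defaultdict(list)
    for r in records:
        if r["kind"] == "arp_request":
            by_target[r["target"]].append(r)
    replies = Counter(r["target"] for r in records if r["kind"] == "arp_reply")
    summary = {}
    for target, reqs in by_target.items():
        times = [r["t"] for r in reqs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        summary[target] = {
            "requests": len(reqs),
            "replies": replies.get(target, 0),
            "senders": sorted({r["sender"] for r in reqs}),
            "min_gap_s": round(min(gaps), 3) if gaps else None,
        }
    return summary

def unanswered_arp_targets(records):
    """Addresses that were asked for but never replied; a stale config pointing at a dead host is the usual cause."""
    return sorted(t for t, s in arp_summary(records).items() if s["replies"] == 0)

def stp_bridge_macs(records):
    """MAC part of every STP bridge-id seen (priority.MAC.port)."""
    return sorted({r["bridge_id"].split(".")[1] for r in records if r["kind"] == "stp"})

def arp_reply_check(records):
    """{ip: (mac, mac_is_also_an_stp_bridge)} for every ARP reply in the capture."""
    bridges = set(stp_bridge_macs(records))
    return {r["target"]: (r["mac"], r["mac"] in bridges) for r in records if r["kind"] == "arp_reply"}

def ip_flows(records):
    """Count of (src, dst, dport, proto) tuples, enough to spot the NTP and port-631 broadcasts."""
    return Counter((r["src"], r["dst"], r["dport"], r["proto"]) for r in records if r["kind"] == "ip")

if __name__ == "__main__":
    recs = parse_capture(CAPTURE)
    print(kind_counts(recs))
    print(arp_summary(recs))
    print("unanswered:", unanswered_arp_targets(recs))
    print("reply MACs:", arp_reply_check(recs))
```

Feed it the real attachment with `parse_capture(open("capture.txt").read())` and the summary for 192.168.71.4 will show dozens of requests, zero replies and a one-second minimum gap, which points at something on 192.168.71.3 configured to talk to an address nothing answers; the reply check confirms that the only host answering ARP, the gateway at 192.168.71.1, carries the same MAC as the STP bridge.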


More information about the fedora-list mailing list