On 03/19/2016 10:42 AM, jbk wrote:
On 03/19/2016 01:48 AM, Matthew Gillen wrote:
On 3/18/2016 9:52 PM, jbk wrote:
I have a netgear modem with log export capability that I
would like to
monitor on my server. The server is running SL6.7. I
presume that I need
to open ports on the firewall and associated protocol.
The modem has simple choices that allow me to point the
output to a
specific ip address but not a port.
I need to tell syslog or maybe its rsyslog to listen for
the log
broadcasts.
So any hints would be helpful.
Run wireshark/tcpdump and see what port it is trying to
connect to.
pcap comes in before your machine's local firewall, so
don't worry about
disabling that.
# tcpdump -i eth0 host modem-ip-address
HTH,
Matt
Well I am still trying to figure out how to receive the
remote logs with rsyslog.
On the log server I used tcpdump as suggested:
# tcpdump -P inout -i eth1 host 10.251.227.6
and after awhile and many requests for who has I got this
output:
19:26:32.924614 IP modem > all-systems.mcast.net: igmp query
v3 [max resp time 10s]
19:27:39.046803 IP modem.filenet-obrok >
10.251.227.4.syslog: SYSLOG auth.info, length: 52
19:27:44.037418 ARP, Request who-has 10.251.227.4 tell
modem, length 46
19:37:10.451896 IP modem > all-systems.mcast.net: igmp query
v3 [max resp time 10s]
19:37:46.536009 IP modem.filenet-obrok >
10.251.227.4.syslog: SYSLOG syslog.info, length: 46
19:37:51.533377 ARP, Request who-has 10.251.227.4 tell
modem, length 46
So it looks like I get a auth.info and then a syslog.info
about 10 minutes apart.
In rsyslog.conf I've added some templates, rules and enabled
listening on the udp port.
###############################
### Per-Host Templates for Remote Systems ###
$template TmplAuthpriv,
"/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
$template TmplMsg,
"/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
### end of user added lines
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
### jbk added lines per SysAdminGuideF23 20160319
# Provides TCP syslog reception
#$ModLoad imtcp
# Adding this ruleset to process remote messages
$RuleSet remote1
authpriv.* ?TmplAuthpriv
*.info;mail.none;authpriv.none;cron.none ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset #End the rule set by
switching back to the default rule set
$InputUDPServerBindRuleset remote1 #Define a new input and
bind it to the "remote1" rule set
#$InputTCPServerRun 514
###################end of rsyslog edits############
I've opened the tcp and udp port 514 on the firewall and
I've created the remote/auth and remote/msg directories in
/var/log
Note the template definitions are one line.
So there it is. What is hindering the log reception?
--
Jim Kelly-Rand
[email protected]
_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss
