Operating System - Linux

setting up remote syslogging from router to linux
Dave Dewar
Trusted Contributor
Hi,

I have set up a Linux router/firewall/mail server using a custom distro called ClarkConnect, which is based on Red Hat 7.3. This seemed like the easier way to get up and running while I got some more experience with Linux, to have some confidence in building my own firewall using the Red Hat 8 distro I have.

I have the following setup:

adsl router -> eth 0 clarkconnect
clarkconnect eth 1 -> switch -> my lan 1
clarkconnect eth 2 -> wap -> my lan 2

my router, a zyxel 650R, supports unix syslog and can send messages to a syslog server.

I would like to set things up to send zyxel messages to my cc box.

I read up on the subject and have done the following so far.

1. set up the router to send its syslog output to my eth0 IP as local1

2. modified the syslog.conf to include the line
local1.* /var/log/zyxel.log

3. edited the syslog file in /etc/rc.d/init.d to add a -r option with the -m 0 option when it starts.

4. checked in /etc/services that the syslog process was using 514/udp

5. restarted my syslog process using /etc/rc.d/init.d/syslog restart.

I checked with ps that syslog is now using -r -m 0 as options, and the file zyxel.log has been created in /var/log/.

However, after about 5 hours of constant internet use, the file was still empty.

First, what am I doing wrong? I guess since the cc eth0 connection is firewalled, is it refusing the syslog messages from my router? I am assuming I need to modify the firewall rules to allow access on 514/udp for my router's internal IP. Can I use IPTABLES to do this? Where would I put the IPTABLES line? In /etc/firewall? Any suggestion on a suitable IPTABLES command? I was reading the IPTABLES man page last night and was getting very confused :-)

Secondly, the man page for syslog mentioned that this remote logging could be insecure and that I could take steps to make it more secure. I didn't really understand the suggestions to fix it, though. I am assuming that setting up an IPTABLES instruction to allow traffic on 514 from only my router IP would sort this out.

I have another Linux box in my internal LAN, a Red Hat 8 build. Would it be better to send all of my ClarkConnect logs to this, and also use port forwarding on the cc box to send the router logs to this as well? I am not sure that having the log server and the gateway as the same machine makes much sense from a security standpoint.

Any help much appreciated.

Cheers,

Dave Dewar
1 REPLY
Vitaly Karasik_1
Honored Contributor

Re: setting up remote syslogging from router to linux

1) your setup should work; try disabling the FW for some time - it'll work IMHO

2) if you want a "very secure" logserver, this article may help:

http://www.linuxjournal.com/article.php?sid=6222

(how to set up a log server without an IP)


Regards,
Vitaly