[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Probably silly Q

On Wednesday 08 March 2006 08:28, Craig White wrote:
>On Wed, 2006-03-08 at 01:43 -0500, Gene Heskett wrote:
>> On Wednesday 08 March 2006 01:03, Craig White wrote:
>> >On Wed, 2006-03-08 at 00:50 -0500, Gene Heskett wrote:
>> >> Greetings all;
>> >>
>> >> My router has the ability to send access logs to an ip address,
>> >> which is assignable.
>> >>
>> >> My thoughts are to setup a virtual eth0:1 at an unused local
>> >> addresss in the 192.168.1 block, and simply copy everything that
>> >> comes into that port off to a logfile, plugging that logfile into
>> >> logrotates schedule and thereby keeping a log for forensic
>> >> purposes.
>> >>
>> >> I've tried the usual culprits, like cat </dev/eth0:1, or dd
>> >> if=/dev/eth0:1 but neither of those seems to work, lack of a
>> >> device, and sure enough when I look in /devs on that old RH7.3
>> >> box, there are no eth* entries.
>> >>
>> >> I'm probably in one of those situations where I can't see the
>> >> tree for all this forest in the way, so could someone toss me a
>> >> clue please?
>> >
>> >----
>> >don't bother with all that nonsense...your syslog has the ability
>> > to accept, log, rotate, etc. from network devices...
>> >
>> >man syslogd /support for remote logging
>> >
>> >unless you feel like doing unnecessary gymnastics
>> >
>> >Craig
>> Ok, I've inserted that line in services thats needed for that to
>> work, syslog          514/udp
>> And added the -r option to OPTIONS in the syslog file in
>> /etc/sysconfig, SIGHUPed syslogd, and turned the routers forwarding
>> of the access log to the main 192.168.x.x address of that machine. 
>> But nothing is appearing in either all.log or any other log with a
>> recent timestamp.
>> Did I miss something?  Or is the linksys BEFSR41 routers logging to
>> some other unk (udp/tcp) port besides 514?
>Let's keep this on list OK?


>Firewall on Linux system blocking port 514 protocol UDP?

Not that I'm aware of, and if it blocked it, it would log it I believe.

>Logging will go into /var/log/messages unless you redirect it via
>syslog.conf # man syslog.conf

No redirections that I'm aware of, watching the directory for growing 
files, and tail of all.log only shows a bunch of New not SYN stuff 
being dropped.

>Is there actually traffic ? you can use something like ethereal to
> trace activity between router & Linux system

I can see traffic being logged by the router itself by clicking on its 
incoming and outgoing buttons, then clicking each's refresh to update 
the display.  Incoming is all torrent related as I'm seeding ubuntu, 
outgoing is showing much more, but none of it is making it to a logfile 
that I can find.  Perhaps /etc/syslog.conf isn't the place to add that 

>The RH 7.3 system may have a very different version of syslogd and
>behave differently

Yes, I'm afraid of that myself.  I could maybe, port forward 514 to this 
box, but I've no idea if that would work for messages generated in the 
router as opposed to incoming stuff from the dsl modem.  That would 
also require a rule similar to the one that lets bittorrent thru I 
assume.  Does that look feasable?


Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]