Probably silly Q

Gene Heskett gene.heskett at verizon.net
Wed Mar 8 14:34:05 UTC 2006


On Wednesday 08 March 2006 08:28, Craig White wrote:
>On Wed, 2006-03-08 at 01:43 -0500, Gene Heskett wrote:
>> On Wednesday 08 March 2006 01:03, Craig White wrote:
>> >On Wed, 2006-03-08 at 00:50 -0500, Gene Heskett wrote:
>> >> Greetings all;
>> >>
>> >> My router has the ability to send access logs to an ip address,
>> >> which is assignable.
>> >>
>> >> My thoughts are to set up a virtual eth0:1 at an unused local
>> >> address in the 192.168.1 block, and simply copy everything that
>> >> comes into that port off to a logfile, plugging that logfile into
>> >> logrotate's schedule and thereby keeping a log for forensic
>> >> purposes.
>> >>
>> >> I've tried the usual culprits, like cat </dev/eth0:1, or dd
>> >> if=/dev/eth0:1 but neither of those seems to work, lack of a
>> >> device, and sure enough when I look in /devs on that old RH7.3
>> >> box, there are no eth* entries.
>> >>
>> >> I'm probably in one of those situations where I can't see the
>> >> tree for all this forest in the way, so could someone toss me a
>> >> clue please?
>> >
>> >----
>> >don't bother with all that nonsense...your syslog has the ability
>> > to accept, log, rotate, etc. from network devices...
>> >
>> >man syslogd /support for remote logging
>> >
>> >unless you feel like doing unnecessary gymnastics
>> >
>> >Craig
>>
>> Ok, I've inserted that line in services that's needed for that to
>> work, syslog          514/udp
>>
>> And added the -r option to OPTIONS in the syslog file in
>> /etc/sysconfig, SIGHUPed syslogd, and turned the router's forwarding
>> of the access log to the main 192.168.x.x address of that machine.
>> But nothing is appearing in either all.log or any other log with a
>> recent timestamp.
>>
>> Did I miss something?  Or is the linksys BEFSR41 router's logging to
>> some other unk (udp/tcp) port besides 514?
>
>----
>Let's keep this on list OK?
>
>Firewall on Linux system blocking port 514 protocol UDP?
>
>Logging will go into /var/log/messages unless you redirect it via
>syslog.conf # man syslog.conf
>
>Is there actually traffic ? you can use something like ethereal to
> trace activity between router & Linux system

I couldn't make sense out of the ethereal output, but I am seeing quite
a bit of this when I run:

tcpdump -i eth0 -p udp

and scattered amongst the dns queries are a few of these:
========
09:27:09.106059 router.coyote.den.16139 > 192.168.1.100.snmptrap:  
Trap(35)  E:3093.2.2.1 192.168.1.1 
enterpriseSpecific[specific-trap(1)!=0] 25922015 [|snmp]
========
but this router doesn't do the mrtg thing that I'm aware of.  It's a
linksys BEFSR41, latest firmware.

But, is this the data I want?  In case yes, how do I go about logging it
to a unique logfile?  I don't see it being rejected or dropped in
iptables.


>The RH 7.3 system may have a very different version of syslogd and
>behave differently
>
>Craig

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's
stupid bounce rules.  I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
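The thread's open question is how to land the router's UDP datagrams in a logfile of their own. As an added example (not code from this thread or from the router vendor), here is a minimal Python receiver that does the job syslogd -r plus a syslog.conf rule would: it binds the address the router forwards to, parses the BSD syslog <PRI> header into facility.severity, and appends one line per datagram to a file. The bind address, port and logfile path are assumptions, and the sample datagram is constructed.

```python
import re
import socket
from datetime import datetime

# Constructed sample of the classic BSD syslog shape a router sends: <PRI> then text.
SAMPLE_DATAGRAM = b"<134>Mar  8 09:27:09 router: ACCESS 192.168.1.100:1034 -> 10.0.0.5:80 TCP"

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

def parse_syslog(datagram: bytes) -> dict:
    """Split a BSD syslog datagram into facility, severity and text.
    A datagram with no valid <PRI> is kept rather than dropped and tagged
    user.notice (PRI 13, the default syslogd applies), so nothing is lost."""
    pri, text = 13, datagram
    m = PRI_RE.match(datagram)
    if m and int(m.group(1)) <= 191:          # 23 facilities * 8 severities - 1
        pri, text = int(m.group(1)), datagram[m.end():]
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "text": text.decode("utf-8", "replace").strip()}

def format_entry(received_at: str, src_ip: str, datagram: bytes) -> str:
    """One logfile line: receive time, sender address, facility.severity, text."""
    rec = parse_syslog(datagram)
    return f"{received_at} {src_ip} {rec['facility']}.{rec['severity']} {rec['text']}"

def serve(bind_ip="192.168.1.100", port=514, logfile="/var/log/router.log", max_packets=None):
    """Bind UDP/514 on the assumed address and append each datagram to the logfile.
    Binding port 514 needs root; run it under the same logrotate rule as other logs."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock, open(logfile, "a") as out:
        sock.bind((bind_ip, port))
        seen = 0
        while max_packets is None or seen < max_packets:
            data, (src_ip, _) = sock.recvfrom(65535)
            stamp = datetime.now().isoformat(timespec="seconds")
            out.write(format_entry(stamp, src_ip, data) + "\n")
            out.flush()                        # keep the file current for forensics
            seen += 1

if __name__ == "__main__":
    serve()
```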