I have set up syslog to an internal device on the network but can't get any output to the server. Running nmap from the syslog server shows the router does not have port 514 open. I have set the remote IP address field to my server on the web UI.
Kong build 26500 on R7000
Please assist?
Run something like ps -l | grep syslogd | grep -v grep on the router and make sure the output is what you expect - probably similar to the following (the numbers may change):
One potential gotcha: Although remote-syslog messages can be sent via either TCP or UDP, the syslogd in DD-WRT seems only to handle UDP. Ensure you've set up your log server to accept UDP remote syslog messages, and not just TCP.
Running nmap on the log server to check for open ports on your router won't show port UDP 514 open. However, running nmap somewhere else to check that port UDP 514 is open on your log server would be a good test. Be sure to include the "-sU" option when running nmap to do a UDP scan - nmap by default does TCP scans.
Another test would be to run a netstat on your log server to confirm something is listening on UDP port 514, like netstat -lnp | grep 514. In my case I see something like the following, because I use rsyslogd:
If all these tests pass - e.g. remote logging is correctly running on the router, and your log server is correctly listening on UDP 514 for remote messages, then you might have something interfering, like the firewall or SELinux on your log server.
However, netstat doesn't show it. Where am I looking to fix this now?
netstat -ln | grep 514
netstat: /proc/net/tcp6: No such file or directory
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory
Without grep, I see UDP ports, but don't see 514.
I just upgraded hardware/software (older ASUS RT-N16 used to show drops).
I upgraded to an ASUS RT-N66U with Firmware: DD-WRT v3.0-r34777 big (01/31/1
What's next?
As an example, I can show you that my syslog server (splunk) is receiving other events, but not denies nor drops. Is that a new behavior?
1 » 2/13/18
10:12:47.000 PM
Feb 13 22:12:47 192.168.74.1 Feb 14 03:12:45 : Authentication fail
2 » 2/13/18
8:49:46.000 PM
Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd : https daemon successfully started
3 » 2/13/18
8:49:46.000 PM
Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd server (ssl support) started at port 443
4 » 2/13/18
8:49:46.000 PM
Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd server started at port 80
5 » 2/13/18
8:49:46.000 PM
Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd server shutdown
6 » 2/13/18
8:49:46.000 PM
Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd server shutdown
7 » 2/13/18
8:49:46.000 PM
Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd : http daemon successfully stopped
8 » 2/13/18
8:49:45.000 PM
Feb 13 20:49:45 192.168.74.1 Feb 14 01:49:43 : vpn modules : nf_nat_pptp successfully loaded
Posted: Wed Feb 14, 2018 13:15 Post subject: Re: syslog remote touble
jebise101 wrote:
I have set up syslog to an internal device on the network but can't get any output to the server. Running nmap from the syslog server shows the router does not have port 514 open. I have set the remote IP address field to my server on the web UI.
PC config & OS of that "internal device"?
Did you forget to open the rsyslog port at the target device?
When sending log entries from DD-WRT to that internal device, DD-WRT does NOT open port 514! It's the internal device (aka the server) to open the proper port to accept DD-WRT log entries (just a client).
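A small UDP listener for the check discussed in this thread, added here as an example (it is not code from any poster or from DD-WRT): run on the log server, it binds a UDP socket, decodes the PRI header of each datagram that arrives, and includes a test sender for confirming the path end to end. The function names and the test message are assumptions made for illustration.

```python
import socket

# Facility and severity names by number, as encoded in the syslog PRI field.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(datagram: bytes):
    """Split '<PRI>text' into (facility, severity, text); names are None without a valid PRI."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    if text.startswith("<") and ">" in text[:5]:
        pri, rest = text[1:].split(">", 1)
        if pri.isdecimal() and int(pri) <= 191:
            facility, severity = divmod(int(pri), 8)
            return FACILITIES[facility], SEVERITIES[severity], rest
    return None, None, text

def open_listener(bind_addr="0.0.0.0", port=514):
    """Bind a UDP socket; port 514 needs root, port 0 picks a free port for testing."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock

def receive(sock, count=1, timeout=5.0):
    """Collect up to `count` datagrams as (sender_ip, facility, severity, text)."""
    sock.settimeout(timeout)
    events = []
    try:
        while len(events) < count:
            data, (sender, _port) = sock.recvfrom(4096)
            events.append((sender, *parse_pri(data)))
    except socket.timeout:
        pass  # nothing more arrived in time
    return events

def send_test(host, port, text="remote syslog test (constructed message)"):
    """Send one user.info (PRI 14) datagram the way a UDP-only sender would."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(f"<14>{text}".encode(), (host, port))

if __name__ == "__main__":
    listener = open_listener()           # run as root on the log server
    for event in receive(listener, count=5, timeout=30):
        print(event)
```

Stop the regular syslog daemon first if it already holds UDP 514, otherwise the bind fails with "address already in use", which itself confirms that something is listening there.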