syslog remote trouble

jebise101
DD-WRT Guru


Joined: 25 Sep 2009
Posts: 594

Posted: Mon Apr 06, 2015 19:55    Post subject: syslog remote trouble
I have set up syslog to an internal device on the network but can't get any output to the server. Running nmap from the syslog server shows the router does not have port 514 open. I have set the remote IP address field to my server on the web UI.

Kong build 26500 on R7000

Please assist?
wirerydr
DD-WRT Novice


Joined: 30 Nov 2013
Posts: 26

Posted: Tue Apr 07, 2015 14:40    Post subject: Re: syslog remote trouble
jebise101 wrote:
I have set up syslog to an internal device on the network but can't get any output to the server. Running nmap from the syslog server shows the router does not have port 514 open. I have set the remote IP address field to my server on the web UI.

Kong build 26500 on R7000

Please assist?


Run something like ps -l | grep syslogd | grep -v grep on the router and make sure the output is what you expect - probably similar to the following (the numbers may change):

S 0 1494 1 1164 208 0:0 00:41 00:00:00 syslogd -L -R 192.168.1.110

One potential gotcha: Although remote-syslog messages can be sent via either TCP or UDP, the syslogd in DD-WRT seems only to handle UDP. Ensure you've set up your log server to accept UDP remote syslog messages, and not just TCP.

Running nmap on the log server to check for open ports on your router won't show port UDP 514 open. However, running nmap somewhere else to check that port UDP 514 is open on your log server would be a good test. Be sure to include the "-sU" option when running nmap to do a UDP scan - nmap by default does TCP scans.

Another test would be to run a netstat on your log server to confirm something is listening on UDP port 514, like netstat -lnp | grep 514. In my case I see something like the following, because I use rsyslogd:

udp 0 0 0.0.0.0:514 0.0.0.0:* 526/rsyslogd
udp6 0 0 :::514 :::* 526/rsyslogd


If all these tests pass - e.g. remote logging is correctly running on the router, and your log server is correctly listening on UDP 514 for remote messages, then you might have something interfering, like the firewall or SELinux on your log server.

Hope this helps a bit...
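
A way to run the receive test from the post above without depending on rsyslog's own configuration (an added example, not part of the original post or of DD-WRT): a minimal UDP listener for the log server that reports the sender and decoded priority of each syslog datagram. The function names are assumptions of this example.

```python
import re
import socket

# RFC 3164 messages start with "<PRI>", where PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 3: "daemon", 4: "auth"}  # common subset

def parse_syslog(datagram: bytes) -> dict:
    """Split one UDP syslog datagram into facility, severity and text."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 191 = highest valid PRI (23 * 8 + 7)
        return {"facility": None, "severity": None,
                "text": datagram.decode("utf-8", "replace").strip()}
    pri = int(m.group(1))
    return {
        "facility": FACILITIES.get(pri >> 3, str(pri >> 3)),
        "severity": SEVERITIES[pri & 7],
        "text": datagram[m.end():].decode("utf-8", "replace").strip(),
    }

def open_sink(bind_addr: str = "0.0.0.0", port: int = 514) -> socket.socket:
    """Bind a UDP socket; port 514 needs root or CAP_NET_BIND_SERVICE."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    return sock

def receive_one(sock: socket.socket, timeout: float = 30.0):
    """Wait for one datagram; return (sender_ip, parsed) or None on timeout."""
    sock.settimeout(timeout)
    try:
        data, (ip, _port) = sock.recvfrom(4096)
    except socket.timeout:
        return None
    return ip, parse_syslog(data)

if __name__ == "__main__":
    # Stop rsyslogd first (or use another port) to avoid "address in use".
    with open_sink() as sink:
        while True:
            got = receive_one(sink)
            print(got if got else "no datagram in 30 s: check router config and firewall")
```

If datagrams from the router's address show up here but not in the real log daemon, the problem is the daemon's UDP input configuration; if nothing arrives at all, look at the router's syslogd arguments and the server's firewall.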
dito
DD-WRT Novice


Joined: 22 Jan 2007
Posts: 4

Posted: Wed Feb 14, 2018 6:03
Ok jebise101, I have been having troubles logging denies and drops to remote syslog, but other events show up fine.

I didn't find many posts about it so, here I found you.

My first step shows syslogd running:

ps | grep syslogd | grep -v grep
7361 root 1180 S syslogd -L -R 192.168.74.210
7659 root 1180 S syslogd


However, netstat doesn't show it. Where am I looking to fix this now?

netstat -ln | grep 514
netstat: /proc/net/tcp6: No such file or directory
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory

Without grep, I see UDP ports, but don't see 514.

I just upgraded hardware/software (older ASUS RT-N16 used to show drops).
I upgraded to an ASUS RT-N66U with Firmware: DD-WRT v3.0-r34777 big (01/31/18)

What's next?

As an example, I can show you that my syslog server (splunk) is receiving other events, but not denies nor drops. Is that a new behavior?


1  2/13/18 10:12:47.000 PM  Feb 13 22:12:47 192.168.74.1 Feb 14 03:12:45 : Authentication fail
2  2/13/18 8:49:46.000 PM  Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd : https daemon successfully started
3  2/13/18 8:49:46.000 PM  Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd server (ssl support) started at port 443
4  2/13/18 8:49:46.000 PM  Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd server started at port 80
5  2/13/18 8:49:46.000 PM  Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd server shutdown
6  2/13/18 8:49:46.000 PM  Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd server shutdown
7  2/13/18 8:49:46.000 PM  Feb 13 20:49:46 192.168.74.1 Feb 14 01:49:44 : httpd : http daemon successfully stopped
8  2/13/18 8:49:45.000 PM  Feb 13 20:49:45 192.168.74.1 Feb 14 01:49:43 : vpn modules : nf_nat_pptp successfully loaded

_________________
--
Dito
mwchang
DD-WRT Guru


Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong

Posted: Wed Feb 14, 2018 13:15    Post subject: Re: syslog remote trouble
jebise101 wrote:
I have set up syslog to an internal device on the network but can't get any output to the server. Running nmap from the syslog server shows the router does not have port 514 open. I have set the remote IP address field to my server on the web UI.

PC config & OS of that "internal device"?

Did you forget to open the rsyslog port at the target device?

When sending log entries from DD-WRT to that internal device, DD-WRT does NOT open port 514! It's up to the internal device (aka the server) to open the proper port to accept DD-WRT log entries (DD-WRT is just a client).

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
All times are GMT