Results 1 to 10 of 10

Thread: UBUNTU 9.10 - using rsyslog to log router activity in separate file

  1. #1
    Join Date
    Mar 2009
    Beans
    14
    Distro
    Ubuntu 11.04 Natty Narwhal

    Question UBUNTU 9.10 - using rsyslog to log router activity in separate file

    Hey,

    I've enabled the syslog daemon to receive external comms (-r).
    I'm getting my router activity show up in the /var/log/syslog file.

    Now all i want to do is separate out these logs into /var/log/router.log

    I added
    local0.debug /var/log/router.log
    to my rsyslog.conf, but to no avail.

    using the logger util, i can successfully post to local0 and it appears in my router.log.

    So it just sounds like i need to find the right facility to use for my D-LINK DIR-635 router, right?

    I've had no luck in google or official docs.

    So my two questions are:
    1. anyone know what facility these messages are sent with or how i would find out?
    2. Am I even on the right path here?

    Thanks in advance to anyone that can help..

  2. #2
    Join Date
    May 2009
    Beans
    17

    Re: UBUNTU 9.10 - using rsyslog to log router activity in separate file

    This is already assuming you modified your router to send logging to a remote server.

    In /etc/rsyslog.conf uncomment the following lines

    Code:
    # provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514
    
    # provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514
    Then append into the end of /etc/rsyslog.conf or into /etc/rsyslog.d/50-default.conf

    Code:
    # Router logging
    :source, isequal, "router_address" /var/log/<log_file_name>
    & ~
    Finally,
    Code:
    sudo restart rsyslog
    Last edited by encore2097; January 27th, 2010 at 02:41 AM.

  3. #3
    Join Date
    Mar 2009
    Beans
    14
    Distro
    Ubuntu 11.04 Natty Narwhal

    Thumbs down Re: UBUNTU 9.10 - using rsyslog to log router activity in separate file

    Hey,

    Thanks for your reply. I added the following to my rsyslog.conf

    Code:
    # Router logging
    :source, isequal, "192.168.11.1" /var/log/router.log
    :source, isequal, "192.168.11.1" ~
    but it still didn't seem to work. Thankfully though, your tip gave me the lead i was looking for and managed to track down other examples in the documentation.
    in the end i've managed to use

    :msg, contains, "routername", /var/log/router.log

    This works well as my router sends its name with every message and is now writing to the router.log.

    My bad news is that it's still also writing to syslog. Any idea how to stop this? In the meantime i'll go back to the documentation and see if i can spot the answer.

    Thanks again for your help.

  4. #4
    Join Date
    Mar 2009
    Beans
    14
    Distro
    Ubuntu 11.04 Natty Narwhal

    Smile Re: UBUNTU 9.10 - using rsyslog to log router activity in separate file

    Hey,

    I now understand the ~ on the second line you gave me.

    It seems that the default conf files are read in first, so i just had to add that stuff to the top of that file so that we logged to router.log and then discarded the message from further processing.

    You've been most helpful. Thank you.

  5. #5
    Join Date
    May 2009
    Beans
    17

    Re: UBUNTU 9.10 - using rsyslog to log router activity in separate file

    The second line should have been
    Code:
    & ~
    I updated the original post.

    It seems you got it working, if you want you can also try
    Code:
    :fromhost-ip, isequal, "router_address" /var/log/<log_file_name>
    This page is also extremely helpful
    http://www.rsyslog.com/doc-multi_ruleset.html

    You also should look into adding a logrotate script, here's mine.
    Code:
    /var/log/<log_file_name>
    {
            rotate 12
            monthly
            missingok
            notifempty
            compress
            delaycompress
            postrotate
                    reload rsyslog >/dev/null 2>&1 || true
            endscript
    }
    Last edited by encore2097; January 27th, 2010 at 04:28 AM.

  6. #6
    Join Date
    Jul 2008
    Location
    Buenos Aires, Argentina
    Beans
    15
    Distro
    Ubuntu 9.10 Karmic Koala

    Re: UBUNTU 9.10 - using rsyslog to log router activity in separate file

    Hi,
    I did this but it seems that I am not being able to log all events.

    If I compare my router's web configuration against the log in my PC I find that I am missing some lines. For example:

    INSIDE ROUTER:
    Mon Apr 19 20:46:10 2010 Unallowed access from WLAN 00-05-CD-14-4F-57

    Mon Apr 19 20:46:10 2010 Unallowed access from WLAN 00-05-CD-14-4F-57

    Mon Apr 19 20:46:14 2010 Unallowed access from WLAN 00-05-CD-14-4F-57

    Mon Apr 19 20:46:22 2010 Unallowed access from WLAN 00-05-CD-14-4F-57

    Mon Apr 19 20:46:25 2010 ICMP: type 3 code 1 from 115.163.251.157
    Mon Apr 19 20:46:26 2010 Unallowed access from WLAN 00-05-CD-14-4F-57

    Mon Apr 19 20:46:26 2010 Unallowed access from WLAN 00-05-CD-14-4F-57

    Mon Apr 19 20:46:38 2010 Unallowed access from WLAN 00-05-CD-14-4F-57

    INSIDE LOG:
    Apr 19 21:21:55 192.168.0.1 ICMP: type 3 code 1 from 90.28.156.212#015
    Apr 19 21:23:55 192.168.0.1 ICMP: type 3 code 1 from 115.163.251.157#015
    Apr 19 21:26:55 192.168.0.1 ICMP: type 3 code 1 from 86.28.225.204#015
    Apr 19 21:27:10 192.168.0.1 ICMP: type 3 code 1 from 88.223.0.119#015


    I find that:
    1) time stamps are different (check the event with IP 115.163.251.156)
    2) No unallowed access is registered in LOG (and that's what I need).

    Any thoughts?

    Thank you!

  7. #7
    Join Date
    Feb 2005
    Location
    Melbourne, Australia
    Beans
    13,503
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: UBUNTU 9.10 - using rsyslog to log router activity in separate file

    Quote Originally Posted by el.demiurgo View Post
    Hi,
    I did this but it seems that I am not being able to log all events.
    ......
    Any thoughts?

    Thank you!
    Most systems have different settings for internal and external logging.

    Telnet into your router and see if you can access the external logging setup.
    Regards, David.
    Please use the Forum search and Wiki search for immediate help
    Please mark your thread as Solved when appropriate.
    New to technical forums?: How To Ask Questions The Smart Way

  8. #8
    Join Date
    Mar 2009
    Beans
    14
    Distro
    Ubuntu 11.04 Natty Narwhal

    Re: UBUNTU 9.10 - using rsyslog to log router activity in separate file

    My router always sends its name in each message, so i was able to follow encore's suggestion.

    It looks like your router is always sending its IP, so could you not filter on that?

    Code:
    # Router logging
    :msg, contains, "192.168.0.1" /var/log/router.log
    :msg, contains, "192.168.0.1" ~
    Adding the above to your /etc/rsyslog.d/50-default.conf file might then work (although you might want to change the log path to suit your needs..)

  9. #9
    Join Date
    Mar 2007
    Beans
    1

    Re: UBUNTU 9.10 - using rsyslog to log router activity in separate file

    thanks for this! this also works for 11.10.

    this is what I added to /etc/rsyslog.d/40-router.conf:

    Code:
    :msg, contains, "DIR-655" /var/log/router.log
    & ~
    notice I used 40-router.conf. the number prefix needs to be below 50 to apply before 50-default.conf which will log your router logs into /var/log/syslog

    hope this helps someone

    Quote Originally Posted by bionicdude View Post
    My router always sends its name in each message, so i was able to follow encore's suggestion.

    It looks like your router is always sending its IP, so could you not filter on that?

    Code:
    # Router logging
    :msg, contains, "192.168.0.1" /var/log/router.log
    :msg, contains, "192.168.0.1" ~
    Adding the above to your /etc/rsyslog.d/50-default.conf file might then work (although you might want to change the log path to suit your needs..)

  10. #10
    Join Date
    Jul 2007
    Location
    Magic City of the Plains
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: UBUNTU 9.10 - using rsyslog to log router activity in separate file

    Closed, necromancy.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •