Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Monitor Modem Log On Server



On 03/19/2016 10:42 AM, jbk wrote:
> On 03/19/2016 01:48 AM, Matthew Gillen wrote:
>> On 3/18/2016 9:52 PM, jbk wrote:
>>> I have a netgear modem with log export capability that I would like to monitor on my server. The server is running SL6.7. I presume that I need to open ports on the firewall and associated protocol.
>>> The modem has simple choices that allow me to point the output to a specific ip address but not a port.
>>> I need to tell syslog or maybe it's rsyslog to listen for the log broadcasts.
>>> So any hints would be helpful.
>> Run wireshark/tcpdump and see what port it is trying to connect to.
>> pcap comes in before your machine's local firewall, so don't worry about disabling that.
>>
>> # tcpdump -i eth0 host modem-ip-address
>>
>>
>> HTH,
>> Matt
Well, I am still trying to figure out how to receive the remote logs with rsyslog.

On the log server I used tcpdump as suggested:

# tcpdump -P inout -i eth1 host 10.251.227.6

and after a while and many ARP who-has requests I got this output:

19:26:32.924614 IP modem > all-systems.mcast.net: igmp query v3 [max resp time 10s]
19:27:39.046803 IP modem.filenet-obrok > 10.251.227.4.syslog: SYSLOG auth.info, length: 52
19:27:44.037418 ARP, Request who-has 10.251.227.4 tell modem, length 46
19:37:10.451896 IP modem > all-systems.mcast.net: igmp query v3 [max resp time 10s]
19:37:46.536009 IP modem.filenet-obrok > 10.251.227.4.syslog: SYSLOG syslog.info, length: 46
19:37:51.533377 ARP, Request who-has 10.251.227.4 tell modem, length 46

So it looks like I get an auth.info and then a syslog.info about 10 minutes apart.

In rsyslog.conf I've added some templates, rules and enabled listening on the udp port.

###############################
### Per-Host Templates for Remote Systems ###
$template TmplAuthpriv,"/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
$template TmplMsg,"/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
### end of user added lines

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

### jbk added lines per SysAdminGuideF23 20160319
# Provides TCP syslog reception
#$ModLoad imtcp
# Adding this ruleset to process remote messages
$RuleSet remote1
authpriv.*   ?TmplAuthpriv
*.info;mail.none;authpriv.none;cron.none   ?TmplMsg
$RuleSet RSYSLOG_DefaultRuleset   # End the rule set by switching back to the default rule set
$InputUDPServerBindRuleset remote1   # Define a new input and bind it to the "remote1" rule set
#$InputTCPServerRun 514
###################end of rsyslog edits############

I've opened the tcp and udp port 514 on the firewall and I've created the remote/auth and remote/msg directories in /var/log.

Note the template definitions are one line.

So there it is. What is hindering the log reception?

-- 
Jim Kelly-Rand
jbk at kjkelra.com
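The listener section of the configuration above, rearranged as an added illustration that is not part of the thread; it reuses the template and ruleset names from the post and assumes the server address 10.251.227.4 and modem address 10.251.227.6 seen in the tcpdump capture. In rsyslog's legacy directive syntax, $InputUDPServerBindRuleset and $UDPServerAddress only apply to the $UDPServerRun that follows them, so a listener started before the bind directive stays attached to the default ruleset.

```conf
### Per-host templates for remote systems (each on one line)
$template TmplAuthpriv,"/var/log/remote/auth/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"
$template TmplMsg,"/var/log/remote/msg/%HOSTNAME%/%PROGRAMNAME:::secpath-replace%.log"

### Rules for remote messages, kept in their own ruleset
### so they are never mixed into the local log files
$RuleSet remote1
authpriv.*                                  ?TmplAuthpriv
*.info;mail.none;authpriv.none;cron.none    ?TmplMsg
# Switch back so the rest of rsyslog.conf keeps applying to local messages
$RuleSet RSYSLOG_DefaultRuleset

### UDP reception: load the module, set the listener options,
### THEN start the listener. Keep exactly one $UDPServerRun 514
### in the whole file; a second one cannot bind the port again.
$ModLoad imudp
# Accept datagrams only from the modem (address taken from the capture)
$AllowedSender UDP, 10.251.227.6
# Listen only on the interface facing the modem (assumed address)
$UDPServerAddress 10.251.227.4
# Route everything this listener receives through "remote1"
$InputUDPServerBindRuleset remote1
$UDPServerRun 514
```

With imtcp left commented out, only udp/514 needs to be open on the firewall; after restarting rsyslog, a file under /var/log/remote/auth/<hostname>/ should appear at the next auth.info message from the modem.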




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org