[logs] Ref: Syslog Remote Logging

From: Sujit (skproject23@private)
Date: Sat Mar 26 2005 - 22:51:51 PST


Hi,

Thanks for replying to my earlier mail. All the replies I got suggested using the -r argument in the SYSLOG_OPTIONS in the /etc/sysconfig/syslog file.

However, we have already made that change. Also, the iptables commands used are:

At the server side:

iptables -A INPUT -s <client ip> -d <server ip> -j ACCEPT  
iptables -t filter -A INPUT -j LOG

At the client side:

iptables -A OUTPUT -s <client ip> -d <server ip> -j ACCEPT

No other iptables rule is present as shown by the iptables --list command.

Still the problem persists, i.e. packets from client to server only are getting logged, but not the actual log messages from the client, e.g. the authorization messages and other messages.

Just a question: do any changes have to be made in the client's or server's hosts.allow file? If yes, what?

Are there any other changes to be made in any of the Linux files, apart from the ones previously mentioned?

Can you please suggest a comprehensive online tutorial for syslog remote logging, which covers even the trivial aspects and also all the Linux file modifications that are required for successful remote logging?

I'm sending the syslog.conf files again for your convenience.

Thanks in advance,

Sujit.


# client's syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*							/var/log/kern.txt

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none		/var/log/messages
# 192.168.7.142 is the server ip address
*.info;mail.none;authpriv.none;cron.none		@192.168.7.142

# The authpriv file has restricted access.
authpriv.*						/var/log/secure

# Log all the mail messages in one place.
mail.*							/var/log/maillog


# Log cron stuff
cron.*							/var/log/cron

# Everybody gets emergency messages
*.emerg							*

# Save news errors of level crit and higher in a special file.
uucp,news.crit						/var/log/spooler

# Save boot messages also to boot.log
local7.*						/var/log/boot.log

#server's syslog.conf

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*							/dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!

*.info;mail.none;authpriv.none;cron.none		/var/log/messages


# The authpriv file has restricted access.
authpriv.*						/var/log/secure
# Log all the mail messages in one place.
mail.*							/var/log/maillog
# Log cron stuff
cron.*							/var/log/cron
# Everybody gets emergency messages
*.emerg							*
# Save news errors of level crit and higher in a special file.
uucp,news.crit						/var/log/spooler
# Save boot messages also to boot.log
local7.*						/var/log/boot.log

# the packets getting logged, received at port 514 of the server
# server ip address 192.168.7.142
# client ip address 192.168.7.141

Mar 24 12:54:26 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=36 

Mar 24 12:54:26 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=65 

Mar 24 12:55:33 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=80 

Mar 24 12:56:24 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=61 

Mar 24 12:59:10 linuxws142 kernel: device eth0 entered promiscuous mode
Mar 24 13:00:00 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=56 

Mar 24 13:00:32 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=53 

Mar 24 13:00:46 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=80 

Mar 24 13:00:55 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=61 

Mar 24 13:05:12 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=100 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=80 

Mar 24 13:05:15 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=81 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=61  



_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
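An added diagnostic example in Python, not part of the original post or the thread, that works on the material above: it parses the iptables LOG lines into their fields and derives the syslog payload size from the second LEN= value (UDP length minus the 8-byte UDP header), builds and decodes the <PRI> prefix a BSD syslog client puts in front of every UDP datagram (PRI = facility * 8 + severity), and evaluates the client's own forwarding selector `*.info;mail.none;authpriv.none;cron.none` against messages the way sysklogd applies selector items left to right. That last part shows why a check at the selector level matters: an sshd or login record is logged under the authpriv facility, which `authpriv.none` removes from the `@192.168.7.142` line, so it is never sent, whereas a `user.notice` test message is forwarded. The host names, PID and message texts in the sample messages are constructed; the `send_datagram` helper is an assumption added for a live check against a lab server and is not exercised offline.

```python
import re
import socket

# BSD syslog (RFC 3164) facility and severity codes, the same ones sysklogd
# uses for selectors in syslog.conf. PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3,
              "error": 3, "warning": 4, "warn": 4, "notice": 5, "info": 6,
              "debug": 7}

# Forwarding selector copied from the client's syslog.conf in the post above.
CLIENT_FORWARD_SELECTOR = "*.info;mail.none;authpriv.none;cron.none"


def parse_selector(selector):
    """Turn a sysklogd selector into a per-facility threshold table.

    Items apply left to right, so 'authpriv.none' after '*.info' removes
    authpriv again. Only the plain 'facility.priority' and 'facility.none'
    forms are handled (no '=' or '!' modifiers)."""
    thresholds = {}
    for item in selector.split(";"):
        facs, _, prio = item.strip().rpartition(".")
        if facs == "*":
            targets = list(FACILITIES.values())
        else:
            targets = [FACILITIES[f.strip()] for f in facs.split(",")]
        level = None if prio == "none" else SEVERITIES[prio]
        for fac in targets:
            thresholds[fac] = level
    return thresholds


def selector_matches(selector, facility, severity):
    """True if syslogd would apply the selector's action to this message.
    Lower severity numbers are more urgent, so 'info' (6) also admits 0..5."""
    level = parse_selector(selector).get(facility)
    return level is not None and severity <= level


FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_iptables_log(line):
    """Parse one iptables LOG line into a dict of its KEY=VALUE fields.

    The line carries LEN= twice (IP total length, then UDP length); the second
    is stored as UDP_LEN, and PAYLOAD_BYTES is what is left after the 8-byte
    UDP header, i.e. the size of the syslog datagram itself."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = value
    if fields.get("PROTO") == "UDP" and "UDP_LEN" in fields:
        fields["PAYLOAD_BYTES"] = int(fields["UDP_LEN"]) - 8
    return fields


def build_message(facility, severity, timestamp, host, tag, text):
    """Build the datagram a client sends to an '@server' action."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {host} {tag}: {text}".encode()


def decode_pri(datagram):
    """Recover (facility, severity) from a received datagram's <PRI> prefix."""
    m = re.match(r"^<(\d{1,3})>", datagram.decode(errors="replace"))
    if not m:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8


def would_forward(datagram, selector=CLIENT_FORWARD_SELECTOR):
    """Would the client's forwarding line send this datagram at all?"""
    decoded = decode_pri(datagram)
    return decoded is not None and selector_matches(selector, *decoded)


def send_datagram(server_ip, datagram, port=514):
    """Assumed helper for a live lab check: send one datagram to the server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server_ip, port))


if __name__ == "__main__":
    # First LOG line from the post: UDP 514 -> 514, 28 bytes of syslog payload.
    sample = ("Mar 24 12:54:26 linuxws142 kernel: IN=eth0 OUT= MAC=00:10:dc:f0:b5:55:"
              "00:10:dc:f0:b4:cc:08:00 SRC=192.168.7.141 DST=192.168.7.142 LEN=56 "
              "TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=514 DPT=514 LEN=36")
    f = parse_iptables_log(sample)
    print(f["SRC"], "->", f["DST"], "udp/" + f["DPT"], "payload", f["PAYLOAD_BYTES"], "bytes")
    # Constructed messages: an sshd login record is authpriv, a logger test is user.
    login = build_message(FACILITIES["authpriv"], SEVERITIES["info"],
                          "Mar 24 12:54:26", "linuxws141", "sshd[1234]", "session opened")
    probe = build_message(FACILITIES["user"], SEVERITIES["notice"],
                          "Mar 24 12:54:26", "linuxws141", "logger", "remote syslog test")
    for d in (login, probe):
        print(d.decode(), "-> forwarded" if would_forward(d) else "-> dropped by selector")
```

Running it prints the parsed first LOG line from the post and the forwarding decision for each constructed message. For a live check, `logger -p user.notice "remote syslog test"` on the client sends a message the selector does forward, and it should then appear in the server's /var/log/messages under the `*.info` line there; a message that the client's selector drops can never show up on the server, whatever iptables or hosts.allow say, so it is worth separating "the datagram arrives" (which the LOG lines already prove) from "the client chose to send this message".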



This archive was generated by hypermail 2.1.3 : Sat Mar 26 2005 - 23:16:12 PST