Red Hat Linux Firewall - How to configure so syslog traffic is redirected to different IP address?

Hello,

I need to write a Perl script (to run on a Linux server node) that intercepts all syslog messages from a Linux client node, e.g. generated from its firewall, etc.  

1) Usually, with log generating clients, you can redirect where they send the log entries to the syslog server via the syslog server's IP address.  But for the life of me, I cannot figure out how to configure Red Hat Linux's firewall to do so.  I type in system-config-securitylevel, and I cannot find where I would be able to redirect syslog traffic.  Any suggestions on how to configure the firewall to do what I want?

2) What are examples of other programs that generate syslog?  How do I configure them?

Thanks!!!
Rawray
rawray Asked:
 
Blaz Commented:
"-m 0" is a single parameter and you should not split it with the -r option. So your file should look like:

SYSLOGD_OPTIONS="-m 0 -r"

Probably this is the only reason for syslog not starting, so you can do a
/etc/init.d/syslog restart
 
Blaz Commented:
You might want to check "man syslogd"
http://linux.about.com/od/commands/l/blcmdl8_syslogd.htm

Section "Support for remote logging"
 
decoleur Commented:
1) you do not want to configure the firewall to redirect the syslog traffic, you want to instruct the applications that are generating logs to direct their traffic to the syslog server.
2) some links on configuring syslogs to get you going:

http://www.softpanorama.org/Logs/Syslog/syslog_configuration_examples.shtml
http://www.adventnet.com/products/webnms/syslog/help/syslog_fp/start_forward.html
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch05_:_Troubleshooting_Linux_with_syslog

let me know if you have any specific questions regarding any of the content presented.

-t
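To make decoleur's point concrete: the client side is a one-line change in its /etc/syslog.conf, such as `*.* @loghost`, followed by a syslogd restart; the server side is syslogd started with -r (or a script of your own bound to 514/udp). The only firewall change involved is on the server, which must accept inbound 514/udp, and because BSD syslog over UDP carries no authentication and sender addresses are trivially forged, that rule should be limited to the client's address. The block below is an added example, not code from the thread or from any of the posters: it decodes datagrams in the form sysklogd forwards them (`<PRI>Mmm dd hh:mm:ss host tag: message`) into facility, severity, host, tag and message, which is the parsing a receiving script has to do. The sample datagrams are constructed, and the `--listen` mode, which uses socat to read 514/udp, is an assumption not mentioned in the thread.

```sh
#!/bin/sh
# Added example, not code from the thread: the receiving side of "*.* @server"
# forwarding. decode_syslog parses one BSD syslog datagram as sysklogd sends it,
# "<PRI>Mmm dd hh:mm:ss host tag: message", where PRI = facility*8 + severity.
# The --listen mode (socat reading UDP 514) is an assumption, not from the thread.

facility_name() {
    case "$1" in
        0) echo kern ;;    1) echo user ;;    2) echo mail ;;      3) echo daemon ;;
        4) echo auth ;;    5) echo syslog ;;  6) echo lpr ;;       7) echo news ;;
        8) echo uucp ;;    9) echo cron ;;    10) echo authpriv ;; 11) echo ftp ;;
        16) echo local0 ;; 17) echo local1 ;; 18) echo local2 ;;   19) echo local3 ;;
        20) echo local4 ;; 21) echo local5 ;; 22) echo local6 ;;   23) echo local7 ;;
        *) echo "facility$1" ;;
    esac
}

severity_name() {
    case "$1" in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
    esac
}

# decode_syslog LINE: print facility, severity, timestamp, host, tag and message
# separated by tabs; return 1 (with a note on stderr) if the PRI header is missing
# or out of range.
decode_syslog() {
    line=$1
    case "$line" in
        '<'[0-9]*'>'*) ;;
        *) echo "no PRI header: $line" >&2; return 1 ;;
    esac
    pri=${line#<}; pri=${pri%%>*}; rest=${line#*>}
    [ "$pri" -le 191 ] 2>/dev/null || { echo "bad PRI '$pri'" >&2; return 1; }
    fac=$((pri / 8)); sev=$((pri % 8))      # PRI = facility*8 + severity
    ts=$(printf '%s' "$rest" | cut -c1-15)  # "Mmm dd hh:mm:ss" is fixed width
    rest=$(printf '%s' "$rest" | cut -c17-) # skip the space after the timestamp
    host=${rest%% *}; rest=${rest#* }
    tag=${rest%%:*}                         # "su", "kernel", "crond[812]"
    msg=${rest#*: }
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        "$(facility_name "$fac")" "$(severity_name "$sev")" "$ts" "$host" "$tag" "$msg"
}

if [ "${1:-}" = "--listen" ]; then
    # Assumed listener: socat hands every datagram on 514/udp to decode_syslog.
    # Run as root on the server; syslogd -r must not be holding the port as well.
    socat -u UDP-RECV:514 - | while IFS= read -r line; do decode_syslog "$line"; done
else
    # Constructed sample datagrams: an su failure and an iptables LOG line from
    # the client's firewall, in the form syslogd forwards them.
    printf '%s\n' \
        "<34>Oct 11 22:14:15 client su: 'su root' failed for lonvick on /dev/pts/8" \
        "<4>Oct 11 22:14:16 client kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP DPT=22" |
    while IFS= read -r line; do decode_syslog "$line"; done
fi
```

Run it without arguments to see the two constructed lines decoded; `sh script.sh --listen` on the server replaces syslogd -r, since only one process can own 514/udp (if syslogd -r already receives, have the script read the file syslogd writes instead). On the server, pair either with an iptables rule that admits only the client, for example `iptables -I INPUT -p udp --dport 514 ! -s 192.0.2.20 -j DROP` with 192.0.2.20 standing in for the client's address; the -r flag itself accepts datagrams from anyone.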
 
rawray Author Commented:
Thanks to both decoleur and Blaz,

All links have been extremely helpful.  

By the way, what Linux file calls syslogd on startup?  I think the call needs to be modified to "syslogd -r" in order to get what I'm trying to do to work, i.e. forwarding log messages from one machine to a dedicated syslog server.

Best,
Rawray
 
decoleur Commented:
on a redhat server you will want to confirm that the syslogd service is configured to start on boot:

try
/sbin/chkconfig --list | grep syslog
this should show you if syslogd is configured to start on boot.
/sbin/chkconfig --levels 2345 syslogd on
this will configure syslogd to start when the system is in run levels 2-5

/sbin/service syslogd status
this will let you know if the service is running or not

hope this helps

-t
 
Blaz Commented:
If you are running a not too old redhat linux or fedora distribution then you can add the "-r" option in /etc/sysconfig/syslog file in line SYSLOGD_OPTIONS

Otherwise you can change the /etc/rc.d/init.d/syslog script to include the -r option.
 
rawray Author Commented:
Hi decoleur and Blaz,

Thanks so much again for all your help.  I will award points soon.

I did all of the above on my Fedora Core 4 Linux system.  Here is what I get:

/sbin/chkconfig --list | grep syslog
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off

/sbin/chkconfig --levels 2345 syslogd on
error reading information on service syslogd: No such file or directory

/sbin/service syslogd status
unrecognized service

What is going on, and where is syslogd?

Thanks so much!
Rawray
 
Blaz Commented:
On Fedora Core 4 you should add the "-r" option in /etc/sysconfig/syslog file in line SYSLOGD_OPTIONS and then do a "/etc/init.d/syslog restart"
 
decoleur Commented:
the application that you should query with chkconfig is syslog not syslogd, as shown by your successful query:

/sbin/chkconfig --list | grep syslog
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off

and based upon that you do not need to run
/sbin/chkconfig --levels 2345 syslog on

as it already has been (this is what toggles the different run levels from off to on, and right now 2, 3, 4, 5 are all on).

try running:
/sbin/service syslog status
and you should get results...

hope this helped.
 
rawray Author Commented:
Hi decoleur and Blaz,

Changed line in /etc/sysconfig/syslog to

SYSLOGD_OPTIONS="-m -r 0"

/etc/init.d/syslog restart gives:

Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [FAILED]
Starting system logger:                                    [FAILED]
Starting kernel logger:                                    [  OK  ]

and thus /sbin/service syslog status gives:

syslogd is stopped
klogd (pid 3553) is running...

How do I START syslogd?  Why do you think attempts FAILED?

Thanks so much!
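Blaz's accepted answer at the top of the thread explains this failure: `-m 0` is one option with one argument, so `SYSLOGD_OPTIONS="-m -r 0"` hands `-r` to `-m` as its mark interval and leaves a stray `0`, and syslogd refuses to start. The same mistake is easy to make with any of syslogd's argument-taking flags when editing /etc/sysconfig/syslog by hand, as described in Blaz's two posts above. The block below is an added example, not code from the thread or from the sysklogd package: a small checker that walks an options string the way syslogd's own option parsing does (the option letters are those of sysklogd's syslogd(8) man page) and reports the first flag that is missing or has a bad argument. The sample sysconfig files it writes are constructed stand-ins, not real /etc/sysconfig/syslog files.

```sh
#!/bin/sh
# Added example, not code from the thread: validate a SYSLOGD_OPTIONS line the
# way sysklogd's syslogd parses its arguments, so a split "-m 0" is caught
# before "service syslog restart" reports FAILED. Option letters per sysklogd
# syslogd(8): -a -f -l -m -p -s take an argument; -d -h -n -r -v -x take none.

# syslogd_opts_ok OPTSTRING: return 0 if every flag has the argument it needs
# and nothing is left over; otherwise print the first problem and return 1.
syslogd_opts_ok() {
    # Word-split the string exactly as the init script does with $SYSLOGD_OPTIONS.
    # shellcheck disable=SC2086
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -a|-f|-l|-p|-s)
                [ $# -ge 2 ] || { echo "$1 needs an argument"; return 1; }
                shift 2 ;;
            -m)
                # -m wants a mark interval in minutes; "-m -r 0" hands it "-r".
                case "${2:-}" in
                    ''|*[!0-9]*)
                        echo "-m needs a numeric mark interval, got '${2:-}'"
                        return 1 ;;
                esac
                shift 2 ;;
            -d|-h|-n|-r|-v|-x)
                shift ;;
            *)
                echo "unexpected argument '$1'"; return 1 ;;
        esac
    done
    return 0
}

# check_sysconfig FILE: pull SYSLOGD_OPTIONS="..." out of a sysconfig-style
# file (last occurrence wins, as in the shell) and validate it.
check_sysconfig() {
    opts=$(sed -n 's/^SYSLOGD_OPTIONS="\(.*\)"$/\1/p' "$1" | tail -n 1)
    [ -n "$opts" ] || { echo "empty or missing SYSLOGD_OPTIONS in $1"; return 1; }
    syslogd_opts_ok "$opts"
}

# Demo on constructed stand-ins for /etc/sysconfig/syslog (not the real file).
tmp=$(mktemp)
printf 'SYSLOGD_OPTIONS="-m -r 0"\nKLOGD_OPTIONS="-x"\n' > "$tmp"
check_sysconfig "$tmp" || echo "  -> rejected: the options that made the restart FAIL"
printf 'SYSLOGD_OPTIONS="-m 0 -r"\nKLOGD_OPTIONS="-x"\n' > "$tmp"
check_sysconfig "$tmp" && echo "accepted: mark messages off, remote reception on"
rm -f "$tmp"
```

Once the line reads `SYSLOGD_OPTIONS="-m 0 -r"`, `/etc/init.d/syslog restart` brings syslogd up listening on 514/udp. Note that -r accepts datagrams from any source, so on the server limit that port to the client's address with iptables rather than leaving it open to the whole network.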