Solved

Red Hat Linux Firewall - How to configure so syslog traffic is redirected to different IP address?

Posted on 2006-06-21
Last Modified: 2008-03-06
Hello,

I need to write a Perl script (to run on a Linux server node) that intercepts all syslog messages from a Linux client node, e.g. generated from its firewall, etc.  

1) Usually, with log generating clients, you can redirect where they send the log entries to the syslog server via the syslog server's IP address.  But for the life of me, I cannot figure out how to configure Red Hat Linux's firewall to do so.  I type in system-config-securitylevel, and I cannot find where I would be able to redirect syslog traffic.  Any suggestions on how to configure the firewall to do what I want?

2) What are examples of other programs that generate syslog?  How do I configure them?

Thanks!!!
Rawray
Question by:rawray
 
LVL 16

Expert Comment

by:Blaz
ID: 16957243
You might want to check "man syslogd"
http://linux.about.com/od/commands/l/blcmdl8_syslogd.htm

Section "Support for remote logging"
 
LVL 18

Expert Comment

by:decoleur
ID: 17030386
1) you do not want to configure the firewall to redirect the syslog traffic, you want to instruct the applications that are generating logs to direct their traffic to the syslog server.
2) some links on configuring syslogs to get you going:

http://www.softpanorama.org/Logs/Syslog/syslog_configuration_examples.shtml
http://www.adventnet.com/products/webnms/syslog/help/syslog_fp/start_forward.html
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch05_:_Troubleshooting_Linux_with_syslog

let me know if you have any specific questions regarding any of the content presented.

-t
 

Author Comment

by:rawray
ID: 17039403
Thanks to both decoleur and Blaz,

All links have been extremely helpful.  

By the way, what Linux file calls syslogd on startup?  I think the call needs to be modified to "syslogd -r" in order to get what I'm trying to do to work, i.e. forwarding log messages from one machine to a dedicated syslog server.

Best,
Rawray
 
LVL 18

Expert Comment

by:decoleur
ID: 17044921
on a redhat server you will want to confirm that the syslogd service is configured to start on boot:

try
/sbin/chkconfig --list | grep syslog
this should show you if syslogd is configured to start on boot.
/sbin/chkconfig --levels 2345 syslogd on
this will configure syslogd to start when the system is in run levels 2-5

/sbin/service syslogd status
this will let you know if the service is running or not

hope this helps

-t
 
LVL 16

Expert Comment

by:Blaz
ID: 17048362
If you are running a not too old redhat linux or fedora distribution then you can add the "-r" option in /etc/sysconfig/syslog file in line SYSLOGD_OPTIONS

Otherwise you can change the /etc/rc.d/init.d/syslog script to include the -r option.
 

Author Comment

by:rawray
ID: 17079755
Hi decoleur and Blaz,

Thanks so much again for all your help.  I will award points soon.

I did all of the above on my Fedora Core 4 Linux system.  Here is what I get:

/sbin/chkconfig --list | grep syslog –
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off

/sbin/chkconfig --levels 2345 syslogd on –
error reading information on service syslogd: No such file or directory
 
/sbin/service syslogd status –
unrecognized service

What is going on, and where is syslogd?

Thanks so much!
Rawray
 
LVL 16

Expert Comment

by:Blaz
ID: 17080169
On Fedora Core 4 you should add the "-r" option in /etc/sysconfig/syslog file in line SYSLOGD_OPTIONS and then do a "/etc/init.d/syslog restart"
 
LVL 18

Assisted Solution

by:decoleur
decoleur earned 225 total points
ID: 17080265
the application that you should query with chkconfig is syslog not syslogd, as shown by your successful query:

/sbin/chkconfig --list | grep syslog –
syslog          0:off   1:off   2:on    3:on    4:on    5:on    6:off

and based upon that you do not need to run
/sbin/chkconfig --levels 2345 syslog on

as it already has been (this is what toggles the different run levels from off to on, and right now 2,3,4,5 are all on).

try running:
/sbin/service syslog status
and you should get results...

hope this helped.
 

Author Comment

by:rawray
ID: 17083517
Hi decoleur and Blaz,

Changed line in /etc/sysconfig/syslog to

SYSLOGD_OPTIONS="-m -r 0"

/etc/init.d/syslog restart gives:

Shutting down kernel logger:                               [  OK  ]
Shutting down system logger:                               [FAILED]
Starting system logger:                                    [FAILED]
Starting kernel logger:                                    [  OK  ]

and thus /sbin/service syslog status gives:

syslogd is stopped
klogd (pid 3553) is running...

How do I START syslogd?  Why do you think attempts FAILED?

Thanks so much!
 
LVL 16

Accepted Solution

by:
Blaz earned 275 total points
ID: 17087967
"-m 0" is a single parameter and you should not split it with the -r option. So your file should look like:

SYSLOGD_OPTIONS="-m 0 -r"

Probably this is the only reason for syslog not starting, so you can do a
/etc/init.d/syslog restart
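A worked example of the fix in this accepted answer and in Blaz's earlier note about /etc/sysconfig/syslog, added here as an illustration and not code from the thread: a small POSIX sh script that rewrites the SYSLOGD_OPTIONS line of a sysconfig-style file so that "-m 0" stays together as one option pair and "-r" is appended exactly once, which also repairs the "-m -r 0" form that made syslogd fail to start. The function names, the handling of a missing SYSLOGD_OPTIONS line and the .new temporary file are assumptions; the page itself only states the two option strings.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): normalise SYSLOGD_OPTIONS so that
# remote reception (-r) is enabled without splitting the "-m <interval>" pair.

# fix_syslogd_options OPTS -> prints the corrected option string.
# Rules: "-m" keeps its numeric value as the very next word, a stray "-r"
# wedged between "-m" and its value is discarded, and "-r" is appended once.
fix_syslogd_options() {
    mark=""          # value given to -m, if any
    rest=""          # every other option, in original order
    expect_mark=0    # 1 while we are waiting for the value that follows -m
    for w in $1; do
        if [ "$expect_mark" -eq 1 ]; then
            case "$w" in
                -r) continue ;;                   # "-m -r 0": skip the misplaced -r
                *)  mark="$w"; expect_mark=0; continue ;;
            esac
        fi
        case "$w" in
            -r) ;;                                # dropped here, appended once below
            -m) expect_mark=1 ;;
            *)  rest="${rest:+$rest }$w" ;;
        esac
    done
    out=""
    [ -n "$mark" ] && out="-m $mark"
    [ -n "$rest" ] && out="${out:+$out }$rest"
    out="${out:+$out }-r"
    printf '%s\n' "$out"
}

# enable_remote_syslog FILE -> rewrites the SYSLOGD_OPTIONS="..." line of FILE
# (a sysconfig-style file such as /etc/sysconfig/syslog) in place. If the
# line is absent it is appended. Option strings contain no '|' or '&', so
# they are safe to splice into the sed replacement below.
enable_remote_syslog() {
    file="$1"
    current=$(sed -n 's/^SYSLOGD_OPTIONS="\(.*\)"$/\1/p' "$file" | head -n 1)
    fixed=$(fix_syslogd_options "$current")
    if grep -q '^SYSLOGD_OPTIONS=' "$file"; then
        sed "s|^SYSLOGD_OPTIONS=\".*\"|SYSLOGD_OPTIONS=\"$fixed\"|" "$file" > "$file.new" \
            && mv "$file.new" "$file"
    else
        printf 'SYSLOGD_OPTIONS="%s"\n' "$fixed" >> "$file"
    fi
}

# Usage: sh fixopts.sh /etc/sysconfig/syslog  (then /etc/init.d/syslog restart)
if [ "$#" -ge 1 ]; then
    enable_remote_syslog "$1"
fi
```

After the rewrite, restart with /etc/init.d/syslog restart as the answer says and confirm with /sbin/service syslog status. Note that "-r" makes syslogd accept messages on UDP port 514 from any host, which is the firewall question from the original post seen from the server side: pair it with a host-firewall rule that allows udp/514 only from the client node's address, so the collector does not become a sink for unsolicited or spoofed log traffic.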
