My D-Link DIR-655 supports sending data over UDP port 514 to a syslog server. Here is my story on how to set it up with Rsyslog.
I use Fedora 10 here and D-Link DIR-655.
Rsyslog is the syslog module that runs as a service in Fedora. That is to say you can manage it using commands such as:
service rsyslog restart
Hence you have to modify how Fedora starts the rsyslog service when the above command is issued. You do this by editing /etc/sysconfig/rsyslog and changing the options line to include the -r option (rather than the default -m 0). Save this file and restart the syslog service as above. For other Linux distributions, make sure you are running rsyslog with -r (to check this, take a process snapshot as below and examine the output to see how rsyslog was started on your system. If you don't see anything, that means you're not running rsyslog, so start it!).
ps aux | grep -i rsyslog
After the above modification is complete, find out the IP of your machine (e.g. using ifconfig). Obviously, make sure your machine has a static IP (on Fedora, edit /etc/sysconfig/network-scripts/ifcfg-eth1 and save your settings). Now go to your router and type in the IP of the server you want to post your logs to. Restart the router.
On my Fedora, I have iptraf installed, which I use to make sure that my router is sending logs to my server on port 514 (remember because we used -r above, the default rsyslog port is used which is 514). If you are familiar with iptraf, it could be a handy tool for debugging in case you run into issues.
Now you want to make sure that UDP port 514 is open if you are using a firewall (e.g. iptables). Do this by editing the following file.
vi /etc/sysconfig/iptables
Add the following line somewhere before COMMIT, in order to open UDP port 514, and save the file. [IMPORTANT: here make sure your *nix server is not behind DMZ]
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
Now restart iptables (e.g. using service iptables restart).
If this is the first time you are playing with rsyslog, the chances are that Rsyslog isn't configured to allow UDP logging. To enable this, uncomment the following lines (if they exist) in your /etc/rsyslog.conf and restart the Rsyslog service.
$ModLoad imudp.so
$UDPServerRun 514
You are now done and you should see your logs being saved inside /var/log/messages. Here is an example of mine. See how this clown "67.158.78.125" is sniffing?
At this point, we can take it a step further and configure Rsyslog to save all the router logs in their own rolling logs. All you have to do is modify /etc/rsyslog.conf to look like this.
:msg, contains, "DIR-655" /var/log/router
:msg, contains, "DIR-655" ~
*.info;mail.none;authpriv.none;cron.none /var/log/messages
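To make the UDP reception and the filter rules above concrete, here is an added example (not code from the original post or from the rsyslog project) that behaves like a tiny imudp: it parses the RFC 3164 PRI header of each datagram, accepts datagrams only from the router's address (the same idea as rsyslog's $AllowedSender directive, worth adding since UDP syslog is unauthenticated and anyone who can reach port 514 can write to your logs), and routes messages containing "DIR-655" to /var/log/router and everything else per the *.info;mail.none;authpriv.none;cron.none rule. The router address and the sample messages are constructed for this example.

```python
import re
import socket

ROUTER_IP = "192.168.0.1"   # assumed router address for this example; adjust to yours
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# Facilities excluded by the catch-all rule: mail=2, cron=9, authpriv=10
EXCLUDED_FACILITIES = {2, 9, 10}


def parse_pri(datagram: str):
    """Split the <PRI> header into (facility, severity, message).

    A datagram without a PRI header is treated as RFC 3164 says, as
    priority 13 (user.notice), which is also what rsyslog does.
    """
    m = PRI_RE.match(datagram)
    if not m:
        return 1, 5, datagram
    pri = int(m.group(1))
    return pri >> 3, pri & 7, m.group(2)


def route(datagram: str, src_ip: str, allowed=(ROUTER_IP,)):
    """Return the file a datagram lands in, or None if it is dropped.

    Mirrors the rule order of the rsyslog.conf above: a "DIR-655" message
    is written to /var/log/router and then discarded by the "~" action, so
    it never reaches /var/log/messages. Other messages hit the catch-all
    rule: severity info (6) or more severe, except mail/authpriv/cron.
    """
    if src_ip not in allowed:
        return None  # sender is not the router: drop the datagram
    facility, severity, msg = parse_pri(datagram)
    if "DIR-655" in msg:
        return "/var/log/router"
    if severity <= 6 and facility not in EXCLUDED_FACILITIES:
        return "/var/log/messages"
    return None


def serve(bind="0.0.0.0", port=514):
    """Listen like imudp would (binding 514 requires root) and append each
    accepted datagram to the file route() picks for it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (src, _) = sock.recvfrom(4096)
        text = data.decode("utf-8", "replace").rstrip("\n")
        dest = route(text, src)
        if dest:
            with open(dest, "a") as fh:
                fh.write(text + "\n")
```

Run serve() as root on the log server and point the router at it; route() can be exercised on its own with sample datagrams without opening any socket.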
You can also configure rsyslog to work with MySQL, which on Fedora requires the rsyslog-mysql package, so install it with yum if you want MySQL support. Make sure to add $ModLoad MySQL to the top of your /etc/rsyslog.conf, and also add *.* >yourmysql,con,string to redirect everything to MySQL. (Note that you need to create the table you have in your connection string; for the MySQL setup, look at the documentation for MySQL and rsyslog, there is a createDB.sql file you can use if you want.) Now restart rsyslog using service rsyslog restart and you should get your router logs in your MySQL.


1 Comment until now
You should try using Splunk to capture and actually use the data. http://www.splunk.com
Very cool. And free!