Setting Up Linux Mint RSyslog Server to Log Vigor Router Data

Much of this post is a brief intro to logging interface traffic in general and then viewing the logs at a basic level; it applies to most other devices that can send to UDP port 514 for logging.

My Vigor 2830 has a syslog feature that can send various packet-type data to another syslog server over the network, set up via its SysMaintenance page:

vigorlogging.png

It also has an email alert function that I have not ever received info from, bar the first test mail! This is despite repeated pings to the external interface, which I would hope would trigger as a DoS attack, as ticked above and as shown being sent in the video below…?

The setup for your Linux server to accept these logs can be done in very few steps. First, check via nmap that UDP port 514 on your server (192.168.1.5 below) is not already set up and running:

sudo nmap -sU -p 514 192.168.1.5

Starting Nmap 6.40 ( http://nmap.org ) at 2016-07-31 22:37 BST

Nmap scan report for 192.168.1.5

Host is up (0.0018s latency).

PORT STATE SERVICE

514/udp closed syslog

MAC Address: 00:23:54:3A:EB:9A (Asustek Computer)

Uncomment the lines:

sudo vi /etc/rsyslog.conf

$ModLoad immark # provides --MARK-- message capability

$ModLoad imudp

$UDPServerRun 514

Restart rsyslog:

sudo service rsyslog restart

rsyslog stop/waiting

rsyslog start/running, process 4219

Check that the service is now running for port 514:

sudo nmap -sU -p 514 192.168.1.5

Starting Nmap 6.40 ( http://nmap.org ) at 2016-07-31 22:38 BST

Nmap scan report for 192.168.1.5

Host is up (0.0023s latency).

PORT STATE SERVICE

514/udp open|filtered syslog

MAC Address: 00:23:54:3A:EB:9A (Asustek Computer)

Now you should be able to test it by viewing the log output from the router in real time with

tail -f /var/log/syslog

while sending the external interface some pings and an nmap scan. The router's dynamic WAN IP address, 87.112.104.207, is found here:

WANIP.png

You can see the varied ports nmap uses to probe the interface in the video:

If you want to scan the logs in future for Vigor-specific data, you can grep for Vigor:

cat /var/log/syslog | grep Vigor

or view the output in real time:

tail -f /var/log/syslog | grep Vigor

grepvigor.png

or, for nmap probes or DoS pings, you can grep for ICMP:

cat /var/log/syslog | grep ICMP

vigorICMP.png
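The two grep views above, done as an added Python example (not code from the original post) over a constructed syslog sample whose Vigor message shape is an assumption: it filters the router's lines, tallies ICMP senders, and lists sources that touched many distinct ports, the trace the nmap probing in the video leaves:

```python
import re
from collections import Counter, defaultdict
# Constructed /var/log/syslog sample as rsyslog writes what it receives on
# UDP/514; Vigor message bodies are an assumed shape, not a real capture.
SAMPLE_SYSLOG = """\
Jul 31 22:40:03 Vigor2830 Vigor: [DoS][ICMP] 203.0.113.9 -> 87.112.104.207 ICMP echo request
Jul 31 22:40:03 Vigor2830 Vigor: [DoS][ICMP] 203.0.113.9 -> 87.112.104.207 ICMP echo request
Jul 31 22:40:04 Vigor2830 Vigor: [DoS][ICMP] 203.0.113.9 -> 87.112.104.207 ICMP echo request
Jul 31 22:40:05 Vigor2830 Vigor: [Block] 203.0.113.9:41234 -> 87.112.104.207:22 TCP
Jul 31 22:40:05 Vigor2830 Vigor: [Block] 203.0.113.9:41235 -> 87.112.104.207:80 TCP
Jul 31 22:40:06 Vigor2830 Vigor: [Block] 203.0.113.9:41236 -> 87.112.104.207:443 TCP
Jul 31 22:40:07 Vigor2830 Vigor: [Allow] 194.74.65.98 -> 87.112.104.207 ICMP echo reply
Jul 31 22:40:08 hpmint CRON[4321]: (root) CMD (run-parts /etc/cron.hourly)
"""
# BSD-syslog line (timestamp host tag[pid]: msg) and the assumed
# "src[:port] -> dst[:port]" pair inside a Vigor message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?")

def parse_line(line):
    """Split one syslog line into its fields; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def vigor_lines(text):
    """Equivalent of 'grep Vigor /var/log/syslog': only the router's lines."""
    return [ln for ln in text.splitlines() if "Vigor" in ln]

def icmp_sources(text):
    """Count ICMP lines per source address (the 'grep ICMP' view, tallied)."""
    counts = Counter()
    for ln in vigor_lines(text):
        rec = parse_line(ln)
        flow = FLOW_RE.search(rec["msg"]) if rec and "ICMP" in rec["msg"] else None
        if flow:
            counts[flow.group(1)] += 1
    return counts

def port_probe_sources(text, min_ports=3):
    """Sources hitting >= min_ports distinct destination ports: a scan's trace."""
    ports = defaultdict(set)
    for ln in vigor_lines(text):
        rec = parse_line(ln)
        flow = FLOW_RE.search(rec["msg"]) if rec else None
        if flow and flow.group(4):
            ports[flow.group(1)].add(int(flow.group(4)))
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)
```

Run it against a real /var/log/syslog by reading the file into `text`; the patterns only need adjusting if your router's message bodies differ from the assumed shape.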

If you see suspicious-looking traffic, you may be able to check the source IP address using an Internet whois service, though any decent potential hacker would be spoofing it anyway (spoofing is practical for one-way traffic such as ICMP floods; a port scan that needs the replies usually comes from a real address). But to give you an idea, say you are curious about 173.194.144.50:

whois.png

Ah, it's just Google, as I have my browser open…!

But why use the browser when Unix has had these tools built in for years? You can check, for example, the IP of your gateway service that shows up talking to your router:

whois 194.74.65.98

% This is the RIPE Database query service.

% The objects are in RPSL format.

%

% The RIPE Database is subject to Terms and Conditions.

% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Note: this output has been filtered.

% To receive output for a database update, use the "-B" flag.

% Information related to '194.74.65.0 - 194.74.65.255'

% Abuse contact for '194.74.65.0 - 194.74.65.255' is 'abuse@bt.com'

inetnum: 194.74.65.0 - 194.74.65.255

netname: BT-UKIP-IPV4-INFRASTRUCTURE

descr: Private Circuit Customer Networks

country: GB

admin-c: BS1474-RIPE

tech-c: BS1474-RIPE

status: ASSIGNED PA

remarks: Please send abuse notification to abuse@bt.net

remarks: New netname

remarks: INFRA-AW

mnt-by: BTNET-MNT

mnt-lower: BTNET-MNT

mnt-routes: BTNET-MNT

created: 2003-08-20T09:18:52Z

last-modified: 2010-07-29T09:43:25Z

source: RIPE

role: BTnet Support

address: Adhara

address: Adastral Park

address: Martlesham Heath

address: Ipswich

address: SUFFLK IP5 3RE

address: GB

phone: +44 800 0858963 5

phone: +44 1473 336231

admin-c: FLS15-RIPE

tech-c: BS1474-RIPE

nic-hdl: BS1474-RIPE

remarks: For all queries contact as2856peering@bt.com

remarks: Please send delisting issues to btnetdns@bt.net

mnt-by: BTNET-MNT

created: 2002-04-30T07:54:10Z

last-modified: 2009-11-19T15:52:52Z

source: RIPE # Filtered

% Information related to '194.72.0.0/14AS2856'

route: 194.72.0.0/14

descr: BTnet

origin: AS2856

mnt-by: BTNET-INFRA-MNT

created: 1970-01-01T00:00:00Z

last-modified: 2014-07-30T09:23:02Z

source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.87.4 (BLAARKOP)

Perfectly legit, as my ISP is Plusnet, owned by BT!

If you wish to view the remote logs locally in a clearer window than vim, try the rather basic Log File Viewer found in Menu/Admin:

stevee@AMD ~ $ ssh -X hpmint

stevee@hpmint ~ $ gnome-system-log

Next, choose a GUI log analyzer to suit your preference:

http://xmodulo.com/open-source-log-monitoring-tools-linux.html

If you are serious about logging interface traffic you need to install Snort. I may do a post on it soon.

If you only want to use tools from the Linux repositories, you can explore log-related options by hitting the Tab key after "log", then research candidates such as logster, loganalyzer etc.:

sudo apt-get install log
loganalyzer logfs-tools-dbg logisim logstalgia
logapp loggedfs logitech-applet logster
logaricheck loggedfs-dbg logjam logtail
logcentral loggerhead logkeys logtool
logcentral-tools loggerhead-doc logol logtools
logcheck logidee-tools logol-bin logtop
logcheck-database login logreq logwatch
logfs-tools login-duo logrotate

Logs you may want to investigate residing in /var/log:

logs.png
