New Member
Accepted Solution

External syslog working / partly... need assistance

Hey guys, from searching around, I was able to alter the level of logs that are going to my external box (graylog2)... however no matter what I do (even with facility all level debug) I am not getting some of the messages that get dumped into the /var/log/messages. The ones that are missing are the ones related directly to things like NAT and firewall items that I have set up to log in the gui.

The messages are hitting that /var/log/messages... Is there some special way to have logs that aren't normal syslog type things go to an external syslog? Or is this just a bug that they're not going?

All Replies
Emerging Member

Re: External syslog working / partly... need assistance

Can you post an example snippet of your /var/log/messages containing the entries that aren't being forwarded?

Use the little "insert code" option when creating the reply so that the log files are readable.

New Member

Re: External syslog working / partly... need assistance

Sure, any of the logs that are related to NAT / Firewall... Here's an example (I changed the MAC / IPs listed for anonymity):

ubnt kernel: [NAT-5-DNAT] IN=eth2 OUT= MAC=34:43:db:29:e0:22:00:aa:f1:af:c4:34:08:00 src=15.123.42.13 DST=99.99.84.24 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=64875 DF PROTO=TCP SPT=3591 DPT=9999 WINDOW=65535 RES=0x00 SYN URGP=0

 

These style ones are never forwarded off to the syslog.

Ubiquiti Employee

Re: External syslog working / partly... need assistance

Your current syslog, firewall, and NAT config on the ERL? Your external syslog config? Maybe enable logging for the external syslog server and see if anything looks suspect there?

Previous Employee

Re: External syslog working / partly... need assistance

Just out of curiosity I did a capture on the syslog port and I'm definitely seeing firewall logs being sent to the syslog server.

stig@ubnt-SJ:~$ sudo tcpdump -n -vv -i eth1 port 514      
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:49:53.275846 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 285)
    10.1.0.1.47786 > 10.1.1.24.514: [bad udp cksum 6602!] SYSLOG, length: 257
	Facility kernel (0), Severity warning (4)
	Msg: May 13 13:49:53 ubnt-SJ kernel: [LOCAL-default-D]IN=eth0 OUT= MAC=dc:9f:db:29:d0:cc:00:14:69:79:05:20:08:00 src=108.129.75.133 DST=204.113.31.178 LEN=64 TOS=0x00 PREC=0x00 TTL=43 ID=28891 DF PROTO=TCP SPT=50979 DPT=41934 WINDOW=65535 RES=0x00 SYN URGP=0 

 

My configuration is:

stig@ubnt-SJ# show system syslog host 
 host 10.1.1.24 {
     facility all {
         level notice
     }
 }
[edit]

 

EdgeMAX Router Software Development
New Member

Re: External syslog working / partly... need assistance

Interesting... I just did a tcpdump and it's throwing errors on the sections that aren't making it over properly. I have my syslog set up the same way you have yours:

show system syslog host
 host 192.168.2.103 {
     facility all {
         level notice
     }
 }
[edit]

 

Here's the error I'm seeing:

sudo tcpdump -n -vv -i br0 port 514
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
20:06:35.818714 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 273)
    192.168.2.1.42102 > 192.168.2.103.514: [bad udp cksum c65f!] SYSLOG, length: 245
	Facility kernel (0), Severity warning (4)
	Msg: May 13 20:06:35 ubnt kernel: [NAT-5-DNAT] IN=eth2 OUT= MAC=dc:9f:db:29:e0:d9:00:14:f1:e9:c4:d9:08:00 src=146.7.22.120 DST=75.141.84.22 LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=32280 DF PROTO=TCP SPT=13375 DPT=9999 WINDOW=65535 RES=0x00 SYN URGP=0 
	0x0000:  3c34 3e4d 6179 2031 3320 3230 3a30 363a
	0x0010:  3335 2075 626e 7420 6b65 726e 656c 3a20
	0x0020:  5b4e 4154 2d35 2d44 4e41 545d 2049 4e3d
	0x0030:  6574 6832 204f 5554 3d20 4d41 433d 6463
	0x0040:  3a39 663a 6462 3a32 393a 6530 3a64 393a
	0x0050:  3030 3a31 343a 6631 3a65 393a 6334 3a64
	0x0060:  393a 3038 3a30 3020 5352 433d 3132 2e37
	0x0070:  2e32 3332 2e31 3330 2044 5354 3d37 352e
	0x0080:  3134 332e 3834 2e32 3420 4c45 4e3d 3634
	0x0090:  2054 4f53 3d30 7830 3020 5052 4543 3d30
	0x00a0:  7830 3020 5454 4c3d 3438 2049 443d 3332
	0x00b0:  3238 3020 4446 2050 524f 544f 3d54 4350
	0x00c0:  2053 5054 3d31 3333 3735 2044 5054 3d39
	0x00d0:  3939 3920 5749 4e44 4f57 3d36 3535 3335
	0x00e0:  2052 4553 3d30 7830 3020 5359 4e20 5552
	0x00f0:  4750 3d30 20
20:06:35.889324 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 272)

Any ideas?  

Previous Employee

Re: External syslog working / partly... need assistance

That doesn't look like an error to me. Try doing a tcpdump on the syslog server to see if you see the same packet.

EdgeMAX Router Software Development
New Member

Re: External syslog working / partly... need assistance

Sure enough, I'm seeing it hitting the syslog server on the port... Using graylog; now I'm confused as to why it isn't parsing that data into the log.

New Member

Re: External syslog working / partly... need assistance

Digging a little deeper... on the graylog2 server that the messages are getting sent to, I see in the /var/log/kern.log file all of the missing logs. I guess this is a configuration issue in graylog or some plugin; guess I'll start working that side of the problem since I assume it's not the edgerouter now.

(If anyone gets graylog2 working properly, lemme know!)

New Member

Re: External syslog working / partly... need assistance

Hate to reply to my own messages... anyways, the solution was in the /etc/rsyslog.d/graylog.conf file....

When I had originally set it up it only had:

$template GRAYLOG2,"<%PRI%>1 %timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag% - %APP-NAME%: %msg:::drop-last-lf%\n"
$ActionForwardDefaultTemplate GRAYLOG2
$PreserveFQDN on
*.err;*.crit;*.alert;*.emerg;cron.*;auth,authpriv.* @localhost:10514

 

I was able to get the messages showing up by changing which levels it was parsing, by adding

kern.*;

Now I just need to figure out what levels I need to log etc...

learning experience...
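As an added worked example (not code from this thread, and not part of rsyslog, graylog2 or EdgeOS), the Python script below reproduces the selector logic behind the fix. It parses the <PRI> header of a syslog datagram into facility and severity, decodes the first line of the tcpdump hex dump posted earlier to show that it is just the "<4>May 13 20:06:" header (kernel facility, warning severity) and not an error, and then evaluates that message against the original graylog.conf selector and the same selector with kern.* added. The selector semantics follow rsyslog's classic facility.priority syntax; the NAT_DATAGRAM bytes are constructed from the NAT log line in the thread, and ROUTER_SELECTOR is my assumed shorthand for the ERL's "facility all / level notice" host setting.

```python
import re

# Facility and severity codes (RFC 3164 / RFC 5424); rsyslog uses the same numbering.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "panic": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {code: name for name, code in FACILITIES.items()}
SEVERITY_NAMES = "emerg alert crit err warning notice info debug".split()

# Selector line from the graylog.conf posted in the thread, and the same line with kern.* added.
ORIGINAL_SELECTOR = "*.err;*.crit;*.alert;*.emerg;cron.*;auth,authpriv.*"
FIXED_SELECTOR = "kern.*;" + ORIGINAL_SELECTOR
# Assumed equivalent of the ERL's "host ... { facility all { level notice } }" setting.
ROUTER_SELECTOR = "*.notice"

# Constructed datagram: the NAT log line from the thread with the <4> PRI tcpdump decoded put back.
NAT_DATAGRAM = (
    b"<4>May 13 20:06:35 ubnt kernel: [NAT-5-DNAT] IN=eth2 OUT= "
    b"MAC=dc:9f:db:29:e0:d9:00:14:f1:e9:c4:d9:08:00 SRC=146.7.22.120 DST=75.141.84.22 "
    b"LEN=64 TOS=0x00 PREC=0x00 TTL=48 ID=32280 DF PROTO=TCP SPT=13375 DPT=9999 "
    b"WINDOW=65535 RES=0x00 SYN URGP=0 "
)


def parse_pri(datagram: bytes):
    """Split a syslog datagram into (facility, severity, rest); PRI = facility * 8 + severity."""
    m = re.match(rb"<(\d{1,3})>(.*)\Z", datagram, re.S)
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, m.group(2).decode("utf-8", "replace")


def decode_hexdump_line(line: str) -> bytes:
    """Turn one tcpdump hex line (optionally prefixed with '0x0000:') back into bytes."""
    stripped = line.strip()
    payload = stripped.partition(":")[2] if stripped.startswith("0x") else stripped
    return bytes.fromhex(payload.replace(" ", ""))


def selector_matches(selector: str, facility: int, severity: int) -> bool:
    """Evaluate a classic rsyslog selector ("fac.pri;fac,fac.pri;...") for one message.

    Entries apply left to right. A plain level means that level and everything more
    severe (numerically lower); '=' is exact; 'none' and '!' forms undo earlier matches.
    """
    matched = False
    for entry in selector.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        fac_part, _, pri_part = entry.rpartition(".")
        if fac_part != "*":
            wanted = {FACILITIES[f.strip()] for f in fac_part.split(",")}
            if facility not in wanted:
                continue
        if pri_part == "*":
            matched = True
        elif pri_part == "none":
            matched = False
        elif pri_part.startswith("!="):
            if severity == SEVERITIES[pri_part[2:]]:
                matched = False
        elif pri_part.startswith("!"):
            if severity <= SEVERITIES[pri_part[1:]]:
                matched = False
        elif pri_part.startswith("="):
            if severity == SEVERITIES[pri_part[1:]]:
                matched = True
        elif severity <= SEVERITIES[pri_part]:
            matched = True
    return matched


def forwarding_report(datagram: bytes) -> dict:
    """Trace one message through the router threshold and both graylog.conf selector lines."""
    fac, sev, _ = parse_pri(datagram)
    return {
        "facility": FACILITY_NAMES[fac],
        "severity": SEVERITY_NAMES[sev],
        "leaves_router": selector_matches(ROUTER_SELECTOR, fac, sev),
        "forwarded_by_original_conf": selector_matches(ORIGINAL_SELECTOR, fac, sev),
        "forwarded_by_fixed_conf": selector_matches(FIXED_SELECTOR, fac, sev),
    }


if __name__ == "__main__":
    # First hex line of the tcpdump in the thread: it is the "<4>May 13 20:06:" header, not an error.
    print(decode_hexdump_line("0x0000:  3c34 3e4d 6179 2031 3320 3230 3a30 363a"))
    for key, value in forwarding_report(NAT_DATAGRAM).items():
        print(f"{key}: {value}")
```

The report shows the whole story of the thread in one place: the NAT log is kern.warning, which clears the router's notice threshold and reaches the collector, but the original selector only takes kernel messages at err and above, so the line was silently dropped by rsyslog before graylog ever saw it; kern.* admits it. Running selector_matches over the messages you expect to see is a cheap check to add whenever a forwarding rule is changed, since a dropped firewall or NAT log leaves no trace at the collector. The "bad udp cksum" that tcpdump prints on locally generated packets is normally a checksum-offload artifact rather than a transmission fault.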