In my office network we have a lot of small devices such as routers and switches. My boss wants me to produce a report on all of our network devices for auditing purposes. To accomplish this, I need a server that runs as a logging server, accepting the various types of logs that several devices send. Keeping the audit trail in one centralized location makes it much easier to review.
I will use my development server, which runs on CentOS, to receive logs from my Mikrotik router, 192.168.0.1, as shown in the picture below:
I am using the following variables:
Rsyslog OS: CentOS 6.0 64bit
Rsyslog Server IP: 192.168.0.160
Router hostname: router.mynetwork.org
Router IP: 192.168.0.1
Rsyslog Server
1. Install the Rsyslog package:
$ yum install rsyslog -y
2. Make sure you have the following lines uncommented in /etc/rsyslog.conf. The imudp/imtcp modules plus $UDPServerRun/$InputTCPServerRun make rsyslog listen on port 514 for remote senders; $AllowedSender limits which source addresses are accepted (the router sends syslog over UDP, so the UDP sender list is the one that matters for it):
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imudp.so
$UDPServerRun 514
$ModLoad imtcp.so
$InputTCPServerRun 514
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
# Only accept remote syslog from the local subnet (TCP) and from the router (UDP).
$AllowedSender TCP, 127.0.0.1, 192.168.0.0/24
$AllowedSender UDP, 127.0.0.1, 192.168.0.1
3. We need to add the following rule to /etc/rsyslog.conf so logs received from the router are written to a file called /var/log/router.log. Place it above the catch-all *.info rule; the optional "& ~" line that follows discards the message after it has been written, so the router's lines are not duplicated into /var/log/messages:
:fromhost-ip,isequal,"192.168.0.1" /var/log/router.log
& ~
There are many properties you can use to define remote logging rules; refer to the property replacer documentation: http://www.rsyslog.com/doc/property_replacer.html
4. Open firewall port 514 on TCP and UDP. On a stock CentOS 6 firewall the INPUT chain ends with a REJECT rule, so the rules are inserted (-I) rather than appended (-A), otherwise they would land after the REJECT and never match. Run "service iptables save" afterwards if the rules should survive a reboot:
$ iptables -I INPUT -m tcp -p tcp --dport 514 -j ACCEPT
$ iptables -I INPUT -m udp -p udp --dport 514 -j ACCEPT
5. Restart the Rsyslog daemon to apply the configuration:
$ service rsyslog restart
6. We also need to rotate this log file so it will not end up eating the server's disk space. Create a new text file called router under the /etc/logrotate.d/ directory:
$ vim /etc/logrotate.d/router
And add the following lines (rsyslog is sent a HUP after rotation so it reopens the new file):
/var/log/router.log {
    daily
    rotate 5
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
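Before touching the router it is worth confirming that the server really accepts a remote syslog message. The script below is an added example and not part of the original post: it builds a BSD-syslog (RFC 3164) line of the kind the router sends, with a PRI field computed as facility*8 + severity, and either sends it over UDP to a server address given on the command line or, with no argument, round-trips it through a listener on 127.0.0.1 so the format can be checked offline. The server IP 192.168.0.160 and hostname router.mynetwork.org are the values used above; the test message text is constructed.

```python
import socket
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_message(hostname, msg, facility="user", severity="info", when=None):
    """Build one BSD-syslog line: <PRI>Mmm dd HH:MM:SS hostname message."""
    when = when or datetime.now()
    # RFC 3164 timestamp: month abbreviation, day padded with a space (not a zero).
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{stamp} {hostname} {msg}"


def parse_pri(line):
    """Split '<PRI>rest' into (facility, severity, rest); reject malformed input."""
    if not line.startswith("<") or ">" not in line[:5]:
        raise ValueError("missing or malformed PRI field")
    pri_text, rest = line[1:].split(">", 1)
    pri = int(pri_text)
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    return pri // 8, pri % 8, rest


def send_udp(server_ip, line, port=514):
    """Send one syslog line over UDP, the same way the router or 'logger' would."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(line.encode("ascii"), (server_ip, port))
    finally:
        sock.close()


def loopback_roundtrip(line):
    """Run the send through a local UDP listener so the format can be checked offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port: no root needed, unlike 514
    listener.settimeout(2)
    try:
        port = listener.getsockname()[1]
        send_udp("127.0.0.1", line, port)
        data, _ = listener.recvfrom(4096)
    finally:
        listener.close()
    return data.decode("ascii")


if __name__ == "__main__":
    import sys
    # Usage: python syslog_check.py 192.168.0.160   (then: tail /var/log/router.log)
    # The message text below is constructed for this example.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    line = build_message("router.mynetwork.org", "system,info test message from rsyslog check")
    if target:
        send_udp(target, line)
        print("sent:", line)
    else:
        print("loopback:", loopback_roundtrip(line))
```

A message sent this way from a host outside the $AllowedSender list should be dropped by rsyslog, which is a useful second check. Note that the sender list only filters on the source IP of an unauthenticated UDP datagram; it is an access control for the log file, not proof that a line really came from the router.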
Router (Rsyslog Client)
1. The Mikrotik router supports remote logging. I just need to log in to Winbox > System > Logging and configure Actions as in the screenshot below:
2. Next, we need to create the rules that decide which logging topics and levels are sent to the rsyslog server. Go to Winbox > System > Logging and configure Rules as in the screenshot below:
Testing
Now the router should send its logs to the rsyslog server, and we can check them by running the following command:
$ tail -f /var/log/router.log
Jan 8 17:23:28 192.168.0.1 system,info log action changed by admin
Jan 8 17:26:09 192.168.0.1 system,info filter rule changed by admin
Jan 8 17:26:09 192.168.0.1 system,info filter rule changed by admin
Jan 8 17:26:23 192.168.0.1 system,info PPP AAA settings changed by admin
Jan 8 17:26:40 192.168.0.1 system,info L2TP Server settings changed by admin
Jan 8 17:26:49 192.168.0.1 system,info filter rule changed by admin
Jan 8 17:26:50 192.168.0.1 system,info filter rule changed by admin
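The report my boss asked for is not something tail -f produces. The script below is an added example, not part of the original post: it parses router.log lines of the shape written by RSYSLOG_TraditionalFileFormat (timestamp, host, RouterOS topic list such as "system,info", message), pulls the acting user out of "... by admin" and "... for user admin" messages, and summarises configuration changes and error/critical events. SAMPLE_LINES contains the seven lines shown above plus two constructed lines (a login failure and a malformed line) to exercise the error and unparsed paths; the message and address in the constructed lines are made up for this example.

```python
import re
import sys
from collections import Counter

# Line shape written by RSYSLOG_TraditionalFileFormat: "Mmm dd HH:MM:SS host topics message".
# RouterOS puts its topic list (e.g. "system,info") first; one topic is the severity.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<topics>[a-z0-9,]+) "
    r"(?P<msg>.+)$"
)
USER_RE = re.compile(r"(?: by | for user )(?P<user>\S+)")
SEVERITY_TOPICS = ("debug", "info", "warning", "error", "critical")


def parse_line(line):
    """Return a dict for one router.log line, or None if it does not fit the shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    topics = m.group("topics").split(",")
    severity = next((t for t in topics if t in SEVERITY_TOPICS), "unknown")
    user = USER_RE.search(m.group("msg"))
    return {
        "ts": re.sub(r"\s+", " ", m.group("ts")),
        "host": m.group("host"),
        "topics": [t for t in topics if t not in SEVERITY_TOPICS],
        "severity": severity,
        "msg": m.group("msg"),
        "user": user.group("user") if user else None,
    }


def audit_report(lines):
    """Summarise router.log lines: who changed what, how often, and what failed to parse."""
    events, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1          # counted, not silently dropped: gaps matter in an audit trail
        else:
            events.append(ev)
    return {
        "total": len(events),
        "unparsed": unparsed,
        "by_severity": Counter(e["severity"] for e in events),
        "by_user": Counter(e["user"] for e in events if e["user"]),
        "by_topic": Counter(t for e in events for t in e["topics"]),
        "changes": [e for e in events if "changed" in e["msg"]],
        "failures": [e for e in events if e["severity"] in ("error", "critical")],
    }


def format_report(report):
    """Render the summary as plain text suitable for pasting into the audit report."""
    out = [f"events parsed: {report['total']}  (unparsed lines: {report['unparsed']})"]
    out.append("by severity: " + ", ".join(f"{k}={v}" for k, v in sorted(report["by_severity"].items())))
    out.append("by user:     " + ", ".join(f"{k}={v}" for k, v in sorted(report["by_user"].items())))
    out.append("configuration changes:")
    out.extend(f"  {e['ts']} {e['user']}: {e['msg']}" for e in report["changes"])
    out.append("errors / critical:")
    out.extend(f"  {e['ts']} {e['msg']}" for e in report["failures"])
    return "\n".join(out)


# Seven lines from the tail output above, plus two constructed lines for this example.
SAMPLE_LINES = [
    "Jan 8 17:23:28 192.168.0.1 system,info log action changed by admin",
    "Jan 8 17:26:09 192.168.0.1 system,info filter rule changed by admin",
    "Jan 8 17:26:09 192.168.0.1 system,info filter rule changed by admin",
    "Jan 8 17:26:23 192.168.0.1 system,info PPP AAA settings changed by admin",
    "Jan 8 17:26:40 192.168.0.1 system,info L2TP Server settings changed by admin",
    "Jan 8 17:26:49 192.168.0.1 system,info filter rule changed by admin",
    "Jan 8 17:26:50 192.168.0.1 system,info filter rule changed by admin",
    "Jan  8 17:30:02 192.168.0.1 system,error,critical login failure for user admin from 192.168.0.55 via winbox",
    "this is not a router log line",
]

if __name__ == "__main__":
    # Usage: python router_audit.py /var/log/router.log  (defaults to SAMPLE_LINES)
    lines = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE_LINES
    print(format_report(audit_report(lines)))
```

The regex allows one or more spaces after the month because the traditional format pads single-digit days with a space ("Jan  8"); the lines above lost that padding when the post was published. Lines that do not parse are counted rather than ignored, since a sudden rise in unparsed lines is itself something an auditor should see.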