Skip to content

LEDE Remote Syslog

Sending router system logs to remote server using rsyslogEither 18.04 Server or the LXC snap has rsyslog installed. So getting syslog information from the admin firewall is pretty simple. Its possible that we may need to provide a server other than kb2018 to make this ideal however I wanted to make sure that the syslogs stayed on the admin lan.

Sending logs to remote server

Modify the log configuration entries to point to the remote syslog and selecting a port and protocol is all that is needed.

feurig@knight:~$ cat /etc/config/system

config system
    option hostname 'knight'
    option timezone 'PDT'
    option ttylogin '0'
    option log_size '64'
    option urandom_seed '0'
    option log_ip ''
    option log_port '514'
    option log_proto 'udp'

config timeserver 'ntp'
    option enabled '1'
    option enable_server '0'
    list server ''
    list server ''
    list server ''
    list server ''

Afterwords commit the configuration and restart the log daemon.

root@knight:/home/feurig# uci commit 
root@knight:/home/feurig# /etc/init.d/log enable
root@knight:/home/feurig# /etc/init.d/log restart

Configuring rsyslogd on the remote server

Once you swim through the bagillian conflicting howtoo's for the multiple versions of rsyslogd you add the following lines to /etc/rsyslog.conf and restart it.

root@kb2018:/var/log# nano /etc/rsyslog.conf 
# provides UDP syslog reception
input(type="imudp" port="514")

##Try exameple template for remote logs.
$template RemoteLogs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"

. ?RemoteLogs .... root@kb2018:/var/log# service rsyslog restart

And test it.

root@knight:/home/feurig# logger testlog meh

root@kb2018:/var/log# tail /var/log/knight/
dropbear.log  logread.log   root.log      sudo.log      
root@kb2018:/var/log# tail /var/log/knight/dropbear.log 
2018-12-21T18:50:54-08:00 knight dropbear[2465]: Exit (feurig): Keepalive timeout
2018-12-21T19:44:31-08:00 knight dropbear[2524]: Child connection from
2018-12-21T19:44:31-08:00 knight dropbear[2524]: Exit before auth: Exited normally
2018-12-21T20:02:11-08:00 knight dropbear[2541]: Child connection from
2018-12-21T20:02:12-08:00 knight dropbear[2541]: Exit before auth: Exited normally
2018-12-21T21:22:01-08:00 knight dropbear[2598]: Child connection from
2018-12-21T21:22:13-08:00 knight dropbear[2598]: Login attempt for nonexistent user from
2018-12-21T21:22:14-08:00 knight dropbear[2598]: Exit before auth: Disconnect received
2018-12-21T21:54:15-08:00 knight dropbear[2623]: Child connection from
2018-12-21T21:54:17-08:00 knight dropbear[2623]: Pubkey auth succeeded for 'feurig' with key sha1!! 2a:26:75:a7:ec:fe:92:f4:b5:64:2e:26:26:dd:12:e5:d5:68:4f:67 from
root@kb2018:/var/log# tail /var/log/knight/sudo.log 
2018-12-21T18:35:42-08:00 knight sudo:   feurig : TTY=pts/0 ; PWD=/home/feurig ; USER=root ; COMMAND=/bin/ash
2018-12-21T22:13:35-08:00 knight sudo:   feurig : TTY=pts/0 ; PWD=/home/feurig ; USER=root ; COMMAND=/sbin/uci commit
root@kb2018:/var/log# tail /var/log/knight/root.log 
2018-12-21T17:37:28-08:00 knight root: testLog “Blah1”
2018-12-21T18:35:54-08:00 knight root: testlog meh