Logging router events on an Ubuntu server, and checking with Logwatch

Getting all the pieces working was complicated. There are four different things to set up:

  1. The router needs to forward the log to the syslog server — this is router-dependent so not described here
  2. The Linux server needs to accept the logs
  3. Logwatch needs to know what to do with the logs
  4. Logrotate needs to rotate the new log file (and tell rsyslog to reopen it)

Accepting the logs

Edit /etc/rsyslog.conf to provide UDP and TCP reception by uncommenting the modules in the first section. (This is the older $ModLoad syntax; recent rsyslog releases also accept module(load=...) and input(...) statements, and still read the old form.) As written these listeners bind to every interface, so anything that can reach the server on 514/udp or 514/tcp can feed it syslog lines; if the router only sends UDP, leave the TCP module commented out and restrict the UDP listener as described below. In my case, the uncommented modules look like this:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514


Add /etc/rsyslog.d/01router.conf to handle the incoming data before any of the other rules in rsyslog.d are executed. rsyslog reads that directory in lexical order, so the 01 prefix makes this file run before Ubuntu's 50-default.conf and keeps the router lines out of /var/log/syslog. The file contains:

# rules for the netgear router, kept in a separate file
# do this in FRONT of the local/regular rules
# the source address is the only thing identifying the router here; UDP
# source addresses can be spoofed, so any host on the LAN can write into
# router.log unless the listener is also restricted (see below)
if $fromhost-ip == '192.168.0.1' then /var/log/router.log
& ~
# "& ~" discards the message so no later rule sees it; rsyslog 7 and later
# spell this "& stop" (the "~" form still works but logs a deprecation warning)
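Because the router rule above trusts nothing but a source address, the listener itself should be narrowed. The following is an added example in the same legacy rsyslog syntax, not configuration from the original post: it binds the UDP receiver to the server's LAN address only and accepts datagrams only from the router. The server address 192.168.0.2 is an assumption; 192.168.0.1 is the router address used above.

```conf
# /etc/rsyslog.conf, first section (added example; 192.168.0.2 is an assumed
# LAN address of the Ubuntu server)
$ModLoad imudp
# bind to the LAN address instead of every interface, so 514/udp is not
# reachable from any other network the server is attached to
$UDPServerAddress 192.168.0.2
# accept datagrams only from the router; others are dropped before any rule
# in rsyslog.d runs. Keep this and $UDPServerAddress before $UDPServerRun.
$AllowedSender UDP, 192.168.0.1
$UDPServerRun 514
# leave the TCP listener disabled unless the router actually uses it
#$ModLoad imtcp
#$InputTCPServerRun 514
```

$AllowedSender is an old directive kept for compatibility and it still only checks the (spoofable) source address, so back it up with a host firewall rule such as ufw allow from 192.168.0.1 to any port 514 proto udp, with 514/udp otherwise closed. On rsyslog 7 and later the same listener can be written as input(type="imudp" port="514" address="192.168.0.2").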



Telling logwatch what to do with the files


Add /etc/logwatch/conf/logfiles/netgear.conf containing the following (LogFile and Archive paths are relative to /var/log; the Archive patterns must match the names logrotate produces):

LogFile = router.log
Archive = router.log.?
Archive = router.log.?.gz
# Keep only the lines in the proper date range
*ApplyStdDate


Add /etc/logwatch/conf/services/netgear.conf containing

Title = "netgear"

# Which logfile group
LogFile = netgear


And, finally, add the script that processes the log. Logwatch feeds it the selected log lines on standard input and the detail level in LOGWATCH_DETAIL_LEVEL, and it must be executable (chmod +x). This is what I put together, in the file /etc/logwatch/scripts/services/netgear:

#!/bin/sh
#
# variable initialization
#
SEDSCRIPT='/netgear.sed'
DIR="$( cd "$( dirname "$0" )" && pwd )"
LASTACTION=
: ${LOGWATCH_DETAIL_LEVEL:=5}
# the sed expressions are expanded unquoted below, so turn off globbing
set -f

#
# is there a script for sed?
#
[ -s "${DIR}${SEDSCRIPT}" ] && LASTACTION="-f ${DIR}${SEDSCRIPT}"

#
# Should we remove some of the detail?
# (These lines wrap in the blog, but there are four lines of code; each
# starts with [ and ends with /d")
#
[ "$LOGWATCH_DETAIL_LEVEL" -lt 10 ] && LASTACTION="$LASTACTION -e /Receive.NTP.Reply/d;/Send.out.NTP.request/d"
[ "$LOGWATCH_DETAIL_LEVEL" -lt 8 ] && LASTACTION="$LASTACTION -e /DHCP.server.received.REQUEST.from................../d"
[ "$LOGWATCH_DETAIL_LEVEL" -lt 5 ] && LASTACTION="$LASTACTION -e /\[UPnP.set.event/d"
[ "$LOGWATCH_DETAIL_LEVEL" -lt 3 ] && LASTACTION="$LASTACTION -e /DHCP.server/d"

#
# is there something to do after uniq?
# cut -c17- strips the "Mmm dd hh:mm:ss " timestamp so that repeated
# events collapse into one counted line
#
if [ "$LASTACTION" ]
then
    cut -c17- | sort | uniq -c | sed $LASTACTION
else
    cut -c17- | sort | uniq -c
fi


In the file /etc/logwatch/scripts/services/netgear.sed I put substitutions that give friendly names to known entities on the local network and to other entities in the log (e.g., time servers):


s/12:34:6B:49:56:21/& T410s wifi /
s/12:43:06:4E:32:23/& Fred's iPad /
s/192.168.0.3$/& Computer in office /
s/192.168.0.8$/& Printer HP 7555 /
s/69.25.96.13$/& nist1.symmetricom.com /
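To see what the netgear script and the sed file above actually produce, here is the same pipeline (strip the timestamp, count identical events, drop noise according to the detail level, apply the friendly-name substitutions) packaged as a function that can be run over any input. This is an added example, not code from the original post: the router message formats, MAC addresses and IP addresses in SAMPLE_LOG are constructed for the example and are assumptions about what the router logs.

```shell
#!/bin/sh
# Added example (not the script from the original post): the netgear service
# script's pipeline as a reusable function, run over constructed sample lines.

# Constructed sample of lines as rsyslog writes them to /var/log/router.log
# (traditional "Mmm dd hh:mm:ss host message" format; the timestamp plus
# trailing space is 16 characters, which is why cut -c17- works)
SAMPLE_LOG='Mar  3 10:00:01 router [DHCP IP: (192.168.0.3)] to MAC address 12:34:6B:49:56:21
Mar  3 10:00:02 router [DHCP IP: (192.168.0.3)] to MAC address 12:34:6B:49:56:21
Mar  3 10:05:00 router Receive NTP Reply from 69.25.96.13
Mar  3 10:05:00 router Send out NTP request to 69.25.96.13
Mar  3 10:10:10 router DHCP server received REQUEST from 12:43:06:4E:32:23
Mar  3 10:10:11 router DHCP server sent ACK to 192.168.0.3
Mar  3 10:12:00 router [UPnP set event: add_nat_rule] from source 192.168.0.8
Mar  3 10:15:00 router [DoS attack: SYN Flood] from source 203.0.113.5'

# summarize_router_log LEVEL [SEDSCRIPT]
#   LEVEL      logwatch detail level (0..10; higher keeps more)
#   SEDSCRIPT  optional sed file with friendly-name substitutions (netgear.sed)
# Reads router.log lines on stdin and writes "count message" lines on stdout.
summarize_router_log() {
    level=$1
    names=${2:-}
    # Build sed's argument list in "$@" instead of one unquoted string, so
    # patterns containing [ or spaces survive without having to disable
    # globbing; each [ ... ] && set -- line mirrors one rule in the script.
    set --
    [ -s "$names" ] && set -- -f "$names"
    [ "$level" -lt 10 ] && set -- "$@" -e '/Receive.NTP.Reply/d;/Send.out.NTP.request/d'
    [ "$level" -lt 8 ]  && set -- "$@" -e '/DHCP.server.received.REQUEST.from/d'
    [ "$level" -lt 5 ]  && set -- "$@" -e '/\[UPnP.set.event/d'
    [ "$level" -lt 3 ]  && set -- "$@" -e '/DHCP.server/d'
    # drop the timestamp so identical events collapse under uniq -c
    if [ $# -gt 0 ]; then
        cut -c17- | sort | uniq -c | sed "$@"
    else
        cut -c17- | sort | uniq -c
    fi
}

# Run at the default detail level when executed directly
printf '%s\n' "$SAMPLE_LOG" | summarize_router_log "${LOGWATCH_DETAIL_LEVEL:-5}"
```

At level 10 every distinct message survives (the two identical DHCP lease lines become one line counted 2); at the default level 5 the NTP chatter and DHCP REQUESTs are gone; at level 2 the UPnP and remaining DHCP server lines go too, leaving only the lease and the DoS line. The "$@" construction is the reason this version does not need the set -f that the unquoted $LASTACTION expansion in the page's script relies on.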

 

Logrotate


In /etc/logrotate.d, add the following (I have it in the file "custom"). The postrotate block matters: rsyslog keeps the old file descriptor open, so without it the daemon carries on writing to router.log.1 and the new router.log stays empty until the next restart. Use the same command that /etc/logrotate.d/rsyslog uses on your release (recent Ubuntu releases ship /usr/lib/rsyslog/rsyslog-rotate; older ones use invoke-rc.d rsyslog rotate).
 

/var/log/router.log {
  rotate 5
  weekly
  compress
  missingok
  notifempty
  create 640 syslog adm
  postrotate
    # make rsyslog reopen router.log after the rename, as Ubuntu's own
    # /etc/logrotate.d/rsyslog does
    /usr/lib/rsyslog/rsyslog-rotate
  endscript
}
