Logging router events on an Ubuntu server, and checking with Logwatch
Submitted by Rory Jaffe on
Getting all the pieces working was complicated. There are four different things to set up:
- The router needs to forward the log to the syslog server — this is router-dependent so not described here
- The Linux server needs to accept the logs
- Logwatch needs to know what to do with the logs
- Logrotate needs to know what to do
Accepting the logs
Edit /etc/rsyslog.conf to provide UDP and TCP reception by uncommenting the input modules in the first section. In my case, the uncommented modules look like this:
# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
These directives use the legacy configuration syntax, which current rsyslog releases still accept; the RainerScript equivalents are module(load="imudp") with input(type="imudp" port="514"), and the same pair for imtcp. Be aware of what this opens up: rsyslog now listens on port 514 on every interface, and syslog over UDP carries no authentication, so any host that can reach the port can write lines into your logs. Restrict port 514 to the router's address with the host firewall (a ufw or iptables rule that admits only 192.168.0.1), and never expose it beyond the LAN. Restart rsyslog once the file is saved.
Add /etc/rsyslog.d/01router.conf to handle the incoming data before any of the other rules in rsyslog.d are executed (rsyslog includes /etc/rsyslog.d/*.conf in name order, and Ubuntu's default rules live in 50-default.conf, so the 01 prefix makes this file run first), with the following content:
#rules for netgear router to place in separate file
# do this in FRONT of the local/regular rules
if $fromhost-ip == '192.168.0.1' then /var/log/router.log
& ~
#& ~ means stop processing rules
The & ~ line discards the message once it has been written to router.log, so router traffic does not also land in /var/log/syslog; rsyslog 7 and later deprecate ~ in favour of & stop, which does the same thing. The match is on the sender's IP address as rsyslog sees it, which a UDP sender on the same network can spoof, so treat the contents of router.log as data from the network rather than as statements from a trusted device.
Telling logwatch what to do with the files
Add /etc/logwatch/conf/logfiles/netgear.conf containing
LogFile = router.log
Archive = router.log.?
Archive = router.log.?.gz
# Keep only the lines in the proper date range...
*ApplyStdDate
Add /etc/logwatch/conf/services/netgear.conf containing
Title = "netgear"
# Which logfile group...
LogFile = netgear
LogFile here names the logfile group defined by conf/logfiles/netgear.conf, not a path, which is why the two files share the basename netgear.
And, finally, add the code to process the log. This is what I put together:
In the file /etc/logwatch/scripts/services/netgear (make it executable). Logwatch feeds the selected log lines to the script on standard input and passes the requested detail level in LOGWATCH_DETAIL_LEVEL (0, 5 or 10 for --detail Low, Med and High). The sed patterns use a . in place of every space: $LASTACTION is expanded unquoted on the sed command line, so a real space inside a pattern would split it into two arguments.
#!/bin/sh
#
# variable initialization
#
SEDSCRIPT='/netgear.sed'
DIR="$( cd "$( dirname "$0" )" && pwd )"
LASTACTION=
: ${LOGWATCH_DETAIL_LEVEL:=5}
#
# is there a script for sed?
#
[ -s "${DIR}${SEDSCRIPT}" ] && LASTACTION="-f ${DIR}${SEDSCRIPT}"
#
# Should we remove some of the detail?
# These following lines wrap in the blog, but there are four lines
# of code. Each line should start with [ and end with /d"
# (a . stands for a space, because $LASTACTION is word-split below)
[ "$LOGWATCH_DETAIL_LEVEL" -lt 10 ] && LASTACTION="$LASTACTION -e /Receive.NTP.Reply/d;/Send.out.NTP.request/d"
[ "$LOGWATCH_DETAIL_LEVEL" -lt 8 ] && LASTACTION="$LASTACTION -e /DHCP.server.received.REQUEST.from/d"
[ "$LOGWATCH_DETAIL_LEVEL" -lt 5 ] && LASTACTION="$LASTACTION -e /\[UPnP.set.event/d"
[ "$LOGWATCH_DETAIL_LEVEL" -lt 3 ] && LASTACTION="$LASTACTION -e /DHCP.server/d"
#
# is there something to do after uniq?
# cut -c17- strips the 16-character syslog timestamp so that repeated
# events collapse into one counted line under uniq -c
#
if [ "$LASTACTION" ]
then
cut -c17- | sort | uniq -c | sed $LASTACTION
else
cut -c17- | sort | uniq -c
fi
In the file /etc/logwatch/scripts/services/netgear.sed I put code to give friendly names to known entities on the local network and other entities in the log (e.g., time servers). The dots in the IP addresses are escaped so that 192.168.0.3 matches only that address and not any other text that happens to fit the pattern:
s/12:34:6B:49:56:21/& T410s wifi /
s/12:43:06:4E:32:23/& Fred's iPad /
s/192\.168\.0\.3$/& Computer in office /
s/192\.168\.0\.8$/& Printer HP 7555 /
s/69\.25\.96\.13$/& nist1.symmetricom.com /
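The filter script and the sed name table above, reworked as an added example that is not the code from the original post: the same cut | sort | uniq -c | sed pipeline, but with the sed commands written to a temporary file and run with sed -f, so nothing depends on unquoted word splitting and the patterns can contain ordinary spaces. The log lines, MAC addresses, IPs and friendly names embedded in it are constructed for the example; it assumes only sed, sort, uniq and mktemp, which any Ubuntu system has.

```sh
#!/bin/sh
# Added example, not the script from the original post: the same
# cut | sort | uniq -c | sed pipeline the logwatch filter uses, reworked so
# the sed commands are written to a temporary script and run with sed -f.
# That removes the need to spell spaces as dots, because nothing here relies
# on unquoted word splitting of $LASTACTION. All log lines, MAC addresses,
# IPs and friendly names below are constructed for the example.

# Constructed router log lines as rsyslog writes them to /var/log/router.log:
# a 16-character "Mon DD HH:MM:SS " timestamp, then the router's message.
SAMPLE_LOG='Jan 10 03:15:01 DHCP server received REQUEST from 12:34:6B:49:56:21
Jan 10 03:15:02 DHCP server sent ACK to 192.168.0.3
Jan 10 03:16:00 Send out NTP request to 69.25.96.13
Jan 10 03:16:01 Receive NTP Reply from 69.25.96.13
Jan 10 03:17:01 DHCP server received REQUEST from 12:34:6B:49:56:21
Jan 10 03:18:00 [UPnP set event] add_nat_rule from 192.168.0.8
Jan 10 03:19:00 [DoS attack] SYN Flood from 203.0.113.7'

# Friendly-name substitutions, the role netgear.sed plays. Dots in the IP
# addresses are escaped and the match is anchored at end of line, so
# 192.168.0.3 does not also annotate 192.168.0.30 or similar text.
FRIENDLY_NAMES='s/12:34:6B:49:56:21$/& (T410s wifi)/
s/192\.168\.0\.3$/& (Computer in office)/
s/192\.168\.0\.8$/& (Printer HP 7555)/
s/69\.25\.96\.13$/& (nist1.symmetricom.com)/'

# netgear_filter LEVEL: read router log lines on stdin and write the
# summary logwatch would mail, trimmed according to the detail level
# (logwatch passes 0, 5 or 10 for Low, Med and High in LOGWATCH_DETAIL_LEVEL).
netgear_filter() {
    level="$1"
    script="$(mktemp)" || return 1
    printf '%s\n' "$FRIENDLY_NAMES" > "$script"
    # The same thresholds as the logwatch script. Because the commands go
    # through a file rather than the command line, the patterns can contain
    # real spaces and stay readable.
    [ "$level" -lt 10 ] && printf '%s\n' '/Receive NTP Reply/d' '/Send out NTP request/d' >> "$script"
    [ "$level" -lt 8 ]  && printf '%s\n' '/DHCP server received REQUEST from/d' >> "$script"
    [ "$level" -lt 5 ]  && printf '%s\n' '/\[UPnP set event/d' >> "$script"
    [ "$level" -lt 3 ]  && printf '%s\n' '/DHCP server/d' >> "$script"
    # Strip the timestamp, collapse repeats into counts, then annotate/delete.
    # The router's text is untrusted input; it is only ever data to sed here,
    # never part of the sed program, so log content cannot alter the filter.
    cut -c17- | sort | uniq -c | sed -f "$script"
    status=$?
    rm -f "$script"
    return "$status"
}

# netgear_filter_count LEVEL: number of summary lines left at that level,
# using the constructed sample above.
netgear_filter_count() {
    printf '%s\n' "$SAMPLE_LOG" | netgear_filter "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: the Med-detail (5) summary of the sample.
printf '%s\n' "$SAMPLE_LOG" | netgear_filter 5
```

Run it as-is to see the Med-detail summary of the sample; to check a real box, pipe /var/log/router.log into netgear_filter with the level you want and compare against what logwatch mails. The same shape drops into /etc/logwatch/scripts/services/netgear: take the lines from standard input instead of SAMPLE_LOG and copy netgear.sed into the temporary script instead of FRIENDLY_NAMES.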
Logrotate
In /etc/logrotate.d, add the following (I have it in the file "custom")
/var/log/router.log {
rotate 5
weekly
compress
missingok
notifempty
create 640 syslog adm
}
The create line matches the owner, group and mode rsyslog uses for its own files on Ubuntu, so the router log stays readable by the adm group and nobody else. Nothing in this entry tells rsyslog that the file has been rotated, though: rsyslog keeps its existing file handle and carries on writing to the renamed router.log.1 until it is told to reopen. Either copy the postrotate stanza from Ubuntu's own /etc/logrotate.d/rsyslog into this entry, or add /var/log/router.log to the list of files at the top of that file so it is rotated together with the rest of the syslog output.