
Thread: HOWTO: install syslog-ng

  1. #1

    HOWTO: install syslog-ng

    HOWTO: install syslog-ng on a WL700gE
    2007-08-23 tiwag

    preferences:
    install kfurge's modified firmware WL700gE_1.0.4.6_kc_02a
    http://home.comcast.net/~kfurge/wl700g.html

    installation:
    1. install syslog-ng from http://ipkg.nslu2-linux.org/feeds/op...table/Packages
    Code:
    	root$ ipkg update
    	root$ ipkg install syslog-ng
    this installs syslog-ng version 2.0.4-2 (at the time of writing)

    there will be an error message when running the postinstall script

    2. edit the postinstall-script
    so that the ipkg installation can be run and terminated successfully

    here is a copy of mine:

    Code:
    #!/bin/sh
    ###############################################################################
    # /opt/lib/ipkg/info/syslog-ng.postinst
    # 2007-08-23 tiwag
    # 
    # modified ipkg postinstall script for syslog-ng used on WL700g
    #
    
    echo
    echo "How to use syslog-ng on a WL700gE"
    echo "1. kill syslogd before you start syslog-ng."
    echo "   $ killall syslogd"
    echo "2. Edit the file /opt/etc/init.d/S01syslog-ng."
    echo "   add the path to the configuration file"
    echo "   /opt/sbin/syslog-ng -f /opt/etc/syslog-ng/syslog-ng.conf"
    echo "3. run /opt/etc/init.d/S01syslog-ng."
    echo
    echo "Log files will be created by default at /opt/var/log."
    echo

    3. finish the ipkg installation
    Code:
    	root$ ipkg install syslog-ng
    finishes installation without an error message


    4. edit the startup-script
    by default syslog-ng_2.0.4-2 expects its config-file
    in /opt/etc/syslog-ng.conf (bug?), but the ipkg installer
    installs it in /opt/etc/syslog-ng/syslog-ng.conf.
    run syslog-ng with the proper path to the config-file

    example of my startup script:


    Code:
    #!/bin/sh
    ###############################################################################
    # /opt/etc/init.d/S01syslog-ng
    # 2007-08-23 tiwag
    # 
    # Startup script for syslog-ng used on WL700g
    #
    
    # Stop syslogd if running
    if [ -n "`pidof syslogd`" ]; then
        /bin/killall syslogd 2>/dev/null
        sleep 2
    fi
    
    
    # Stop itself if running
    if [ -n "`pidof syslog-ng`" ]; then
        /bin/killall syslog-ng 2>/dev/null
        sleep 2
    fi
    
    # start syslog-ng with path to syslog-ng.conf file
    /opt/sbin/syslog-ng -f /opt/etc/syslog-ng/syslog-ng.conf
    sleep 2


    5. run the startup-script and test syslog-ng,

    the syslog can be viewed e.g. with
    Code:
    	root$ cat /opt/var/log/syslog
    if everything works as you expected, add the startup script
    for syslog-ng to your rc.local file and reboot your brick


    HTH, brgds,

    --
    tiwag



    ps.
    now i'm going to install fail2ban ... wish me luck !
    Last edited by tiwag; 23-08-2007 at 11:50.

  2. #2
    Quote Originally Posted by tiwag View Post
    ps.
    now i'm going to install fail2ban ... wish me luck !
    I have it running on my 700ge and it works great! Finally stopping the brute force attacks against vsftpd!

    Hopefully it runs as well for you.

  3. #3
    Quote Originally Posted by medsource View Post
    I have it running on my 700ge and it works great! Finally stopping the brute force attacks against vsftpd!
    ...
    it's nice that it works well for you,

    started another thread where the fail2ban info can go
    http://wl500g.info/showthread.php?t=10400

    brgds

    --

    tiwag
    Last edited by tiwag; 23-08-2007 at 19:15. Reason: updated info on fail2ban thread

  4. #4
    Hey, thanks so much for the how-to! I have syslog-ng running nicely, however I can no longer see the logs in the web interface. I'm assuming it's just because the logs are now being put someplace different? Is there a way to fix this? Where is it expecting to see the log files, and will I break things if I move it there?

    Thanks!


  5. #5

    Getting syslog to email alerts / daily syslogs

    Ok, so as an alternative to viewing the logs in the web interface I've been trying to set up a way to email alerts and daily syslogs. I can see where to set up at least the alerts within syslog-ng but I have no idea how to make the mail part happen. I understand I'll need to connect out to a remote SMTP server (my ISP has one and I know the hostname and authentication pieces), but I'm not sure how to go about making that work. I've installed sendmail and played around with it a bit, but really am too green to figure out how to use it to connect out to a remote SMTP server. Can someone point me in the right direction? I'll be happy to write a HOW-TO once I can get this all figured out.

    Thanks!

  6. #6
    i've installed successfully and use the package esmtp.
    it is not an email (or smtp) server but it is an smtp relay client.
    with esmtp you can send mails using your already existing email account with any provider which allows smtp.

    you can install it with "ipkg install esmtp"

    then you need to edit the file /opt/etc/esmtprc with your account info
    Code:
    # /opt/etc/esmtprc
    #

    identity = username@email.org
    hostname = smtphost.email.org:25
    username = "username"
    password = "password"

    after that you can use it like sendmail

    example: sending a mail to user@mail.com, note the two "\n\n" before the Message text !!
    Code:
    	echo -e "From: me\nTo: user@mail.com\nSubject: test\n\nMessage: hello world" | sendmail user@mail.com
    Last edited by tiwag; 23-09-2007 at 08:55.
    tiwag

  7. #7
    You rock tiwag! It works just dandy for me! I'm going to create filter(s) now and get syslog-ng sending me alerts. Any idea how I'd get it to send daily log digests?

    Thanks!!


  8. #8
    So, I'm now able to get syslog-ng sending email alerts when certain simple things happen (like authentication), but I'm not sure how to get it to detect 'attacks'. Any idea how I would do that? By the way, the perl script that I call from syslog-ng.conf is here (I modified someone else's to work with esmtp):

    Code:
    #!/opt/bin/perl -n
    # thanks to Brian Dowling for an example with security in mind.
    # syslog-ng pipes each matching log line into this script; with -n the
    # code below runs once per input line and mails that line via esmtp.
    
    $TO = 'user@mail.com';
    $FROM = 'user@smtphost.net';
    
    # strip the leading syslog priority tag, e.g. "<86>" (can be 1-3 digits)
    s/^<\d{1,3}>//;
    
    # esmtp's sendmail wrapper takes the recipients from the headers (-t)
    open(MAIL, "|/opt/sbin/sendmail -t") or die "cannot run sendmail: $!";
    
    print MAIL << "EOT";
    From: $FROM
    To: $TO
    Subject: Email Alert:
    
    Message: $_
    
    EOT
    # close the pipe so the mail is handed over before the next line arrives
    close(MAIL);

  9. #9
    Quote Originally Posted by Maccro View Post
    ... I'm not sure how to get it to detect 'attacks'. Any idea how I would do that? ...
    yes i did install syslog-ng and fail2ban in order to be able to detect attacks
    and ban attacking ip-addresses.

    for me this works with dropbear and vsftpd


    i'm using this configuration:

    syslog-ng config file:
    Code:
    ################################################################################
    # Syslog-ng configuration for WL700g
    # /opt/etc/syslog-ng/syslog-ng.conf
    #
    
    ###############################################################################
    # tiwag's active filters and logs
    #
    
    options { long_hostnames(off); sync(0); };
    
    #source src { pipe("/proc/kmsg");unix-stream("/dev/log"); internal(); };
    source src { file("/proc/kmsg");unix-stream("/dev/log"); internal(); };
    source net { udp(); };
    
    destination mysyslog {
      file("/opt/var/log/syslog-ng.log"
        owner("root")
        group("root")
        perm(0640)
        template("{$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC}{PRI:$PRIORITY}{FAC:$FACILITY}{PRG:$PROGRAM}{{{ $MESSAGE }}}\n")
      ); 
    };
    
    destination authwarnlog { 
      file("/opt/var/log/authwarn.log"
        owner("root")
        group("root")
        perm(0640)
        template("{$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC}{PRI:$PRIORITY}{FAC:$FACILITY}{PRG:$PROGRAM}{{{ $MESSAGE }}}\n")
      ); 
    };
    
    destination vsftpdlog   { file("/opt/var/log/vsftpd.log");   };
    destination dropbearlog { file("/opt/var/log/dropbear.log"); };
    destination cronlog     { file("/opt/var/log/cron.log");     };
    
    
    filter f_ni_syslog-ng { not ( level(info) and program(syslog-ng) ); };
    filter f_ni_thttpd    { not ( level(info) and program(thttpd)    ); };
    filter f_ni_vsftpd    { not ( level(info) and program(vsftpd)    ); };
    
    filter f_vsftpd   { ( program(vsftpd)   ); };
    filter f_dropbear { ( program(dropbear) ); };
    filter f_authwarn { (   ( ( level(info) or level(warning) 
                              ) and program(dropbear) 
                            ) 
                         or ( ( level(warning)
                              ) and  program(vsftpd) 
                            ) 
                        ); };
    
    filter f_ni_cron { not ( level(info) and  facility(cron) ); };
    filter f_cron { program(cron); };
    
    ###############################################################################
    # active logs
    #
    
    log { source(src); 
          filter(f_ni_vsftpd); 
          filter(f_ni_thttpd); 
          filter(f_ni_syslog-ng); 
    #      filter(f_ni_cron);
          destination(mysyslog); };
    
    log { source(src); 
          filter(f_vsftpd);   
          destination(vsftpdlog); };
    
    log { source(src); 
          filter(f_dropbear); 
          destination(dropbearlog); };
    
    log { source(src); 
          filter(f_authwarn); 
          destination(authwarnlog); };
    
    log { source(src); 
          filter(f_cron); 
          destination(cronlog); };

    fail2ban config and filter files

    Code:
    ###############################################################################
    # Fail2Ban configuration file
    # /opt/etc/fail2ban/jail.conf
    #
    
    # The DEFAULT allows a global definition of the options. They can be overridden
    # in each jail afterwards.
    
    [DEFAULT]
    
    # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
    # ban a host which matches an address in this list. Several addresses can be
    # defined using space separator.
    ignoreip = 127.0.0.1
    
    # "bantime" is the number of seconds that a host is banned.
    #bantime  = 1800
    
    
    # A host is banned if it has generated "maxretry" during the last "findtime"
    # seconds.
    findtime  = 300
    
    # "maxretry" is the number of failures before a host gets banned.
    maxretry = 3
    
    # "backend" specifies the backend used to get files modification. Available
    # options are "gamin", "polling" and "auto". This option can be overridden in
    # each jail too (use "gamin" for a jail and "polling" for another).
    #
    # gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
    #          is not installed, Fail2ban will use polling.
    # polling: uses a polling algorithm which does not require external libraries.
    # auto:    will choose Gamin if available and polling otherwise.
    backend = auto
    
    
    ###############################################################################
    # enabled jails
    #
    
    [vsftpd-iptables]
    
    enabled  = true
    filter   = vsftpd
    action   = iptables[name=VSFTPD, port=ftp, protocol=tcp]
    #           sendmail-whois[name=VSFTPD, dest=you@mail.com]
    logpath  = /opt/var/log/authwarn.log
    maxretry = 3
    bantime  = 1800
    
    
    [dropbear-iptables]
    
    enabled  = true
    filter   = dropbear
    action   = iptables[name=DROPBEAR, port=ssh, protocol=tcp]
    #           sendmail-whois[name=DROPBEAR, dest=you@mail.com]
    logpath  = /opt/var/log/authwarn.log
    maxretry = 3
    bantime  = 1800

    Code:
    # Fail2Ban configuration file
    # /opt/etc/fail2ban/filter.d/vsftpd.conf
    #
    
    [Definition]
    
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    #
    failregex = {.*}{PRI:warning}{FAC:ftp}{PRG:vsftpd}{{{ vsftpd: .* FAIL LOGIN: Client \\"<HOST>\\" }}}$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

    Code:
    # Fail2Ban configuration file
    # /opt/etc/fail2ban/filter.d/dropbear.conf
    #
    
    [Definition]
    
    # Option: failregex
    # Notes.: regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values: TEXT
    #
    failregex = {.*}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: login attempt .* from <HOST>:.* }}}$
                {.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth \(user .* fails\): Disconnect received from IP <HOST>:.* }}}$
                {.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Timeout before auth from IP <HOST>:.* }}}$
                {.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Disconnect received from IP <HOST>:.* }}}$
    
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    #
    ignoreregex =

    with this config i can detect attacks and ban the attacking ip-addresses very fine. but it was also necessary to patch dropbear in order to print the IP-addresses for any attack-attempts, where a known username was used.

    see the attached files for the dropbear patch

    brgds
    tiwag
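    As an added example (not from the thread and not fail2ban's own code), the following Python script replays the dropbear failregex lines and the jail.conf thresholds from the config above (findtime 300, maxretry 3, ignoreip 127.0.0.1) over constructed log lines in the same syslog-ng template format, expanding <HOST> the way fail2ban does, so a filter can be checked offline before the jail is switched on. The sample lines, PIDs and addresses are constructed, and "ban once the count reaches maxretry inside findtime" is an assumption about fail2ban's counting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# fail2ban expands the <HOST> tag to this group before compiling a failregex.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# failregex lines copied from the thread's filter.d/dropbear.conf
DROPBEAR_FAILREGEX = [
    r"{.*}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: login attempt .* from <HOST>:.* }}}$",
    r"{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth \(user .* fails\): Disconnect received from IP <HOST>:.* }}}$",
    r"{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Timeout before auth from IP <HOST>:.* }}}$",
    r"{.*}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear\[[0-9]*\]: exit before auth: Disconnect received from IP <HOST>:.* }}}$",
]

# Constructed sample of /opt/var/log/authwarn.log in the template format
# {date}{PRI:..}{FAC:..}{PRG:..}{{{ msg }}}; PIDs and addresses are made up.
SAMPLE_LOG = """\
{2007-10-03 10:50:40}{PRI:warning}{FAC:kern}{PRG:kernel}{{{ change ip from 90177054 to 90177054 }}}
{2007-10-03 10:51:02}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1234]: login attempt for nonexistent user from 203.0.113.7:51234 }}}
{2007-10-03 10:51:10}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1235]: exit before auth (user 'root', 1 fails): Disconnect received from IP 203.0.113.7:51235 }}}
{2007-10-03 10:51:30}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1236]: exit before auth: Timeout before auth from IP 203.0.113.7:51236 }}}
{2007-10-03 10:52:00}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1237]: exit before auth: Disconnect received from IP 198.51.100.9:40000 }}}
{2007-10-03 10:53:00}{PRI:warning}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1238]: login attempt for nonexistent user from 127.0.0.1:3333 }}}
{2007-10-03 11:30:00}{PRI:info}{FAC:authpriv}{PRG:dropbear}{{{ dropbear[1240]: exit before auth: Disconnect received from IP 198.51.100.9:40001 }}}
"""

# the template starts every line with {YYYY-MM-DD HH:MM:SS}
TIMESTAMP_RE = re.compile(r"^\{(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\}")


def compile_failregex(patterns):
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def scan(log_text, patterns=DROPBEAR_FAILREGEX, findtime=300, maxretry=3,
         ignoreip=("127.0.0.1",)):
    """Return {host: time of ban} for hosts reaching maxretry matches within
    findtime seconds (assumed to be how fail2ban applies jail.conf)."""
    regexes = compile_failregex(patterns)
    recent = defaultdict(deque)  # host -> timestamps of failures in window
    banned = {}
    for line in log_text.splitlines():
        ts = TIMESTAMP_RE.match(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
        for rx in regexes:
            m = rx.match(line)
            if m:
                host = m.group("host")
                break
        else:
            continue  # not a failure line
        if host in ignoreip or host in banned:
            continue
        window = recent[host]
        window.append(when)
        while (when - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned[host] = when
    return banned
```

    Calling scan(SAMPLE_LOG) reports only 203.0.113.7 (three matches within 28 seconds); 198.51.100.9 has two matches 38 minutes apart and stays unbanned, and 127.0.0.1 is skipped by ignoreip.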

  10. #10
    @tiwag or someone else:

    is it possible to log with syslog-ng why the internet connection is broken by the router to wan? because when i turn off/on the cable modem it works again (and the problem isn't the modem!).

    thanks in advance

    grat182

  11. #11
    i don't know if there is a log why your connection breaks down,

    basically kernel messages are logged and look like this:
    {2007-10-03 10:50:40}{PRI:warning}{FAC:kern}{PRG:kernel}{{{ change ip from 90177054 to 90177054 }}}
    e.g. in my logs i have the ip-address-renewal logged, which seems to appear every 24 hours.
    i always get the same ip as before because i have a static ip.

    brgds
    tiwag

  12. #12
    I'm just curious here but does this work with the wl500g premium?
