how to syslog to windows

Discussion in 'Tomato Firmware' started by petm, Oct 13, 2010.

  1. petm

    petm Networkin' Nut Member

    i was looking at the administration/logging options and decided to try remote logging. i installed syslogd-win32 (http://syslog-win32.sourceforge.net/) and ran it with this config file:
    <conf>
    <source name="src_udp" type="udp"/>
    <destination name="logfile" file="syslog.txt" rotate="weekly" backlogs="4"/>
    <logpath source="src_udp" destination="logfile"/>
    <options logdir="log"/>
    </conf>

    if i send messages using the bundled test tool, they land in the log file. on the router i set remote logging to 192.168.1.2:514, that's the ip of the computer i am running syslogd on and the port it defaults to.

    but no log messages from the router appear in my log file.

    how can i debug this situation? how do i know if the messages are sent and why they are not received/written?

    does anyone have this working?
     
  2. rhester72

    rhester72 Network Guru Member

    Do a Wireshark capture on the Windows box and see if you can see the incoming UDP packets on port 514.

    Rodney
     
  3. pfoomer

    pfoomer LI Guru Member

    Yes, I do.

    You need to put the ip address of the system receiving the syslog traffic
    in the field in the router's Administration/logging page, and also check the log to remote box on the same page.

    Ideally you should be able to put in the broadcast address, for example 192.168.1.255, and then all receivers would get it, but it's not supported.
     
  4. petm

    petm Networkin' Nut Member

    pfoomer, that's what i did. but i probably have something missing on the other hand. is there maybe a need to specify the source on the logging machine?

    *off googling wireshark*
     
  5. pfoomer

    pfoomer LI Guru Member

    Hi

    Not that I am aware of. I collect the traffic using a program I wrote; it just listens on port 514.

    If you reboot your router you should see loads of stuff, but maybe the receiver is not set up to get all the traffic types, for example there are various levels of priority and facility in the message that may be ignored by the receiver.

    Ideally the receiver should initially be set to display all, I tested the output from the router with the kiwi free syslogger.
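    A minimal Windows-side collector of the kind described above (listen on UDP/514, keep every message whatever its priority, decode the facility.severity from the <PRI> header so nothing is silently dropped). This is an added example, not pfoomer's program or syslogd-win32; the sample lines in the comments are constructed from the router entries quoted in this thread.

    ```python
    import re
    import socket

    # RFC 3164 facility and severity names, indexed by their numeric code.
    FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5",
                  "local6", "local7"]
    SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

    PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


    def decode_pri(raw):
        """Split a BSD-syslog datagram into (facility, severity, rest).

        "<46>Oct 13 22:30:01 router root: -- MARK --"  -> syslog.info (5*8+6)
        "<75>Oct 13 21:00:01 router crond[9137]: ..."  -> cron.err    (9*8+3)
        A datagram with no valid <PRI> header is treated as user.notice,
        the default RFC 3164 tells a receiver to assume, and kept verbatim.
        """
        m = PRI_RE.match(raw)
        if not m or int(m.group(1)) > 191:
            return "user", "notice", raw
        pri = int(m.group(1))
        return FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2)


    def listen(bind_addr="0.0.0.0", port=514, logfile="syslog_all.txt"):
        """Accept every UDP datagram on the syslog port and append it, tagged
        with sender address and decoded facility.severity, to logfile.
        No filtering is applied, so the first message from the router is
        visible even if its priority would be ignored by a stricter receiver.
        Binding to 514 usually needs administrator rights on Windows."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind((bind_addr, port))
        with open(logfile, "a", encoding="utf-8") as out:
            while True:
                data, (src_ip, _) = sock.recvfrom(4096)
                fac, sev, body = decode_pri(data.decode("utf-8", errors="replace"))
                out.write(f"{src_ip} {fac}.{sev} {body.rstrip()}\n")
                out.flush()


    if __name__ == "__main__":
        listen()
    ```

    If the file stays empty while Wireshark shows UDP/514 arriving, the problem is on the Windows side (firewall or another listener already bound to 514); if nothing arrives at all, the router is not sending.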
     
  6. petm

    petm Networkin' Nut Member

    i installed wireshark, deactivated promiscuity since i'm wireless and see lots of traffic. absolutely no udp packets though.

    to check if anything should be logged i looked in the local log on the router and came across this line:
    Oct 13 21:00:01 router cron.err crond[9137]: USER root pid 9444 cmd logger -p syslog.info -- -- MARK --

    does this have to do with the current problem?

    i'll try the kiwi server, maybe it accidentally configures something right.
     
  7. pfoomer

    pfoomer LI Guru Member

    Administration/Logging is where you can set MARK times. I do not use internal logging, but looking at the timestamp this appears normal.

    Also on this page you can set up events to log, and also what firewall events to log.
     
  8. petm

    petm Networkin' Nut Member

    this is not about the MARK but about the cron.err and syslog.
    thanks for pointing me to the administration/logging, but i had already found that.
     
  9. pfoomer

    pfoomer LI Guru Member

    Hi

    The MARK is seen every 30 mins, via syslog to my collector, so I assume it will be on the internal log as well.

    Why the cron error? I assume, as the MARK is time related, cron will have a part to play in generating the entry; also your timestamp suggests you are getting time ok.

    Any firewall running on your windows box to prevent syslog traffic being received? Also, Wireshark is a bit daunting; you can set up filters to only see certain traffic.
     
  10. pfoomer

    pfoomer LI Guru Member

    Hi

    this is my internal log entry for the mark event
    Oct 13 22:30:01 router syslog.info root: -- MARK --

    I am running the latest K26 version (not suggesting you upgrade btw) but all syslog related stuff has worked ok from version 18
     
  11. petm

    petm Networkin' Nut Member

    oh, so that line probably just logs that we're about to set a mark (since the next line is just the hourly mark).

    ok, firewall was a good idea, i completely disregarded that before, but sadly, deactivating it doesn't change a thing. also the kiwi syslog server doesn't get any messages (except the ones i trigger locally using that test program).

    so at the moment i think that nothing reaches my computer, so how can i verify what my router sends?
     
  12. Jedis

    Jedis LI Guru Member

    I use WallWatcher and I've never had a problem. You could try that and see if it works.
     
  13. pfoomer

    pfoomer LI Guru Member

    Hi

    Well if you are sure all is set up correctly on the router a couple of possibilities...

    1. Try another system to act as the receiver

    2. Try wireshark

    Syslog works pretty much out of the box on Tomato.
     
  14. petm

    petm Networkin' Nut Member

    alright, got it working! manually rebooting did the trick. now i'll try to tell my windows firewall to let those messages through.
     
  15. pfoomer

    pfoomer LI Guru Member

    Hi

    manual reboot of what?
     
  16. petm

    petm Networkin' Nut Member

    of the router. i wonder why saving didn't do that automatically.
     
  17. pfoomer

    pfoomer LI Guru Member

    Hi

    I think it did save it, just that the daemon will not pick it up unless restarted, either manually via cli, or on a reboot.
     
  18. petm

    petm Networkin' Nut Member

    yes but i wonder why hitting the save button in that situation didn't reboot the router automatically. it should know which value changes require that, as opposed to me.
     
  19. pfoomer

    pfoomer LI Guru Member

    Hi

    Well it's a router running on Linux, not windows!!!

    Seriously, I wouldn't want to reboot the thing every time I make a change while it's running, it would only tee off my partner.

    This is what happens in Linux world, restarting daemons on the fly is quite normal.

    Also in an ideal world it should broadcast syslog on n.n.n.255 but it doesn't.

    All said and done you are getting a cool bit of software from the sterling efforts of Jon, Teddy Bear, Victek and others for a very small price, so a few imperfections are allowable in my opinion.
     
  20. rhester72

    rhester72 Network Guru Member

    In fairness, it *should* have restarted syslogd after the change was saved. It certainly used to.

    Rodney
     
  21. pfoomer

    pfoomer LI Guru Member

    Hi

    can you recall the last version it did that?

    also does it re-read any changes to the firewall scripts automatically (via the script window and restrictions)?
     