Question

  • #3937594

    Modem Router & Syslog Server

    Locked

    by pj863 ·

    Hi Experts, I am somewhat of a newbie in the networking arena. I have a basic understanding, as I have been in IT for a decade.

    I am trying to set up a centralized log server for my personal use. Here is my current setup. The question is written at the bottom of the post; any response/guidance will be much appreciated.

    Modem: AT&T Model 5268AC
    Router: Netgear R7000, flashed with FreshTomato.
    Ubuntu 20.0.4x machine running an Rsyslog server.

    Modem IP address is 192.168.1.254
    Router IP address is 10.0.0.1

    Both the modem and the router have the ability to send syslog data to a remote machine.

    Facts:
    1. I am successfully able to send syslog data from my router to Rsyslog.
    2. However, no data gets transferred from my modem to Rsyslog.

    Troubleshooting steps:
    1. I have tried turning the router's syslog export off and using the same port (1515) on the modem, just to troubleshoot whether it was an incoming-port issue on the Ubuntu side. It is not, as the router can successfully send syslog data to Ubuntu but the modem cannot. Nothing gets to the Ubuntu server from the modem.
    2. On the router I have tried opening port forwarding as follows:
    Source port and destination port: both 1515
    Source IP address: my modem (192.168.1.254)
    Destination IP address: my Ubuntu machine (10.0.0.41)

    Can someone guide me on what I am doing wrong?

All Answers

    • #3938631

      The modem appears to be more than a modem.

      by rproffitt ·

      In reply to Modem Router & Syslog Server

      It’s also on another subnet which will cause issues.

      Why not turn the modem into a real full up modem?

      • #3938630

        It's an AT&T modem

        by pj863 ·

        In reply to The modem appears to be more than a modem.

        AT&T provided the modem and I have to use it if I need service from AT&T. But the only thing connected to my modem is the router, and the whole network gets DHCP addresses from the router.

        • #3938629

          This residential gateway is not that capable.

          by rproffitt ·

          In reply to its at&t modem

          So you’ll need another Ethernet or WiFi connection from your Ubuntu box to the other LAN. Then it’s easy peasy.

        • #3938622

          second n/w interface enabled

          by pj863 ·

          In reply to This residential gateway is not that capable.

          Thanks, this was a good suggestion. I opened up another network interface and connected my Ubuntu to the AT&T modem directly, in addition to the existing Ethernet connection to my personal router. Now I can see my Ubuntu has two IP addresses, one for each subnet:
          192.168.1.67
          10.0.0.41

          Problem: I have a web server running on the Ubuntu server on ports 80 and 443. This is for my website. As soon as I turn on the second interface card on my Ubuntu for my AT&T modem, my website becomes unreachable.

          I checked that port forwarding on my router is only to 10.0.0.41 (which was configured earlier and was working just fine).

          Is enabling the second interface interrupting my web server traffic?

          Thanks

        • #3938617

          Shouldn’t but

          by rproffitt ·

          In reply to second n/w interface enabled

          I'm not your web server admin, but I would suggest the web admin check what IP and, again, which ports the server is listening on.

          And if that never works out I'd cheat and set up a small, low-power syslog server on a cheap Pi. Source: https://www.google.com/search?&q=syslog+server+raspberry+pi

        • #3938601

          Working

          by pj863 ·

          In reply to Shouldn’t but

          Thanks for the suggestions again. I got it working by binding Apache to a specific address.
          Probably not an apt question for this thread, but I am asking as that was the initial objective of this setup.

          Question: what are the key logs I should be looking for in my modem logs to detect whether any intrusion attempts are happening over time? For example, below is the list of sources captured through the modem logs; which ones can be useful to filter for intrusion attempt(s)?

          Source               Message count
          mcpd:                224
          led-manager[1839]:   184
          kernel:              136
          lmd[1841]:           106
          fw[1908]:            59
          wifimgrd[1**8]:      25
          dhcp6d[1793]:        24
          bulkdatad[1782]:     13
          dnsmasq[19824]:      8
          optip-990            7
          raspberrypi          3
          dlnamgr[1801]:       2
          ethblink[26698]:     2
          ethblink[26762]:     2
          ethblink[26801]:     2

        • #3938598

          I no longer look at syslogs.

          by rproffitt ·

          In reply to Working

          It would be hours lost to me. Besides, any PC/device connected to the web will be attacked. The best defense is to have the device only respond to what it needs to and nothing else. Strip it bare and then keep current on the OS and apps that are left.

          I’ve run such for years without trouble.

          I am a security maven. I’d go find a Reddit on that.

        • #3938597

          agreed partially

          by pj863 ·

          In reply to I no longer look at syslogs.

          I am no security maven by any means... but I could not agree more on the hours-lost comment 🙂

          Just to give an idea where I am coming from:
          1. My external modem has only ports 443/80 open, and I have made sure to check my personal network for vulnerabilities with Nmap. There are a few ports open on my network, but they are behind the firewall. So I 100% agree on stripping it down to be more secure.

          2. The setup I am trying to build will eventually send me a notification/alert as a text to my phone if my syslog parsing software meets a condition for sending a notification. I am at the point of jotting down what key messages etc. I should be asking my parsing software to look for in the syslog.
          Hope this helps in delivering my perspective.

          Thanks..

        • #3938585

          For that

          by rproffitt ·

          In reply to agreed partially

          I’d get to a subreddit about syslog and security discussions. You’ll find more folk there than here.

          The one condition I can think of is a successful connection on other ports, BUT the routers can't determine that in stock form. I can't guess what might be possible with pfSense, Tomato and such firmware. Another nod to subreddits on those firmwares.

          Since any Internet-connected device is going to be scanned, pinged and even DDoS'd, I can't see why I need to be alerted to all that. It would be a waste of time to get such an alert as today we can't stop these on our routers.

        • #3938581

          If I were to do this again.

          by rproffitt ·

          In reply to For that

          Since all I ever saw over a few years was to be expected, I rarely look at this today.

          But you did ask, so I would be remiss not to note there are such things beyond Reddit discussions. Try this search:
          https://www.google.com/search?&q=Router+log+analyzer

    • #4010464

      Reply To: Modem Router & Syslog Server

      by Willjoe24 ·

      In reply to Modem Router & Syslog Server

      Syslog server configuration
      Open the rsyslog.conf file and add the following lines
      Create and open your custom config file.
      Restart the rsyslog process.
      Configure Log Forwarding in the KeyCDN dashboard with your syslog server details.
      Verify if you are receiving the logs (log forwarding starts within 5 minutes).

      Regards,
      Will
