Remote logging DD-WRT with Syslog-ng
Since moving to Quebec, the bandwidth usage at home hasn't dropped below our ISP's limit. Therefore, I am setting up remote administration for the DD-WRT router. The idea is to monitor dropped/rejected packets to figure out a way to limit them, do per-ip bandwidth monitoring and setup a centralized logging server in the process.
On the Ubuntu machine
The slice is running Ubuntu Hardy. For those running Debian, the steps are similar except you won't have the ubuntu-minimal issue.
Installing Syslog-ng
We use Syslog-ng instead of Sysklogd because Sysklogd can't split logs by host or other parameters; that per-host splitting is also what makes Syslog-ng easy to scale to more routers later.
$ sudo apt-get install syslog-ng
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be REMOVED:
klogd sysklogd ubuntu-minimal
The following NEW packages will be installed:
syslog-ng
0 upgraded, 1 newly installed, 3 to remove and 0 not upgraded.
Need to get 179kB of archives.
After unpacking 139kB of additional disk space will be used.
Do you want to continue [Y/n]? y
I think it might be prudent to point out that whilst it is safe to remove ubuntu-minimal, it should be present when upgrading between Ubuntu versions. If it isn't installed, then the upgrade may not go entirely to plan.
Configuring Syslog-ng
$ sudo nano /etc/syslog-ng/syslog-ng.conf
source s_home { udp(port(514)); };
destination df_remote_home { file("/var/log/$HOST/$YEAR/$MONTH/$YEAR$MONTH$DAY"); };
log { source(s_home); destination(df_remote_home); };
If you wish to resolve IPs to hostnames (so that $HOST in the file path above is a name rather than an address), you'll need the following additional options:
options { use_dns(yes); use_fqdn(yes); keep_hostname(yes); };
Be sure to read the reference below to optimize Syslog-ng when using DNS; otherwise a slow or unreachable resolver can lock up Syslog-ng.
Once you're done configuring Syslog-ng, you'll need to reload its configuration:
$ sudo /etc/init.d/syslog-ng reload
Reference: Syslog-ng v2.0 Administration Guide
On the DD-WRT router
Enable the Syslogd service
Don't forget to fill in your logging server's IP or hostname.

Using the console
$ nvram set syslogd_rem_ip=123.456.789.1
$ nvram set syslogd_enable=1
$ nvram commit
$ reboot
Activate the firewall
Choose the logging level wisely as you may find yourself with huge logs.

Using the console
$ nvram set log_level=2
$ nvram set log_enable=1
$ nvram set log_rejected=1
$ nvram set log_dropped=1
$ nvram set log_accepted=0
$ nvram commit
$ reboot
Logging packets that hit your firewall may overwhelm you with useless information.
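To turn those dropped/rejected lines into something you can act on, here is an added Python script that is not part of the original post and not a DD-WRT or Syslog-ng tool. It reads the file Syslog-ng writes under /var/log/<router>/..., parses the kernel LOG lines, and tallies blocked hits per source address, which ports are being probed, and accepted bytes per LAN host (the per-IP bandwidth figure the post is after). The sample lines are constructed, and the exact layout (the verdict as the log prefix, br0 as the LAN bridge, vlan1 as the WAN interface) is an assumption about DD-WRT's firewall logging, so adjust the regex and LAN_IF if your router logs differently.

```python
import re
import sys
from collections import Counter

# Constructed sample of a DD-WRT firewall log as written by syslog-ng: a
# kernel LOG line whose prefix is the verdict (DROP / REJECT / ACCEPT) followed
# by the usual iptables key=value fields.  Hostnames, times and addresses are
# made up (documentation ranges); the layout itself is an assumption.
SAMPLE_LOG = """\
Mar  3 10:15:01 ddwrt kernel: DROP IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=52345 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 ddwrt kernel: DROP IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=TCP SPT=52346 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:03 ddwrt kernel: REJECT IN=vlan1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1234 DPT=514 LEN=40
Mar  3 10:15:04 ddwrt kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=203.0.113.50 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Mar  3 10:15:05 ddwrt kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.20 DST=203.0.113.50 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=101 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Mar  3 10:15:06 ddwrt dnsmasq[123]: started, version 2.45 cachesize 150
"""

# Assumed log shape: "kernel: <VERDICT> key=value key=value ..."
KERNEL_LOG = re.compile(r"kernel: (?P<verdict>ACCEPT|DROP|REJECT) (?P<fields>.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")
LAN_IF = "br0"  # assumption: DD-WRT's LAN bridge; vlan1 is the WAN side


def parse_line(line):
    """Return a dict of the LOG fields plus 'verdict', or None for non-firewall lines."""
    m = KERNEL_LOG.search(line)
    if m is None:
        return None
    record = {"verdict": m.group("verdict")}
    for key, value in FIELD.findall(m.group("fields")):
        # UDP/ICMP lines carry a second LEN= for the inner header; keep the
        # first one (the IP total length), which is what byte counting needs.
        # Flag-only tokens such as DF or SYN have no '=' and are skipped.
        record.setdefault(key, value)
    return record


def summarize(text):
    """Aggregate log text into the three counters the post wants to watch."""
    blocked_by_src = Counter()   # DROP/REJECT hits per remote source address
    blocked_ports = Counter()    # (proto, port) pairs being probed from outside
    bytes_by_lan_ip = Counter()  # accepted bytes per LAN host, summed from LEN
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["verdict"] in ("DROP", "REJECT"):
            blocked_by_src[rec.get("SRC", "?")] += 1
            if "DPT" in rec:
                blocked_ports[(rec.get("PROTO", "?"), int(rec["DPT"]))] += 1
        elif rec["verdict"] == "ACCEPT" and rec.get("IN") == LAN_IF:
            bytes_by_lan_ip[rec.get("SRC", "?")] += int(rec.get("LEN", 0))
    return {
        "blocked_by_src": blocked_by_src,
        "blocked_ports": blocked_ports,
        "bytes_by_lan_ip": bytes_by_lan_ip,
    }


def report(summary, top=5):
    """Render the summary as plain text, most active entries first."""
    lines = ["Top blocked sources:"]
    for src, n in summary["blocked_by_src"].most_common(top):
        lines.append(f"  {src:<16} {n} hits")
    lines.append("Probed ports:")
    for (proto, port), n in summary["blocked_ports"].most_common(top):
        lines.append(f"  {proto}/{port:<6} {n} hits")
    lines.append("Accepted bytes per LAN host:")
    for ip, b in summary["bytes_by_lan_ip"].most_common(top):
        lines.append(f"  {ip:<16} {b} bytes")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python fwsummary.py /var/log/<router>/2008/03/20080303
    # With no argument the constructed sample above is summarised instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(summarize(text)))
```

The per-host byte counter only sees packets the router actually logged, so with log_accepted=0 as set above it stays empty; turning log_accepted on makes it work but brings exactly the log volume the post warns about, and LEN is the IP length of each logged packet, not a precise traffic meter.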
Securing Syslog-ng
I'm personally using iptables to secure both the routers and the slice. Therefore, I made sure to allow connections from the routers to the slice on UDP port 514. Syslog over UDP is one-way, so conntrack never sees a reply and the router's packets stay in the NEW state; the rule therefore has to match NEW as well as ESTABLISHED:
-A INPUT -p udp -s 123.456.789.1 --sport 2048 --dport 514 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT