
I'm trying to intercept application-specific syslog log traffic from a custom UDP server in Ubuntu. For testing purposes, I stopped the default syslogd daemon running on port 514 and configured a UDP server to listen to UDP traffic on port 514. I have faced the following questions in doing so:

  1. The remote logging feature has to be enabled in /etc/default/syslogd file using SYSLOGD="-r". However, since I stopped the syslogd daemon and am running my own UDP server on port 514, is there any other way to enable remote logging (programmatically, etc.) without using syslog.conf file so that log traffic is sent to the port 514?

  2. Is there a way to direct syslog log traffic to another port with the default port 514 (traffic must be sent to both ports)? If this is the case, I can easily run a custom UDP daemon in the second port and intercept log traffic.

Thanks.

grieve
Izza
  • Have you looked at wireshark? It can sniff all traffic coming into and out of your computer. It is open source, so you could access the source code if you needed something more specific than what it can provide. http://www.wireshark.org/ – grieve Oct 03 '12 at 14:30
  • @grieve No, I haven't. But I think wireshark might be overkill here. If I can get a simple UDP server working that will do perfectly. – Izza Oct 03 '12 at 14:32
  • You can send traffic on both ports, you just need to open another socket on the second port and resend the message there. – Youssef G. Oct 03 '12 at 15:28
  • @YoussefG. can you please explain a bit more? what I need to do is write to another UDP port while keeping the existing one as well. So the log message should go to both port 514 and the new port. Thanks. – Izza Oct 03 '12 at 16:59
  • @Izza: Have you looked at IpTables? There is a unix stackexchange answers that appears to be what you want to do. http://unix.stackexchange.com/a/10607 – grieve Oct 03 '12 at 18:46
  • I am speaking from a programming perspective. My suggestion is write up and post the code for your C-based UDP server and you will understand what I am saying then. Otherwise, look into disabling the remote connection on your syslogd: http://www.sunsolarisadmin.com/solaris-7/disable-remote-logging-in-syslog-daemon/. In most cases, if you have to send it on two ports all the time, then there is probably a better way to do it. – Youssef G. Oct 03 '12 at 19:23
  • @YoussefG. The link is about disabling a host acting as a syslog log-collecting server. What I want to do is intercept the UDP traffic at the syslog client machine (which sends the data to a syslog central server), by duplicating the traffic flow to UDP port 514. – Izza Oct 04 '12 at 04:14

1 Answer


You can't have two daemons listening on the same port. Set up your UDP test server (e.g. netcat) to listen on another port (e.g. 1514) and configure your Ubuntu server to send logs to this port.

b0ti
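An added example, not part of the question or of b0ti's answer: a small Python UDP receiver for the alternate port the answer suggests, which parses the BSD syslog (RFC 3164) PRI header and can optionally resend each datagram unchanged to a second (host, port), the duplication Youssef G.'s comment describes. Port 1514 and the sample datagrams are constructed for the example.

```python
import re
import socket
import sys

# Facility and severity names from RFC 3164 section 4.1.1 (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")

# Constructed sample datagrams in the shape a BSD-style syslog client sends (not captured traffic).
SAMPLE_DATAGRAMS = [
    b"<34>Oct  3 14:30:00 host1 sshd[1234]: Failed password for invalid user admin from 10.0.0.5",
    b"<13>Oct  3 14:30:01 host1 myapp: started",
    b"no PRI header at all",
]

def parse_syslog(datagram):
    """Split a syslog datagram into facility, severity and body.
    A missing or out-of-range PRI is treated as <13> (user.notice), as RFC 3164
    tells relays to do, rather than dropping the message."""
    m = PRI_RE.match(datagram)
    pri = int(m.group(1)) if m else -1
    if m and 0 <= pri <= 191:
        body = datagram[m.end():]
    else:
        pri, body = 13, datagram
    return {"pri": pri, "facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "body": body.decode("utf-8", errors="replace")}

def serve(listen_port=1514, forward_to=None):
    """Receive syslog over UDP on listen_port and print the parsed fields; when
    forward_to=(host, port) is given, resend the untouched datagram there so the
    original collector still receives every message."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", listen_port))
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) if forward_to else None
    while True:
        data, (src, _) = sock.recvfrom(65535)
        rec = parse_syslog(data)
        print(f"{src} {rec['facility']}.{rec['severity']}: {rec['body']}")
        if out:
            out.sendto(data, forward_to)

if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 1514)
```

On an rsyslog host (Ubuntu's default), a rule such as `*.* @127.0.0.1:1514` (single @ means UDP) forwards everything to this receiver; the receiver itself never sees traffic until the client is pointed at its port.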