It is possible to change the destination port of the syslog messages sent by a Juniper device running Junos.
By default the syslog port is udp/514.
On the syslog server that will receive the firewall's messages, whether rsyslog, syslog-ng or another, a dedicated "listener" can be configured on a different IP or port, so that these messages can be told apart and grouped into a separate file from the rest.
Let's look at an example:
We will send syslog to a server that listens on a port other than udp/514
syslog server = 10.8.8.4
listening port = udp/1514
The odd thing is that in Junos (at least in the version I have) the “port” parameter is hidden:
admin@fw-primary# set system syslog host 10.8.8.4 ?
Possible completions:
  any                  All facilities
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  authorization        Authorization system
  change-log           Configuration change log
  conflict-log         Configuration conflict log
  daemon               Various system processes
  dfc                  Dynamic flow capture
  explicit-priority    Include priority and facility in messages
  external             Local external applications
  facility-override    Alternate facility for logging to remote host
  firewall             Firewall filtering system
  ftp                  FTP process
  interactive-commands Commands executed by the UI
  kernel               Kernel
  log-prefix           Prefix for all logging to this host
  match                Regular expression for lines to be logged
  ntp                  NTP process
  pfe                  Packet Forwarding Engine
  security             Security related
  source-address       Use specified address as source address
  user                 User processes
{primary:node0}[edit]
We add the configuration:
admin@fw-primary# set system syslog host 10.8.8.4 port 1514 any any
admin@fw-primary# set system syslog host 10.8.8.4 interactive-commands any
admin@fw-primary# set system syslog source-address 10.8.8.1
We verify and commit:
admin@fw-primary# show | display set | match "syslog host 10.8.8.4"
set system syslog host 10.8.8.4 any any
set system syslog host 10.8.8.4 interactive-commands any
set system syslog host 10.8.8.4 port 1514

admin@fw-primary# commit check
node0:
configuration check succeeds
node1:
configuration check succeeds

admin@firewall-primario# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete
We run a tcpdump on the syslog server to look at the traffic the Juniper firewall sends us.
We can see that the destination port is indeed udp/1514:
[root@borg remote]# tcpdump -nni bond0 host 10.8.8.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:37:38.948387 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 105
10:37:38.948884 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 181
10:37:38.948919 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 114
10:37:38.949645 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 155
10:37:38.949683 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 104
10:37:38.949912 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 146
10:37:38.950175 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 104
10:37:42.508528 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 201
10:37:42.547604 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 202
10:37:42.656530 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 98
10:37:42.656763 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 180
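As an added example (not from the original post), a small Python check that parses tcpdump summary lines like the ones above and confirms that every syslog packet comes from the firewall's configured source-address and lands on the collector's dedicated listener port. The sample lines are constructed for the example and include two deliberately wrong packets (one still on udp/514, one from an unexpected source) to show what the check flags.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump output above; the last two
# lines are deliberately wrong (default port, unexpected source).
SAMPLE = """\
10:37:38.948387 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 105
10:37:38.948884 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 181
10:37:42.508528 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 201
10:37:43.000001 IP 10.8.8.1.514 > 10.8.8.4.514: SYSLOG local7.info, length: 99
10:37:44.000002 IP 10.8.8.9.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 120
"""

# One tcpdump summary line: timestamp, src.port > dst.port, facility.severity, length
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): SYSLOG "
    r"(?P<fac>\w+)\.(?P<sev>\w+), length: (?P<len>\d+)$"
)


def parse_tcpdump(text):
    """Return one dict per parsed line; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("sport", "dport", "len"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def check_delivery(text, fw_source, collector, port):
    """Verify syslog reaches the dedicated listener from the expected source.
    Returns (all_ok, per_flow_counts, anomalies)."""
    flows = Counter()
    anomalies = []
    for p in parse_tcpdump(text):
        flows[(p["src"], p["dst"], p["dport"])] += 1
        if p["src"] != fw_source:
            anomalies.append(("unexpected-source", p["ts"], p["src"]))
        elif p["dst"] != collector:
            anomalies.append(("unexpected-dest", p["ts"], p["dst"]))
        elif p["dport"] != port:
            # Still arriving on udp/514: the "port" knob was not applied/committed
            anomalies.append(("wrong-port", p["ts"], p["dport"]))
    return (not anomalies), dict(flows), anomalies


if __name__ == "__main__":
    ok, flows, bad = check_delivery(SAMPLE, "10.8.8.1", "10.8.8.4", 1514)
    print("OK" if ok else "ANOMALIES", flows, bad)
```

Feed it the real capture with `tcpdump -nni bond0 host 10.8.8.1 | python3 check.py`-style piping, or paste the lines into SAMPLE; a wrong-port hit means the change was not committed on the device that is actually sending.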