Juniper Junos – Sending syslog to another port

It is possible to change the destination port of the syslog messages sent by a Juniper device running Junos.

By default the syslog port is udp/514.
On the syslog server that will receive the firewall's messages, whether rsyslog, syslog-ng, etc., a dedicated "listener" may be configured on a different IP or port so that these messages can be told apart and grouped into a file separate from the rest.

Let's look at the example:

We will send syslog to a server listening on a port other than udp/514:
syslog server = 10.8.8.4
listening port = udp/1514

The curious thing is that in Junos (at least in the version I have) the "port" parameter is hidden: it does not appear in the CLI completion list, even though it is accepted.

admin@fw-primary# set system syslog host 10.8.8.4 ?
Possible completions:
  any                  All facilities
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  authorization        Authorization system
  change-log           Configuration change log
  conflict-log         Configuration conflict log
  daemon               Various system processes
  dfc                  Dynamic flow capture
  explicit-priority    Include priority and facility in messages
  external             Local external applications
  facility-override    Alternate facility for logging to remote host
  firewall             Firewall filtering system
  ftp                  FTP process
  interactive-commands  Commands executed by the UI
  kernel               Kernel
  log-prefix           Prefix for all logging to this host
  match                Regular expression for lines to be logged
  ntp                  NTP process
  pfe                  Packet Forwarding Engine
  security             Security related
  source-address       Use specified address as source address
  user                 User processes
{primary:node0}[edit]

We add the configuration:

admin@fw-primary# set system syslog host 10.8.8.4 port 1514 any any 

admin@fw-primary# set system syslog host 10.8.8.4 interactive-commands any

admin@fw-primary# set system syslog source-address 10.8.8.1

We verify and apply:

admin@fw-primary# show | display set | match "syslog host 10.8.8.4" 
set system syslog host 10.8.8.4 any any
set system syslog host 10.8.8.4 interactive-commands any
set system syslog host 10.8.8.4 port 1514

admin@fw-primary# commit check 
node0: 
configuration check succeeds
node1: 
configuration check succeeds

admin@firewall-primario# commit 
node0: 
configuration check succeeds
node1: 
commit complete
node0: 
commit complete

We run a tcpdump on the syslog server to see the traffic the Juniper firewall sends us.
We can see that the destination port is indeed udp/1514, and that the packets come from the configured source-address 10.8.8.1:

[root@borg remote]# tcpdump -nni bond0 host 10.8.8.1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes

10:37:38.948387 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 105
10:37:38.948884 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 181
10:37:38.948919 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 114
10:37:38.949645 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 155
10:37:38.949683 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 104
10:37:38.949912 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 146
10:37:38.950175 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 104
10:37:42.508528 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 201
10:37:42.547604 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 202
10:37:42.656530 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 98
10:37:42.656763 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 180
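A small check of the kind you would want to keep next to this procedure, added here as an example and not part of the original post: it parses the one-line tcpdump summaries shown above and reports any syslog packet that did not travel from the configured source-address to the expected server and port. The capture text embedded below is constructed from lines of this page plus one made-up stray packet to udp/514, so the check has something to flag.

```python
import re
from collections import Counter

# Matches the summary line tcpdump prints for syslog-over-UDP packets,
# in the format seen in the capture above.
TCPDUMP_SYSLOG = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"SYSLOG (?P<facility>\w+)\.(?P<severity>\w+), length: (?P<length>\d+)$"
)

# Constructed sample: two lines copied from the capture on this page and one
# made-up stray packet that still goes to the default port 514.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:37:38.948387 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 105
10:37:38.948884 IP 10.8.8.1.514 > 10.8.8.4.1514: SYSLOG local7.info, length: 181
10:37:45.000000 IP 10.8.8.1.514 > 10.8.8.4.514: SYSLOG local7.info, length: 120
"""


def parse_capture(text):
    """Return one dict per syslog packet line; header and unrelated lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCPDUMP_SYSLOG.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("sport", "dport", "length"):
                d[key] = int(d[key])
            packets.append(d)
    return packets


def check_destination(packets, expected_src, expected_dst, expected_port):
    """Return the packets that did NOT go from expected_src to expected_dst:expected_port."""
    return [p for p in packets
            if not (p["src"] == expected_src and p["dst"] == expected_dst
                    and p["dport"] == expected_port)]


def facility_summary(packets):
    """Count packets per facility.severity, e.g. {'local7.info': 3}."""
    return Counter(f"{p['facility']}.{p['severity']}" for p in packets)


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print(facility_summary(pkts))
    for stray in check_destination(pkts, "10.8.8.1", "10.8.8.4", 1514):
        print("unexpected destination:", stray["dst"], stray["dport"])
```

Run it against the output of `tcpdump -nn` on the server; an empty stray list means every packet from the firewall reached the dedicated listener port.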
