
Get your syslog out

Posted: Fri May 22, 2020 5:36 pm
by vinistois
Envisalink has decided to restrict syslog to its own local subnet, which for some reason they have defined as matching the last octet of the IP address.

Many users have the envisalink in a different subnet. This is one way to get the syslog out of there and do whatever you want with it.

Start a Linux box / a Raspberry Pi / a VM / or whatever in the subnet your Envisalink shares.

Install rsyslog:

    apt install rsyslog

or

    yum install rsyslog

depending on your OS.

Then edit the configuration file for rsyslog:

    sudo vi /etc/rsyslog.conf

Uncomment these two lines to accept remote syslog on port 514 over UDP:

    module(load="imudp")
    input(type="imudp" port="514")

Add the following at the bottom to send everything logged to this host to a remote destination:

    *.*    @remotesysloghost:port

For example, send everything to Papertrail (set up your free Papertrail account first to get your URL):

    *.*    @logs5.papertrailapp.com:26587

Open the port to accept incoming syslog:

    firewall-cmd --zone=public --add-port=514/udp --permanent
    firewall-cmd --reload

Restart rsyslog to grab the new config:

    systemctl restart rsyslog

Look at the status if you have trouble:

    systemctl status rsyslog

If you find you are sending things you don't want to be sending, you can stop (drop) those messages in rsyslog.conf:

    :msg, contains, "some_string_in_a_message_i_dont_want_to_send" stop
    *.*    @logs5.papertrailapp.com:26587

Or, only send messages that match a specific string:

    :msg, contains, "some_interesting_msg" @logs5.papertrailapp.com:26587

You can use various rules and regex here to get it just right.


Point Envisalink syslog to this host. It will catch all the syslog messages and ship them to your remote destination.
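The relay described in the post above, written out as an added example (not code from the original post or from Envisalink): a small UDP syslog receiver that parses the RFC 3164 PRI header, applies the same drop-on-match ("stop") and forward-on-match filtering the rsyslog.conf lines express, and forwards surviving datagrams unchanged to the remote destination. The upstream host/port, the Envisalink address 192.0.2.10 and the sample messages are constructed values, and the source allow-list is an extra check not in the post.

```python
"""Minimal UDP syslog relay with rsyslog-style 'contains' filtering.

Added example, not from the original post. Host names, ports and the
sample addresses below are assumptions / constructed values.
"""
import re
import socket
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# RFC 3164 framing: "<PRI>" followed by the rest of the message.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    msg: str


def parse_syslog(datagram: bytes) -> Optional[SyslogMessage]:
    """Split the PRI header into facility/severity; None if not syslog-shaped."""
    text = datagram.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23, severity 7 is the largest legal PRI
        return None
    return SyslogMessage(facility=pri >> 3, severity=pri & 7, msg=m.group(2))


@dataclass
class Rule:
    """One ':msg, contains, "<needle>" <action>' line; action is 'stop' or 'forward'."""
    needle: str
    action: str


def should_forward(msg: str, rules: Iterable[Rule], catch_all: bool) -> bool:
    """Evaluate rules top to bottom the way rsyslog does.

    'stop' on a match discards the message and ends processing; 'forward'
    on a match marks it for sending and processing continues. catch_all
    models a trailing '*.* @host' line that forwards whatever survives.
    """
    forward = False
    for rule in rules:
        if rule.needle in msg:
            if rule.action == "stop":
                return False
            forward = True
    return forward or catch_all


def relay(listen: Tuple[str, int], upstream: Tuple[str, int], rules: List[Rule],
          catch_all: bool = True,
          allowed_sources: Optional[Iterable[str]] = None) -> None:
    """Receive on `listen`, forward selected datagrams unchanged to `upstream`.

    allowed_sources (assumed: the Envisalink's address) restricts which
    senders are relayed, so a stray host on the LAN cannot push its own
    lines into the remote log store through this box.
    """
    allowed = set(allowed_sources) if allowed_sources else None
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(listen)
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, (src_ip, _) = rx.recvfrom(8192)
        if allowed is not None and src_ip not in allowed:
            continue
        parsed = parse_syslog(data)
        if parsed is None:
            continue  # not syslog; drop rather than forward junk upstream
        if should_forward(parsed.msg, rules, catch_all):
            tx.sendto(data, upstream)


if __name__ == "__main__":
    # Assumed values: your relay's bind address, your Papertrail destination
    # (from the post) and the Envisalink's IP on the shared subnet.
    relay(
        listen=("0.0.0.0", 514),
        upstream=("logs5.papertrailapp.com", 26587),
        rules=[Rule("some_string_in_a_message_i_dont_want_to_send", "stop")],
        catch_all=True,
        allowed_sources=["192.0.2.10"],
    )
```

Binding UDP 514 needs root (or CAP_NET_BIND_SERVICE), just as rsyslog does. Datagrams are forwarded byte-for-byte, so the remote side still sees the Envisalink's own hostname and timestamp rather than the relay's. To reproduce the second rsyslog.conf variant (forward only matching messages), pass `rules=[Rule("some_interesting_msg", "forward")]` with `catch_all=False`.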

Re: Get your syslog out

Posted: Sun Jun 07, 2020 2:43 am
by grabo
Another option would be a device that can NAT the raw IP traffic, without digesting it.

i.e., a relatively intelligent firewall. I did exactly this with a remote EVL4 and a Cisco ASA.

Re: Get your syslog out

Posted: Wed Feb 07, 2024 1:57 am
by grabo
Another option - because I just ran into exactly this - is to run a syslog forwarder on Windows.

There's a lot of "free" syslog servers available for Windows, but they're usually crippled versions of other products.

I found one that's completely free, very simple to set up and use, and has a tiny footprint: FastVue Syslog Server.

Runs as a Windows service, so it's running as long as the Windows machine is running.

1. Install it on a Windows machine.
2. Point your EVL4 to the IP of your Windows machine
3. On the Windows machine, go to http://localhost:47279 (this is the admin interface for FastVue Syslog Server)
4. Configure a username/password if you want. Turn on "autodiscovery" so it will accept syslogs from new hosts.
5. Generate a syslog from your EVL4.
6. Once the syslog shows up in the web interface, you can "configure" the source, and you can go to the "Forwarding" tab to forward the messages to another host.