
I'm trying to intercept application-specific syslog log traffic with a custom UDP server in Ubuntu. For testing purposes, I stopped the default syslogd daemon running on port 514 and configured a UDP server to listen to UDP traffic on port 514. I have faced the following questions in doing so:

  1. The remote logging feature has to be enabled in /etc/default/syslogd file using SYSLOGD="-r". However, since I stopped the syslogd daemon and am running my own UDP server on port 514, is there any other way to enable remote logging (programmatically, etc.) without using syslog.conf file so that log traffic is sent to the port 514?

  2. Is there a way to direct syslog log traffic to another port with the default port 514 (traffic must be sent to both ports)? If this is the case, I can easily run a custom UDP daemon in the second port and intercept log traffic.

Thanks.

Have you looked at Wireshark? It can sniff all traffic coming into and out of your computer. It is open source, so you could access the source code if you needed something more specific than what it can provide. wireshark.org – grieve

@grieve No, I haven't. But I think Wireshark might be overkill here. If I can get a simple UDP server working, that will do perfectly. – Izza

You can send traffic on both ports; you just need to open another socket on the second port and resend the message there. – Youssef G.

@YoussefG. Can you please explain a bit more? What I need to do is write to another UDP port while keeping the existing one as well. So the log message should go to both port 514 and the new port. Thanks. – Izza

@Izza: Have you looked at iptables? There is a Unix StackExchange answer that appears to be what you want to do. unix.stackexchange.com/a/10607 – grieve

1 Answer


You can't have two daemons listening on the same port. Set up your UDP test server (e.g. netcat) to listen on another port (e.g. 1514) and configure your Ubuntu server to send logs to this port.
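A small test receiver for the approach the answer describes, added here as an example and not part of the original answer: a Python UDP listener on an alternate port (1514 assumed, as in the answer) that decodes the BSD-syslog `<PRI>` header into facility and severity, drops datagrams that are not syslog at all, and can keep only one application's tag, plus a sender for local testing. The loopback address, the tag filter and the regex for the `tag[pid]: message` header are assumptions.

```python
import re
import socket
# <PRI> = facility * 8 + severity (RFC 3164); a subset of the facility table is enough here
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog", 9: "cron",
              10: "authpriv", **{16 + i: f"local{i}" for i in range(8)}}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)
# optional "Mmm dd hh:mm:ss host " header, then "tag[pid]: message" (assumed layout)
_HDR = re.compile(r"^(?:[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ )?"
                  r"([A-Za-z0-9_./-]+)(?:\[\d+\])?: ?(.*)$", re.S)

def parse_syslog(datagram: bytes) -> dict:
    """Decode one datagram into facility/severity/tag/msg; ValueError if it is not syslog."""
    m = _PRI.match(datagram)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or invalid <PRI> header")
    pri, rest = int(m.group(1)), m.group(2).decode("utf-8", "replace").rstrip("\n")
    h = _HDR.match(rest)
    return {"facility": FACILITIES.get(pri // 8, str(pri // 8)), "severity": SEVERITIES[pri % 8],
            "tag": h.group(1) if h else None, "msg": h.group(2) if h else rest}

def build_syslog(facility: int, severity: int, tag: str, msg: str) -> bytes:
    return f"<{facility * 8 + severity}>{tag}: {msg}".encode()  # minimal datagram, no timestamp/host

def send_syslog(port, facility, severity, tag, msg, host="127.0.0.1") -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(build_syslog(facility, severity, tag, msg), (host, port))

def listen(port: int = 1514, host: str = "127.0.0.1") -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # the alternate port from the answer
    s.bind((host, port))
    return s

def collect(sock: socket.socket, count: int, timeout: float = 2.0, tag: str = None) -> list:
    """Read up to `count` records, dropping non-syslog datagrams; keep only `tag` if given."""
    sock.settimeout(timeout)
    out = []
    try:
        while len(out) < count:
            data, peer = sock.recvfrom(65535)
            try:
                rec = parse_syslog(data)
            except ValueError:
                continue  # junk on the port: not syslog, ignore it
            if tag is None or rec["tag"] == tag:
                out.append(dict(rec, peer=peer[0]))
    except socket.timeout:
        pass  # no more traffic within the window
    return out
```

With the listener running on 1514, pointing the system syslog at that port (or `logger` with a remote server option) lets you watch one application's tag arrive while the default port 514 stays untouched.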