Astaro User Bulletin Board
  #1 (permalink)  
Old 02-04-2004, 04:49 PM
Junior Member
 
Join Date: Jan 2004
Posts: 10
Default syslog problems

Hi all,
I have set up a VPN tunnel between 2 ASL 4.019. The tunnel seems to work, but I cannot syslog from the one side onto the other side of the tunnel.
Can anybody give me a hint how to configure this?
I tried various configs, e.g. ipsec rules, internal-interface rule, internal LAN rule etc.
Nothing I do seems to be the right one. Only the ASL box which is in the same LAN logs on the loghost.
I hope to get some hints - thanks so far, robbo
  #2 (permalink)  
Old 02-04-2004, 05:19 PM
Member
 
Join Date: Jan 2004
Location: Texas
Posts: 67
Default Re: syslog problems

Are you allowing UDP port 514 to pass?

Have you set the remote side to accept remote syslog events?

On the remote side, restart syslogd with a -r.

In /etc/sysconfig/syslog on Linux,
add -r to the SYSLOGD_OPTIONS variable.

Good luck.
  #3 (permalink)  
Old 02-04-2004, 08:31 PM
Junior Member
 
Join Date: Jan 2004
Posts: 10
Default Re: syslog problems

Yes, 514 is open. On the loghost, I get the entries from the local firewall (2 different machines), so I think the configuration at the loghost is OK.
I don't know what to do for the logging through the VPN. Do I need an additional route? Do I need a rule from ipsec to WAN interface? etc.

cu robbo
  #4 (permalink)  
Old 02-04-2004, 10:22 PM
Junior Member
 
Join Date: Jan 2004
Posts: 10
Default Re: syslog problems

Hi, I talked to a friend who knows Cisco PIX firewalls. He said that the PIX CAN NOT send logs to an external network. Can ASL do this? Is it possible to use a loghost in a LAN which is reachable over IPSEC?
cu robbo
  #5 (permalink)  
Old 02-05-2004, 11:18 AM
Member
 
Join Date: Apr 2003
Posts: 94
Default Re: syslog problems

Hi Robbo,
I think it is the same with PIX and with ASL.
Solution:
On the side from which you want to syslog, enable a syslog forwarder on one machine in this subnet. Then you could bring your syslog to the other side... I've done this with a PIX-VPN.
It is because the internal card of the PIX couldn't route the traffic which is generated from itself in the VPN tunnels.

At this link you can find a Windows syslog server which can do a redirect:
www.winsyslog.de


HTH

Regards

Udo Seiler
  #6 (permalink)  
Old 02-05-2004, 04:46 PM
Wizard
 
Join Date: Jun 2003
Location: geocenter
Posts: 623
Default Re: syslog problems

This problem is maybe related to the fact that the packets leaving the firewall have the external IP of the device as source IP address. A solution may be to SNAT syslog packets. Translate it from the external to the internal IP to make them go through the tunnel.

As said, maybe a solution
cyclops
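The source-address effect described in the post above, as an added example that is not part of the thread: a simplified model of a net-to-net IPsec policy that selects traffic by source and destination subnet, plus a source-NAT step. All addresses, names and the rule format are constructed assumptions, not ASL configuration.

```python
import ipaddress
from dataclasses import dataclass, replace

# All addresses and names below are constructed for illustration.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

@dataclass(frozen=True)
class TunnelPolicy:
    name: str
    local_net: str
    remote_net: str

@dataclass(frozen=True)
class SnatRule:
    proto: str
    dport: int
    dst: str
    to_source: str

def apply_snat(pkt, rules):
    """Rewrite the source address if a rule matches protocol, port and destination."""
    for r in rules:
        if (pkt.proto, pkt.dport, pkt.dst) == (r.proto, r.dport, r.dst):
            return replace(pkt, src=r.to_source)
    return pkt

def select_tunnel(pkt, policies):
    """Return the tunnel whose selector covers both src and dst, else None (not tunneled)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for p in policies:
        if src in ipaddress.ip_network(p.local_net) and dst in ipaddress.ip_network(p.remote_net):
            return p.name
    return None

POLICIES = [TunnelPolicy("site-a-to-site-b", "192.168.1.0/24", "192.168.2.0/24")]
LOGHOST = "192.168.2.10"
EXTERNAL_IP, INTERNAL_IP = "203.0.113.5", "192.168.1.1"
fw_syslog = Packet(EXTERNAL_IP, LOGHOST, "udp", 514)  # generated by the firewall itself
lan_ping = Packet("192.168.1.50", LOGHOST, "icmp", 0)  # generated by a LAN client
SNAT = [SnatRule("udp", 514, LOGHOST, INTERNAL_IP)]

if __name__ == "__main__":
    for label, pkt in [("no SNAT", fw_syslog), ("SNAT", apply_snat(fw_syslog, SNAT)), ("LAN ping", lan_ping)]:
        print(label, "->", select_tunnel(pkt, POLICIES))
```

Because the SNAT target in this model is the sending firewall's own internal address, the loghost still sees one distinct source address per firewall.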
  #7 (permalink)  
Old 02-09-2004, 11:24 PM
Junior Member
 
Join Date: Jan 2004
Posts: 10
Default Re: syslog problems

Hi,
you may be right, but it seems that I have some problems understanding what happens on the ASL.
Which interface is creating the packet? Which address must I give this packet? Internal or external? The problem may be that the IP will be changed when I do SNAT. So many different logfiles get the same IP address?
Another question along these lines: ping goes through the tunnel. Why is traceroute dropped on ipsec, if I (for testing only) allow any - any - any?

cu robbo