LINUX - WINDOWS - Test TCP or UDP port with netcat or telnet - setting up RSYSLOG

Most likely your server is a Linux server. If it's a Windows server, download Wireshark and start capturing packets... If you're using Linux though, read on.

First check if your server is listening on the correct ports:

# netstat -ntlp
# netstat -nulp

-n don't resolve names, -u/-t UDP or TCP, -l show only listening sockets, -p show the owning program and PID (run as root, otherwise the PID column is blank for other users' processes). On newer distros where netstat is gone, ss takes the same flags: ss -ntlp / ss -nulp.

You should see your server up and running; if not, try to start it up:

sysvinit:
/etc/init.d/<service name> stop
/etc/init.d/<service name> start

systemd (using systemctl):
systemctl stop <service>
systemctl start <service>
systemctl status <service>

We will use tcpdump to see if traffic arrives (extremely random note: if you're using rsyslog, you can also see if traffic arrives by monitoring the syslog file - more on this randomness in another article). We will use netcat (network cat) to send traffic to UDP or TCP ports. It's like the good ol' telnet test, except telnet can only test TCP; with netcat we can test both.

MONITOR TRAFFIC WITH TCPDUMP (EXAMPLE WITH RSYSLOG)

ON SERVER (WHERE LISTENING PORT IS AT)

using port 514 as example (options go before the filter expression):

# tcpdump -i eth0 -X "tcp port 514"

or for absolute seq numbers

# tcpdump -i eth0 -XS "tcp port 514"

OR VERY VERBOSE:

# tcpdump -i eth0 -vvX "tcp port 514"

or for absolute seq numbers

# tcpdump -i eth0 -vvXS "tcp port 514"

Legend:
-X show hex and ascii output, -vv very verbose, -S show absolute seq numbers, -i interface. For the UDP test change the filter to "udp port 514" (or just "port 514" to catch both).

ON CLIENT

On another pc (client):

TCP:
# nc -v <ip> <port>
# telnet <ip> <port>
NOTE: TCP is netcat's default, so no protocol flag is needed (nc's -t flag answers telnet negotiation, it does not select TCP). telnet works from the MS Windows cmd prompt too (the Telnet Client is an optional Windows feature, enable it first if the command is missing).

UDP:
# nc -vu <ip> <port>

Then start typing: every line you type should show up in the tcpdump output on the server (and, with rsyslog, as a log message).

Quick Notes on tcpdump's flags:

Flag
[S] = Syn
[.] = Ack
[P] = Push
[F] = Fin

UDP traffic is different: there is no ACK for every datagram and no 3-way handshake, so with UDP you'll just see the datagrams you send.
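As an added example (not from the original notes): a small POSIX shell script that wraps the two checks above in functions. port_listening parses netstat -ntlp / netstat -nulp style output for a listener on the given protocol and port (pass captured output as a third argument to check it offline, or let it run netstat itself); send_probe sends one line with netcat over TCP or UDP with a one-second timeout. The netstat and nc flags are the ones from the notes; the function names, the sample IP 192.0.2.10 and the message are my own.

```shell
#!/bin/sh
# Added example, not code from the original notes. Assumes netstat and nc
# (OpenBSD- or traditional-style flags) are installed.

# port_listening PROTO PORT [NETSTAT_OUTPUT]
# Succeeds when a listener for PROTO (tcp or udp) on PORT shows up in
# "netstat -ntlp" / "netstat -nulp" style output. The optional third argument
# lets you feed captured output in (handy for offline checks); without it
# netstat is run directly.
port_listening() {
    proto=$1
    port=$2
    if [ $# -ge 3 ]; then
        out=$3
    else
        flag=$(printf '%.1s' "$proto")          # t for tcp, u for udp
        out=$(netstat -n"$flag"lp 2>/dev/null)
    fi
    # column 1 is the protocol (tcp, tcp6, udp, udp6), column 4 the local
    # address, which ends in ":<port>" for both IPv4 (0.0.0.0:514) and
    # IPv6 (:::514) sockets
    printf '%s\n' "$out" | awk -v p="$proto" -v port="$port" '
        $1 ~ "^" p && $4 ~ ":" port "$" { found = 1 }
        END { exit !found }'
}

# send_probe PROTO IP PORT MESSAGE
# Sends one line to the port with netcat. TCP is netcat's default; -u switches
# to UDP. -w1 gives up after a second so a dead TCP port does not hang the shell.
send_probe() {
    proto=$1; ip=$2; port=$3; msg=$4
    if [ "$proto" = udp ]; then
        printf '%s\n' "$msg" | nc -u -w1 "$ip" "$port"
    else
        printf '%s\n' "$msg" | nc -w1 "$ip" "$port"
    fi
}

# Usage on the server (hypothetical):
#   port_listening tcp 514 && echo "rsyslog TCP listener is up"
# Usage on the client (hypothetical address 192.0.2.10):
#   send_probe udp 192.0.2.10 514 "hello from client"
```

Run port_listening on the server before starting the tcpdump capture: if it fails, the service is not bound to the port at all and no amount of client-side poking will show traffic, so go back to the start/status commands above.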
 

HOW TO SETUP RSYSLOG TO LISTEN ON UDP AND TCP AND SAVE LOGS TO FOLDER BASED ON IP

Testing with an rsyslog server (syslog port 514 on UDP and TCP) and pointing the client at its ports. Every line of ascii you type into nc will show up as a log message.
 
 apt-get install rsyslog
 vi /etc/rsyslog.conf (make sure conf like below)
 /etc/init.d/rsyslog restart
 
 root@debikos71:/var/log# cat /etc/rsyslog.conf 
### THIS SHOWS HOW I CONFIGURED MY RSYSLOG FOR UDP AND TCP AND ALSO FOR EACH HOST TO SAVE INFO IN /var/log/<ip>/ ###
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME
### EVERYTHING BELOW IS TYPICAL DEFAULT CONFIG ###
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err
news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages
*.emerg                         :omusrmsg:*
daemon.*;mail.*;\
        news.err;\
        *.=debug;*.=info;\
        *.=notice;*.=warn       |/dev/xconsole

HOW TO ENABLE SYSLOG SERVER (from scratch - same as above instructions)

https://wiki.debian.org/DebianEdu/HowTo/syslog-ng
http://www.thegeekstuff.com/2012/01/rsyslog-remote-logging/
http://docs.openstack.org/trunk/openstack-ops/content/rsyslog_server_config.html

The old syslog software is syslog. The newer one is rsyslog, which is what my debikos machine has.

vi /etc/rsyslog.conf

hit i to start writing (insert mode)

Unhash (uncomment) this part or add it in (for TCP):

$ModLoad imtcp
$InputTCPServerRun 514

If you want UDP, unhash this too - leave it with a hashmark if you don't want it:

$ModLoad imudp
$UDPServerRun 514

NOTE: whatever has a # in front of it is a comment

Add this last part in to get per-IP log files:

# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"
*.* ?FILENAME

Save and quit with :wq!

/etc/init.d/rsyslog stop
/etc/init.d/rsyslog start

or

/etc/init.d/rsyslog restart

or

service rsyslog stop
service rsyslog start

or

service rsyslog restart

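As an added example (my own code, not from the original notes or from the rsyslog project), serving both the full config shown earlier and the from-scratch steps just above: syslog_msg builds a BSD-style (RFC 3164) syslog line with a proper PRI and header, so rsyslog parses the sender's hostname and tag instead of treating the raw text you type into nc as the whole message; rsyslog_listener_check reads a config and reports which of the six lines the notes say to add are missing or still commented out (the classic "forgot to unhash it" failure). Function names, the numeric facility/severity convention and the sample config strings are my assumptions; the directives themselves are the ones from the notes.

```shell
#!/bin/sh
# Added example, not part of the original notes. Assumes the legacy-style
# rsyslog directives shown on this page ($ModLoad imudp, $UDPServerRun 514,
# $ModLoad imtcp, $InputTCPServerRun 514, the FILENAME template).

# pri FACILITY SEVERITY  -> syslog PRI number = facility*8 + severity (RFC 3164)
# Both are numeric here: facility user=1, local0=16 .. local7=23;
# severity emerg=0 .. info=6, debug=7.
pri() {
    echo $(( $1 * 8 + $2 ))
}

# syslog_msg FACILITY SEVERITY HOSTNAME TAG MESSAGE [TIMESTAMP]
# Prints one BSD-style syslog line: <PRI>Mmm dd hh:mm:ss host tag: message
# TIMESTAMP is optional and exists so the output is reproducible in tests;
# the default is the current time in the "Mmm dd hh:mm:ss" form rsyslog expects.
syslog_msg() {
    ts=${6:-$(date '+%b %e %T')}
    printf '<%s>%s %s %s: %s\n' "$(pri "$1" "$2")" "$ts" "$3" "$4" "$5"
}

# conf_enabled CONF_TEXT DIRECTIVE
# Succeeds if DIRECTIVE appears on a line that is not commented out.
# Lines starting with # are dropped first, so a hashed-out directive counts
# as missing, which is exactly the mistake the notes warn about.
conf_enabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -Fq -- "$2"
}

# rsyslog_listener_check CONF_TEXT
# Reports every required line that is absent or commented out (on stderr) and
# succeeds only when all six are active. Pass the config text, e.g.
#   rsyslog_listener_check "$(cat /etc/rsyslog.conf)"
rsyslog_listener_check() {
    missing=0
    for d in '$ModLoad imudp' '$UDPServerRun 514' \
             '$ModLoad imtcp' '$InputTCPServerRun 514' \
             '$template FILENAME' '?FILENAME'; do
        if ! conf_enabled "$1" "$d"; then
            echo "missing or commented out: $d" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage on the client (hypothetical server address 192.0.2.10): ship one
# well-formed message over UDP, then look for it on the server in
# /var/log/192.0.2.x/syslog.log, the file the FILENAME template produces.
#   syslog_msg 1 6 client1 nctest "hello from netcat" | nc -u -w1 192.0.2.10 514
```

Two things to expect with the config on this page: rsyslog creates the /var/log/<ip>/ directory by itself (CreateDirs is on by default, so you do not need to mkdir anything), and because the template rule is "*.*" and sits above the default rules, every message is written twice, once to the per-IP file and once to the usual /var/log/syslog and friends. Messages generated on the server itself go through the same template and end up under /var/log/127.0.0.1/.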