Centos rsyslog redirect

This procedure is to have successful and failed login attempts to the TMG unit sent to an external syslog server using rsyslog.

Contents 1 Prerequisites 2 Notes 3 Procedure For Syslog redirect 3.1 Make sure mgmt0 is available and active 3.2 Check if some firewall rules exist already 3.3 Firewall rules to the management port 3.3.1 Verify firewall rules 3.4 Install rsyslog 3.5 Add information to send to remote syslog 3.6 Instructions to access the web portal with SSH tunneling 3.7 Test the process 3.8 Other information 3.8.1 syslog on remote 3.8.2 rsyslog on remote 3.8.3 Default syslog port 3.8.4 Default log files

Prerequisites

To implement this, you need to remove the direct access to the web portal from your firewall, so the TMG unit must now be accessed through the SSH port, and the web portal with SSH tunneling.
We use the standard CentOS rsyslog to also send cron and messages to a syslog server

Notes

The default UDP port for the syslog server is 514 and this procedure redirects it to port 1524.
This procedure has been tested for CentOS 5. Change the hostname of the syslog server accordingly. In the procedure below, the hostname if the syslog server is : lab_syslog_server .
This procedure works for a standalone system. To allow 1+1 systems, please add the tcp port 3306 in the iptables for the database access.

Procedure For Syslog redirect

Make sure mgmt0 is available and active

Connect to SSH interface: Connect to SSH
Then do these commands

ifconfig -a mgmt0;ethtool mgmt0

Output:

mgmt0     Link encap:Ethernet  HWaddr 00:34:45:94:E3:F7
          inet addr:10.10.10.10  Bcast:10.10.10.1  Mask:255.255.255.0
...
Settings for mgmt0:
...
       Link detected: yes

If mgmt0 does not exist, we need to modify the procedure for this port. Please contact TelcoBridges support.

Check if some firewall rules exist already

iptables -L -v; iptables -t nat -L -n -v

Example of an empty table:

Chain INPUT (policy ACCEPT 602M packets, 157G bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 614M packets, 144G bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 1841K packets, 596M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain INPUT (policy ACCEPT 1222K packets, 478M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 13M packets, 4814M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 13M packets, 4814M bytes)
 pkts bytes target     prot opt in     out     source               destination

If some rules exist, we have to know why they are active and if they need to remain there. Please contact TelcoBridges support.

Firewall rules to the management port

Apply these firewall rules on the SSH interface. These rules include SSH, ICMP, DNS, SNMP and Port redirection (514 -> 1524):

iptables -P INPUT ACCEPT
iptables -F
iptables -N TMG-Firewall-All
iptables -A TMG-Firewall-All -p tcp --dport 22 -j ACCEPT
iptables -A TMG-Firewall-All -p icmp -j ACCEPT
iptables -A TMG-Firewall-All -p udp --sport 53 -j ACCEPT
iptables -A TMG-Firewall-All -p udp --dport 53 -j ACCEPT
iptables -A TMG-Firewall-All -p udp --dport 161 -j ACCEPT
iptables -A TMG-Firewall-All -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A TMG-Firewall-All -j DROP
iptables -A INPUT -i mgmt0 -j TMG-Firewall-All
iptables -t nat -A OUTPUT -p udp --dport 514 -j DNAT --to-destination :1524
service iptables save
service iptables restart

Verify firewall rules

iptables -L -v; iptables -t nat -L -n -v

Final firewall output:

Chain INPUT (policy ACCEPT 685K packets, 303M bytes)
 pkts bytes target     prot opt in     out     source               destination
 2441  390K TMG-Firewall-All  all  --  mgmt0  any     anywhere             anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 677K packets, 280M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain TMG-Firewall-All (1 references)
 pkts bytes target     prot opt in     out     source               destination
  380 27568 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
  408 40586 ACCEPT     icmp --  any    any     anywhere             anywhere
   25  2994 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:domain
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:domain
    0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp dpt:snmp
   90 10046 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
 1538  309K DROP       all  --  any    any     anywhere             anywhere
Chain test (0 references)
 pkts bytes target     prot opt in     out     source               destination
Chain PREROUTING (policy ACCEPT 2539 packets, 897K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 19007 packets, 7249K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 19006 packets, 7249K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:514 to::1524

Install rsyslog

On some systems, rsyslog may not be installed by default. You can check with this command:

yum list installed | grep rsyslog

If it is not installed do these commands:

yum clean metadata
yum update
yum install rsyslog

Add information to send to remote syslog

For successful/failed login, messages and cron info, do this command:

echo -e "\n#Send to remote syslog\nauthpriv.*;*.info;cron.*                                @lab_syslog_server\n" >> /etc/rsyslog.conf

Then stop the default syslog service and start the rsyslog service:

service syslog stop
service rsyslog restart

And make is available on reboot:

chkconfig syslog off
chkconfig rsyslog on

If server hostname (syslog_server) is unreachable, edit the hosts file:

cat /etc/hosts

And add this line to the file:

 [IP of syslog server] syslog_server
 e.g. 192.168.77.88 lab_syslog_server

Instructions to access the web portal with SSH tunneling

See these links for setup. Local port must be a free one and remote port will be 12358
Tunneling with Secure CRT
Tunneling with Putty
How to setup SSH tunnel with Putty

Test the process

Tail the file on the syslog server and access the unit with SSH:

tail -f /var/log/secure

you will see something like this:

Jan  4 15:42:11 192.168.101.170 HOSTOSIRIS sshd[3867]: Accepted password for root from 204.23.12.53 port 26149 ssh2

Other information

syslog on remote

If the remote device uses syslog, make sure it can receive the events:

vim /etc/sysconfig/syslog
SYSLOGD_OPTIONS="-m 0 -r"
service syslog restart

rsyslog on remote

If the remote device uses rsyslog, make sure it can receive the events:

vim /etc/rsyslog.conf

uncomment these lines:

$ModLoad imudp
$UDPServerRun 514

Then restart the service:

service rsyslog restart

Default syslog port

If the remote syslog server is on the default port 514, remove this line from the iptables:

iptables -t nat -A OUTPUT -p udp --dport 514 -j DNAT --to-destination :1524

To delete iptables rules:

iptables -t nat -D OUTPUT 1
service iptables save
service iptables restart

Default log files

By default, access information will be sent to this file on the syslog server:

tail -f /var/log/secure

and system messages will be sent to this file:

tail -f /var/log/messages