Rsyslog listens on WAN - how to prevent

I've enabled rsyslog on my openwrt router to be able to use it with haproxy.

Now, rsyslog listens on UDP 514 on all interfaces.

I'd like rsyslog not to listen on udp 514 on the WAN interface.

There is a rsyslog configuration option to listen only e.g. on 127.0.0.1.

However, rsyslog is configured using UCI and I don't see a configuration option to let rsyslog listen on specific interfaces or IP addresses.

Can someone help me with this?

have you opened port 514 in the WAN firewall?

Nmap reports 'open|filtered'. I think it doesn't respond, but I would like rsyslog not to listen at all on 0.0.0.0 or ::. Only on the LAN interfaces and localhost.

this scan is executed from where?

have you done the same for all the other services (by default) listening on all interfaces?

That means the UDP port did not respond; there is no telling whether a service or the firewall consumed the packet.

You can bind the UDP socket to a particular interface address.

  1. The scan is initiated from a VPS on the internet.
  2. Yes, in principle yes. I'm still struggling with dhcp, but otherwise all services that are not required for WAN => LAN connectivity do not bind on the WAN interface.

@brada4: Thanks for the rsyslog configuration pointer.

There seems to be no UCI configuration option for rsyslog to bind to a device, e.g. like udp_input_device "eth1,lo,br-lan".

So, I solved the issue as follows:

  1. I disabled rsyslog altogether in the UCI config:
@main-router:/etc/config> cat rsyslog

config syslog 'syslog'
        option tcp_input_port '514'
        option udp_input '0'
        option tcp_input '0'
        option udp_input_port '514'
        option default_template 'RSYSLOG_TraditionalFileFormat'
        list modules 'imuxsock'
        list modules 'imklog'

      (...)
  2. I put three input modules in /etc/rsyslog.conf:
@main-router:/etc/config> cat /etc/rsyslog.conf
#
# The preferred way to configure rsyslogd is now UCI.
#
# This file can be still used and will be included
# on top of the final configuration inside /var/etc/rsyslog.conf
#
# Example of default configuration:
#
#$ModLoad imudp
#$UDPServerAddress 127.0.0.1 ::1
#$UDPServerRun 514

#module(load="imuxsock")
#module(load="imklog")

module(load="imudp")
input(type="imudp" port="514" device="lo")
input(type="imudp" port="514" device="eth1")
input(type="imudp" port="514" device="br-lan")

(...)

Now, rsyslog binds to the desired interfaces, i.e. my LAN and localhost and not to the WAN interface.

nmap reports a closed port:

@monitor:~> nmap  -sU thuis.dijkewijk.nl -p 514
Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-14 13:32 UTC
Nmap scan report for thuis.dijkewijk.nl (86.92.61.120)
Host is up (0.021s latency).
Other addresses for thuis.dijkewijk.nl (not scanned): 2a02:a460:23f3:2::42:42
rDNS record for 86.92.61.120: 86-92-61-120.fixed.kpn.net

PORT    STATE  SERVICE
514/udp closed syslog

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds

@monitor:~> nmap -6  -sU thuis.dijkewijk.nl -p 514
Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-14 13:32 UTC
Nmap scan report for thuis.dijkewijk.nl (2a02:a460:23f3:2::42:42)
Host is up (0.021s latency).
Other addresses for thuis.dijkewijk.nl (not scanned): 86.92.61.120
rDNS record for 2a02:a460:23f3:2::42:42: 2a02-a460-23f3-2--42-42.fixed6.kpn.net

PORT    STATE  SERVICE
514/udp closed syslog

Nmap done: 1 IP address (1 host up) scanned in 0.15 seconds
@monitor:~>
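An nmap run from outside shows the symptom, but a check on the router itself tells you which sockets are actually reachable from the WAN side. The script below is an added example, not something from this thread or from the rsyslog/OpenWrt projects: it parses `ss -ulnp`-style output and flags UDP listeners on a given port that are either bound to a wildcard address with no interface binding, or bound to the WAN interface. When imudp is given device="...", ss displays the interface binding as `0.0.0.0%br-lan:514` rather than a bare `0.0.0.0:514`, which is why the check looks at the `%iface` suffix rather than the address alone. The WAN interface name (`wan`), the sample ss output and the PIDs are all constructed assumptions; on a real router you would pipe `ss -ulnp` (iproute2 ss is not part of BusyBox and is a separate package on OpenWrt) into the function instead.

```shell
#!/bin/sh
# Added example (not from the original thread): report UDP listeners on a port
# that are reachable from the WAN interface, based on ss -ulnp output.

# Usage: exposed_udp_listeners WAN_IFACE PORT < ss_output
# Prints every matching listener line and returns 0 when nothing is exposed,
# 1 when at least one exposed listener was found.
# A listener counts as exposed when its local address is a wildcard
# (0.0.0.0, ::, [::], *) without a %iface binding, or when it is bound
# (via %iface) to the WAN interface itself.
exposed_udp_listeners() {
    awk -v wan="$1" -v port="$2" '
        $1 != "UNCONN" { next }              # listening UDP sockets show UNCONN; skips header
        {
            la = $4                          # "Local Address:Port" column, e.g. 0.0.0.0%lo:514
            n = match(la, /:[0-9*]+$/)       # port is everything after the last colon
            if (n == 0) next
            lport = substr(la, n + 1)
            addr  = substr(la, 1, n - 1)
            if (lport != port) next
            iface = ""
            p = index(addr, "%")             # ss shows SO_BINDTODEVICE sockets as addr%iface
            if (p > 0) {
                iface = substr(addr, p + 1)
                addr  = substr(addr, 1, p - 1)
            }
            wildcard = (addr == "0.0.0.0" || addr == "::" || addr == "[::]" || addr == "*")
            if ((wildcard && iface == "") || iface == wan) { print; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample ss -ulnp output (assumed, not captured from a router):
# rsyslog started from the UCI config, listening on 0.0.0.0 and :: .
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
UNCONN 0      0      0.0.0.0:514          0.0.0.0:*         users:(("rsyslogd",pid=1234,fd=5))
UNCONN 0      0      [::]:514             [::]:*            users:(("rsyslogd",pid=1234,fd=6))
UNCONN 0      0      127.0.0.1:53         0.0.0.0:*         users:(("dnsmasq",pid=567,fd=4))'

# Constructed sample after three imudp inputs with device="lo"/"eth1"/"br-lan":
# the address is still the wildcard, but each socket carries an interface binding.
SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
UNCONN 0      0      0.0.0.0%lo:514       0.0.0.0:*         users:(("rsyslogd",pid=1234,fd=5))
UNCONN 0      0      0.0.0.0%eth1:514     0.0.0.0:*         users:(("rsyslogd",pid=1234,fd=6))
UNCONN 0      0      0.0.0.0%br-lan:514   0.0.0.0:*         users:(("rsyslogd",pid=1234,fd=7))
UNCONN 0      0      127.0.0.1:53         0.0.0.0:*         users:(("dnsmasq",pid=567,fd=4))'

# Constructed sample of a misconfiguration: an input bound to the WAN device.
SAMPLE_WAN_BOUND='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
UNCONN 0      0      0.0.0.0%wan:514      0.0.0.0:*         users:(("rsyslogd",pid=1234,fd=5))'

WAN_IF=wan   # assumed WAN interface name; use the real one from `ip link` / UCI network config

# Stand-alone demonstration; on a router replace the printf with: ss -ulnp
echo "== before the fix =="
printf '%s\n' "$SAMPLE_BEFORE" | exposed_udp_listeners "$WAN_IF" 514 || echo "-> exposed listeners found"
echo "== after binding imudp to lo, eth1, br-lan =="
printf '%s\n' "$SAMPLE_AFTER" | exposed_udp_listeners "$WAN_IF" 514 && echo "-> nothing exposed"
echo "== input bound to the WAN device =="
printf '%s\n' "$SAMPLE_WAN_BOUND" | exposed_udp_listeners "$WAN_IF" 514 || echo "-> exposed listeners found"
```

Run it as `sh check-udp-514.sh`; the non-zero exit status of `exposed_udp_listeners` makes it usable from a cron job or a post-boot hook that alerts when a wildcard UDP 514 listener reappears, for example after a package upgrade rewrites /var/etc/rsyslog.conf. The firewall is still the primary control; this check only confirms that the rsyslog binding itself no longer depends on it.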
