[Solved] Problems Getting Remote Logging Working

Hi, OpenWRT Community!
I've been trying to get my OpenWrt device to forward logs to my Splunk Dev Licensed container instance with port 514 opened for a few hours now. I tested it working via 514/tcp with a Synology with no issues.

Now, when trying to do the same with OpenWrt, I'm not getting any logs forwarded.
Followed the following two resources:
https://openwrt.org/docs/guide-user/base-system/system_configuration
https://openwrt.org/docs/guide-user/base-system/log.essentials

Did find a few other topics going back to 2020 with little information.

Router Information:
Model: Netgear Nighthawk X4S R7800
Architecture: ARMv7 Processor rev 0 (v7l)
Target Platform: ipq806x/generic
Firmware Version: OpenWrt 23.05.0 r23497-6637af95aa / LuCI openwrt-23.05 branch git-24.006.68745-9128656
Kernel Version: 5.15.134

Appended the following to /etc/config/system:

config system
        option log_ip '192.168.1.24'
        option log_port '514'
        option log_proto 'tcp'

Appended the following to /etc/config/firewall:

config rule
        option target 'ACCEPT'
        option dest 'lan'
        option dest_port '514'
        option name 'ACCEPT-LOG-DEVICE-LAN'
        list dest_ip '192.168.1.24'
        list proto 'tcp'

In Summary, I want my OpenWrt router to forward logs via port 514/tcp for it to be indexed by either Splunk, Wazuh, ELK, etc. This way, I can create nice queries and alert myself of incidents.

I appreciate any help you can provide.

Syslog generally runs on udp port 514. You've got your rules set for tcp.

The firewall rule is not necessary unless your lan has firewall restrictions that you have added.

Make sure the host at 192.168.1.24 has a running syslog server. It will be udp unless you have changed the default on the syslog server config.

1 Like
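To check the point made above (the sender's protocol has to match what the receiving host actually listens on), here is a small added test harness; it is not from this thread or from OpenWrt. It assumes loopback and ephemeral ports, and it sends a simplified RFC 3164 line of the form `<PRI>tag: message` (the shape `logger -p err -t tag` produces), with no timestamp or hostname. `check_path` runs a UDP or TCP listener, sends one message with the chosen protocol, and reports whether the send succeeded and what the listener decoded, so a udp sender against a tcp-only listener shows as "sent but nothing received".

```python
import socket
import threading

# RFC 3164 codes; PRI = facility * 8 + severity. Only a subset of facilities is listed.
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line: bytes) -> dict:
    """Decode a '<PRI>message' line into facility, severity and message."""
    text = line.decode("utf-8", errors="replace").rstrip("\r\n")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI header: %r" % text)
    pri_str, _, msg = text[1:].partition(">")
    pri = int(pri_str)
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": FACILITY_NAMES.get(pri >> 3, str(pri >> 3)),
            "severity": SEVERITIES[pri & 7], "message": msg}


def build_syslog(facility: str, severity: str, tag: str, text: str) -> bytes:
    """Build the simplified line; LF terminator doubles as TCP framing (RFC 6587)."""
    pri = FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)
    return ("<%d>%s: %s\n" % (pri, tag, text)).encode("utf-8")


class SyslogReceiver:
    """Accepts a single datagram (udp) or a single LF-framed line (tcp), then stops."""

    def __init__(self, proto: str, host: str = "127.0.0.1", timeout: float = 1.5):
        if proto not in ("udp", "tcp"):
            raise ValueError("proto must be 'udp' or 'tcp'")
        self.proto, self.timeout, self.received = proto, timeout, []
        kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
        self.sock = socket.socket(socket.AF_INET, kind)
        self.sock.bind((host, 0))            # port 0: the OS picks a free ephemeral port
        self.sock.settimeout(timeout)
        if proto == "tcp":
            self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve_one, daemon=True)
        self._thread.start()

    def _serve_one(self):
        try:
            if self.proto == "udp":
                data, _ = self.sock.recvfrom(4096)
            else:
                conn, _ = self.sock.accept()
                with conn:
                    conn.settimeout(self.timeout)
                    data = b""
                    while not data.endswith(b"\n"):  # read until the LF frame delimiter
                        chunk = conn.recv(4096)
                        if not chunk:
                            break
                        data += chunk
            self.received.append(parse_syslog(data))
        except (socket.timeout, ValueError):
            pass                             # nothing (parseable) arrived before timeout
        finally:
            self.sock.close()

    def wait(self) -> list:
        self._thread.join(self.timeout + 1)
        return list(self.received)


def send_syslog(proto: str, host: str, port: int, line: bytes) -> bool:
    """Send one line; returns False if the OS refused the send (e.g. no TCP listener)."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(1.5)
            if proto == "udp":
                s.sendto(line, (host, port))
            else:
                s.connect((host, port))
                s.sendall(line)
        return True
    except OSError:
        return False


def check_path(sender_proto: str, listener_proto: str) -> dict:
    """Start a listener, send one message with sender_proto, report what got through."""
    rx = SyslogReceiver(listener_proto)
    line = build_syslog("user", "err", "openwrt_splunk", "test message")  # constructed
    sent = send_syslog(sender_proto, "127.0.0.1", rx.port, line)
    return {"sent": sent, "received": rx.wait()}


if __name__ == "__main__":
    for combo in (("udp", "udp"), ("tcp", "tcp"), ("udp", "tcp"), ("tcp", "udp")):
        print(combo, check_path(*combo))
```

The mismatched cases are the instructive ones: udp into a tcp-only port is silently lost (the datagram leaves, nothing listens), while tcp into a udp-only port fails at connect. Against a real host, the same check is `tcpdump -ni any port 514` on the receiver while running `logger` on the router, which tells you immediately whether packets arrive and with which protocol.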

Hi @psherman ! Thanks for the quick reply.
I will go ahead and set up the data input to be received on 514/udp instead of tcp for testing purposes and go ahead and set up a dedicated syslog-ng for testing purposes.

But syslog generally does work on tcp to encrypt traffic especially for digesting to a cloud SIEM for example.

Could it be that OpenWrt requires additional configuration or dependencies to have tcp enabled ?

Noticed that 6514 might be used for tcp encrypted connections but let me first do as you suggested to have a regular syslog server receiving on udp 514 to make sure there are no issues with the OpenWrt device. Will get back with additional information.

Sure, syslog can be configured to use TCP.... but by default will use udp.

Maybe... honestly, I don't know -- I use syslog via udp.

If you're adding encryption to the mix, that would almost certainly require other changes to OpenWrt's default logging method.

Given that you're working on a local network (based on the RFC1918 address of your syslog server), there usually isn't a need to use TCP or encryption.

Thanks, @psherman, it's working when setting the data inputs on Splunk with 514/udp.

Note that I had to configure the docker-compose.yml with - 514:514/udp and make sure to create a firewall-cmd rich rule for 514/udp as well on the rhel box I'm using.

The main reason for setting up TCP is to have a DR (Disaster Recovery) just in case anything happens for it to be automatically forwarded to Splunk Cloud as a fail back and we don't want that to be unencrypted coming out of the OpenWRT device if that were to happen.

I'll go ahead and now test with TCP on port 6514 and update with any findings.

Great!

Makes sense. The documentation suggests that OpenWrt supports TCP syslog out of the box, but I've never tried it.

As far as encryption -- my guess (and I could be wrong) is that this is not supported by OpenWrt as standard. You may have to install some packages and/or build from source so you can enable any relevant options.

Anyway, we now know that your general syslog is working as expected via UDP... if you want to hold this thread open for a resolution on TCP and/or encryption, feel free to do so. But...

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

3 Likes

Sounds Good! Tested manually logging and all perfect via udp. Super grateful for all the help!

logger -p err -t openwrt_splunk "Thanks Peter!"

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.