How do I capture syslog data sent to a specific port - linux

I have a firewall that sends the data to our remote Linux server on the specific port. I would like to capture that data and parse it to store in DB.
So far I have tried tcpdump, nc and few others without much success. Any help is appreciated.
tcpdump -ni device port 1234 -s0 -w capture.pcap
ÿÿEH¶#0c:EJ"#Ϲ r¢"ó<30>device="SFW" date=2018-06-15 time=04:10:49
timezone="EDT" device_name="XG210" device_id=C2205ACMBG9B65A
log_id=010101600001 log_type="Firewall" log_component="Firewall Rule"
log_subtype="Allowed" status="Allow" priority=Information duration=0
fw_rule_id=2 policy_type=1 user_name="" user_gp="" iap=4
ips_policy_id=0 appfilter_policy_id=0 application=""
application_risk=0 application_technology="" application_category=""
in_interface="Port1" out_interface="" src_mac=00: 0:00: 0:00: 0
src_ip=111.11.1.111 src_country_code=R1 dst_ip=111.111.11.11
dst_country_code=USA protocol="TCP" src_port=61257 dst_port=80
sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=
tran_src_port=0 tran_dst_ip=111.16.1.1 tran_dst_port=3128
srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN"
dir_disp="" connevent="Start" connid="2721376288" vconnid=""
hb_health="No Heartbeat" message="" appresolvedby="Signature"

We have started using https://www.graylog.org. It was easy to configure on DigitalOcean hosting.
Steps:
Configure your firewall etc to send the data to your graylog on certain port
Configure graylog to listen to that particular port
Then you will see the data in graylog
Hope this helps.

Related

Linux command to send data to a remote tcp-client

I have a Linux Server running Redhat Rhel 7 and a Device called "Compoint Lan System (Colas)" (german manufacturer). The Colas has its own firmware so I don't know if it's based on linux. The Colas is set as a TCP-Client. It receives messages from its serial 1 port. I get the messages coming from the serial port 1 of the colas on my server with rsyslog.
Now what I want is to send a string (2 letters) from my server (tcp-server) to my colas's serial port 1 (tcp-client) to get information of the device attached to serial port 1.
Is there a command in linux to accomplish that? Something like "command 'string message' destination port"? I am sorry if it isn't written well.
Install netcat
yum install nc
Make it to listen to a particular port number
nc –l portnumber &
Lets validate it using netstat from a different console:
netstat -anlp |grep yourportnumber
PS: Change the installation command based on your linux flavor.
Ranadip Dutta's answer meets your requirement. The listen there doesn't mean listen for incoming data, it rather means listen for connection request from client. Of course you can't use rsyslog and nc as the server at the same time, but with nc you get the messages coming from the Colas displayed as well as the characters you enter sent.

Linux port blocked - This site can't be reached, refused to connect

I set my linux as an access point, and then run simple web-server that print "hello world" at port 3000.
and connect it with my smart phone successfully.
in linux terminal, http://localhost:3000 works well.
But in smart phone,
If I access to http://172.24.1.105:3000, can't connect to it. (172.24... is ap's ip)
the chrome's error message is
This site can't be reached. 172.24.1.105 refused to connect
I searched Google (https://serverfault.com/questions/725262/what-causes-the-connection-refused-message) and I suspicious linux's firewall.
pi#raspberrypi:~/prj/ap_server $ sudo tcpdump -n icmp
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
... when I access to port 3000,
15:07:13.102750 IP 192.168.0.3 > 168.126.63.2: ICMP 192.168.0.3 udp port 42531 unreachable, length 386
the log is above. so I couldn't reach ap's webserver.
so I wonder two things...
1. How can I disable to its port block?
2. in tcpdump log, I access to port 3000 actually, why the log print port 42531?
Plus)
even I type sudo service iptables stop, the problem is not solved
sudo netstat -ntlp | grep 3000 logs:
**tcp6 0 0 :::3000 :::* LISTEN 1999/nodejs**
+I followed this tutorial-> https://frillip.com/using-your-raspberry-pi-3-as-a-wifi-access-point-with-hostapd/ .
and there is ipv4 setting.
If you want to run it on your mobile it will work on Live IP (externel) address
if it is working fine on local address (localhost) and not on live IP then
enable routing from your router
and allow that specific port it will work fine.
I found the issue.
my dhcp set was
interface=wlan0 # Use interface wlan0
listen-address=172.24.1.1 # Explicitly specify the address to listen on
bind-interfaces # Bind to the interface to make sure we aren't sending things elsewhere
server=8.8.8.8 # Forward DNS requests to Google DNS
domain-needed # Don't forward short names
bogus-priv # Never forward addresses in the non-routed address spaces.
dhcp-range=172.24.1.50,172.24.1.150,12h # Assign IP addresses between 172.24.1.50 and 172.24.1.150 with a 12 hour lease time
like above.
I tried to connect the external ip(172.24.1.105) that I can see on mobile continuously but got failed. but when I tried with 172.24.1.1, then success.
I don't know why. maybe there is accurate ip address and something in mobile is temporal.
See similar topic at Node JS not listening to port 1337 on server
Your web server is not listening remote address.

retrieve IP address of client in logstash

I am new to ELK stack and sending the application log file to logstash server via tcp input method using the below command
cat test.log | nc server port
Please let me know how can i retrieve the ip address of the client machine as field in logstash configuration file.
Did you try adding the host IP when sending the message?

How can I find where node.js is running?

I have a VPS with node.js installed, I already uploaded a basic example to test it on the server, so I tried doing this:
I access by SSH, navigate to my project folder and run
node app.js
I get this message
Express server listening on port 8080
I thought i could see my app here
example.com:8080 or server.example:8080... but nothing. Then I tried with the info from os.networkInterfaces(); and os.host(); and still nothing happen
could you help me out? as you can see I am a total noob on node.js. What I'm doing wrong? or what should I do before running my app? Something related to DNS's? i have no idea
How do you ssh to your host? with ip or name? Is it something like:
ssh root#example.com
if so then at least you know your DNS is ok.
Once on the server do a
netstat -a
if you find *:8080 then your server is listening in the default ip. If you see something like 12.23.45.67:8080 then this number is the ip your server is listening.
ifconfig
will give you the servers ip. This should be the same as the ip of example.com. If not then maybe there is some router/firewall in front of your server and you have to configure that to allow port 8080 to reach your server.
if someone ever has the same problem this is how i solved on CentOS:
Open this file
/ Etc / csf / csf.conf
Add the required port
Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,26"
Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,37,43,53,80,110,113,443,587,873"
Restart
# # Csf-r

Trouble connecting the cassandra database via remote access through JAVA

I have started the Cassandra server, before that I have changed "rpc_address" in cassandra.yaml.I can access the cassandra from the same machine but I could not access the cassandra from remote machine through Java application using Hector Client. Please help me, Thanks in advance.
I could ping the machine. But I could not access the machine using telnet in windows. The servers is linux machine. Do you have any idea ?
Your firewall is blocking off the telnet port and probably the rest of the ports cassandra needs. You need to add an exception telling the firewall to open port 9160 (the client port). 9160 is the only port you really need to have open unless you want remote jmx management etc.
To add an exception to your linux firewall:
iptables -I INPUT -p tcp --dport 9160 --syn -j ACCEPT
And if you want to save the state:
service iptables save

Resources