

I have a standard install of honeyd from Ubuntu repositories.
Honeyd is saving logs in two files:
/var/log/honeyd/honeyd.log
/var/log/honeyd/daemon.log
I have been trying to set up rsyslog to forward all logs from honeyd.log to a remote server and it is proving impossible.
My /etc/rsyslog.d/50-default.conf looks like this:

$ModLoad imfile
$InputFileName /var/log/honeypot/honeyd.log
$InputFileTag honeyd
$InputFileStateFile stat-honeyd
$InputFileSeverity debug
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
local7.* @@remoteserver:514
*.* @remoteserver

On my remote server I have created /var/rsyslog.d/honeyd.conf as so:

if $programname contains 'honeyd' then /var/log/honeyd.log
& ~

With this setup I get all the daemon logs for honeyd on the remote server (honeyd start stop) and arp reply packages for first time communication with a honeyd honeypot. However, logs from honeyd.log are not forwarded.
I have tried with UDP/TCP, making sure syslog has access to honeyd.log by adding the syslog user to the honeyd group, but I just can't get it to work.
TCPdump confirms that logs from honeyd.log are not being sent.

honeyd.log entries look like this:

2013-07-10-16:31:07.5939 icmp(1) - sourceip destip: 8(0): 84
2013-07-10-16:31:08.5951 icmp(1) - sourceip destip: 8(0): 84

Does anyone know what I am missing? Thanks for any help in advance.

user2284355
    Question belongs to Ask Ubuntu or SU imo, but don't see the need for down votes. – Rohan Jul 10 '13 at 16:58
  • @RohanDurve-Decode141 - Well I didn't feel there's any need for it either, but the downvotes on questions are removed on migration to other [SE] website, so I don't see it as a problem either. If the question gathered enough downvotes to not be listed on the front page, it would make room there for another question that is on topic. ;) – TildalWave Jul 10 '13 at 18:04
  • @TildalWave I see, right of course, wouldn't want to get into the way of that mechanic. ^_^" – Rohan Jul 10 '13 at 18:14

1 Answer


I think your problem is here:

local7.* @@remoteserver:514
*.* @remoteserver

You're sending anything tagged with the local7 helper through TCP using the @@ designation. Below that you're sending ALL data via UDP. My guess would be that if you commented out the first command you would be fine since everything else seems to be getting there fine via UDP.

Rick Chatham
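To make the forwarding chain concrete, the following is an added Python model (not rsyslog or honeyd code) of what imfile emits for a honeyd.log line under the question's $InputFile* settings and how the remote `if $programname contains 'honeyd'` rule then sees it, including a non-honeyd message that falls through to the default rules; the hostname 'honeypot', the sample line and the timestamp handling are constructed assumptions.

```python
import re
from datetime import datetime

# Syslog facility/severity codes (RFC 3164) for the values used in the question
FACILITY = {"local7": 23}
SEVERITY = {"debug": 7}

# Constructed sample line in the format the question shows for honeyd.log
SAMPLE_LINE = "2013-07-10-16:31:07.5939 icmp(1) - sourceip destip: 8(0): 84"

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>\w+)\((?P<proto_num>\d+)\) - "
                     r"(?P<src>\S+) (?P<dst>\S+): (?P<detail>.*)$")
# "<PRI>Mmm dd hh:mm:ss HOST TAG" header of a BSD-style syslog message
HEADER_RE = re.compile(r"^<\d+>\w{3} +\d+ \d\d:\d\d:\d\d \S+ (\S+)")

def parse_honeyd_line(line):
    """Split one honeyd.log line into its fields; None if the format differs."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def calc_pri(facility, severity):
    """Syslog PRI value: facility * 8 + severity (local7/debug -> 191)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]

def imfile_wrap(line, tag="honeyd", facility="local7", severity="debug",
                host="honeypot"):
    """Message imfile emits for one file line with the question's settings.
    rsyslog stamps the message with the time it read the line; the line's own
    timestamp is reused here so the output is deterministic (assumption)."""
    rec = parse_honeyd_line(line)
    if rec is None:
        raise ValueError(f"unexpected honeyd.log line: {line!r}")
    ts = datetime.strptime(rec["ts"].split(".")[0], "%Y-%m-%d-%H:%M:%S")
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{calc_pri(facility, severity)}>{stamp} {host} {tag}: {line}"

def programname(msg):
    """rsyslog's $programname: the TAG with any '[pid]' and ':' stripped."""
    m = HEADER_RE.match(msg)
    return re.sub(r"(\[\d+\])?:?$", "", m.group(1)) if m else ""

def remote_route(msg):
    """The remote honeyd.conf: matching messages go to the file and '& ~'
    then discards them; anything else falls through to the default rules."""
    return "/var/log/honeyd.log" if "honeyd" in programname(msg) else None
```

imfile only emits lines from the file named in $InputFileName, so a first check is that this path is the one honeyd actually writes to and that the tag set there is what the remote $programname test looks for.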