CentOS 8 rsyslog / YAMAHA RTX1210 integration

The logs of a YAMAHA RTX1210 are collected with rsyslog on CentOS 8. rsyslog has a rich feature set; this page only covers the minimum needed to confirm that the router's logs are being received and written to files.

CentOS side

Editing rsyslog.conf: uncomment the module and input lines. The RTX1210 sends syslog over UDP/514, so the imudp pair is the one that matters; the imtcp listener is only needed if other senders use TCP.

vi /etc/rsyslog.conf
# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
module(load="imudp") # needs to be done just once
input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

Editing rsyslog.conf: one log file per sending host IP address, per month

Files are saved as <IP address>/<IP address>_YYYYMM.log

$template logFileName,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$year%%$month%.log"
*.*        -?logFileName

Because the selector is *.*, every message rsyslog handles is written under /var/log/syslog/<sender IP>/, including the server's own local messages (those appear under 127.0.0.1). The UDP input is unauthenticated, so any host that can reach port 514 can also create a directory there; on anything but a small trusted LAN, restrict this rule to the router's address. The leading "-" only means the file is not synced after every write.

Restart rsyslog (on CentOS 8, allow 514/udp through firewalld first, otherwise the datagrams are dropped before rsyslog ever sees them)

# systemctl restart rsyslog
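As an added example, not code from the original page, the same receiver set-up as a single drop-in file under /etc/rsyslog.d/ written by a shell script, with three changes over the in-place edit above: the listener is bound to one address, only messages from the router's address reach the per-IP/per-month file (a stray or spoofed UDP sender cannot create directories), and the firewalld port is opened after a syntax check. The addresses 192.168.1.1 (rsyslog server) and 192.168.1.100 (router, as in the directory listing below), the drop-in path and the function names are assumptions, as is the stock CentOS 8 rsyslog.conf that includes /etc/rsyslog.d/*.conf.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: a drop-in rsyslog receiver for the
# RTX1210 plus the host-side checks. Assumed values: LISTEN_IP is the rsyslog
# server's LAN address, RTX_IP the router (192.168.1.100 as in the page's
# directory listing), and the stock CentOS 8 rsyslog.conf includes
# /etc/rsyslog.d/*.conf.
set -eu

LISTEN_IP="${LISTEN_IP:-192.168.1.1}"
RTX_IP="${RTX_IP:-192.168.1.100}"
DROPIN="${DROPIN:-/etc/rsyslog.d/rtx1210.conf}"

# Write the receiver config to the given path. Differences from the page's
# rsyslog.conf edit: UDP only (the router sends UDP/514), the listener is bound
# to one address, and only messages from RTX_IP reach the per-IP/per-month file.
write_rtx_rsyslog_conf() {
    local out="$1"
    cat > "$out" <<EOF
# RTX1210 syslog receiver (generated)
module(load="imudp")
input(type="imudp" port="514" address="${LISTEN_IP}" ruleset="rtx1210")

# <IP>/<IP>_YYYYMM.log, the layout used on the page
template(name="rtxLogFile" type="string"
         string="/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%\$year%%\$month%.log")

# A dedicated ruleset: stray or spoofed UDP senders cannot create
# directories here, and local messages never land under a per-IP path.
ruleset(name="rtx1210") {
    if \$fromhost-ip == "${RTX_IP}" then {
        action(type="omfile" dynaFile="rtxLogFile"
               dirCreateMode="0750" fileCreateMode="0640")
    }
    stop
}
EOF
}

# Root-only steps on the real server: syntax check before restarting, then
# open the port, which firewalld's default public zone does not allow.
apply_rtx_rsyslog_conf() {
    write_rtx_rsyslog_conf "$DROPIN"
    rsyslogd -N1                      # parse rsyslog.conf and the drop-ins
    firewall-cmd --permanent --add-port=514/udp
    firewall-cmd --reload
    systemctl restart rsyslog
}

# "./rtx-rsyslog.sh apply" performs the steps on the server; with no argument
# the script only defines the functions (e.g. for sourcing or for writing the
# file somewhere else to inspect it).
if [ "${1:-}" = "apply" ]; then
    apply_rtx_rsyslog_conf
fi
```

After applying, a message from the router should appear under /var/log/syslog/192.168.1.100/ within a few seconds; a message sent from any other address is dropped by the ruleset rather than creating a new directory.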

RTX1210 side

syslog host <rsyslog server IP address>
syslog notice off
syslog debug off
save

Check that log files are being generated

# pwd
/var/log/syslog/192.168.1.100

# ls
192.168.1.100_202106.log

Watching an L2TP/IPsec VPN connection and disconnection made to the RTX1210 from outside

Connection
Jun 29 13:58:18 _gateway  [IKE] respond ISAKMP phase to ***.***.***.***
Jun 29 13:58:18 _gateway  [IKE] respond IPsec phase to ***.***.***.***
Jun 29 13:58:18 IP Tunnel[22] Up
Jun 29 13:58:18 _gateway  [L2TP] TUNNEL[22] connected from ***.***.***.***
Jun 29 13:58:18 _gateway  [L2TP] TUNNEL[22] tunnel 60781 established
Jun 29 13:58:18 _gateway  [L2TP] TUNNEL[22] session 49871 established
Jun 29 13:58:18 _gateway PP[ANONYMOUS04] Call detected from user '<VPN user account>'
Jun 29 13:58:18 _gateway PP[ANONYMOUS04] PPP/IPCP up  (Local: 192.168.1.100, Remote: 192.168.1.104)
Disconnection
Jun 29 14:00:16 _gateway  [L2TP] TUNNEL[22] disconnect session 49871 complete
Jun 29 14:00:16 _gateway  [L2TP] TUNNEL[22] disconnecting tunnel 60781
Jun 29 14:00:16 _gateway  [L2TP] TUNNEL[22] disconnect tunnel 60781 complete
Jun 29 14:00:16 IP Tunnel[22] Down
Jun 29 14:00:16 _gateway  [IKE] initiat

Extra: condensing a month's VPN events into one short line each (00 = session established, 01 = user call detected, 02 = disconnect complete)

# Keep only the session and login lines, then shorten them to fixed tokens:
#   00 = session established, 01 = call detected (user login), 02 = disconnect complete
grep -E 'Call detected|session' /var/log/syslog/192.168.1.100/192.168.1.100_202107.log \
| sed -e 's/_gateway//g' \
      -e 's/PP\[ANONYMOUS[0-9][0-9]\] Call detected from user/VPN_USR/g' \
      -e 's/ \[L2TP\] TUNNEL//g' \
      -e 's/disconnect session/DISCONN/g' \
      -e 's/session/CONNECT/g' \
      -e 's/established/00/g' \
      -e 's/complete/02/' \
      -e 's/  */ /g' \
      -e "s/'\$/' 01/g"
# "disconnect session" must be rewritten before the plain "session" rule,
# and the space-squeeze collapses the gaps left by the removed tokens.
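The log extract above and the sed chain both come down to correlating the L2TP lines that belong to one tunnel. As an added example, not from the original page, here is an awk-based summariser that does that correlation explicitly instead of token by token: for each TUNNEL[n] it pairs "connected from" (remote address), "session N established" (up time), the following PP "Call detected" line (user name, attributed to the newest tunnel, which is a heuristic since that line carries no tunnel index) and "disconnect session N complete" (down time), and prints one pipe-separated record per session, listing sessions still up at the end of the file. The sample lines are constructed in the page's format; the addresses, user names and the function name are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Correlates the RTX1210 L2TP lines
# of one tunnel into a single session record. The log lines below are
# constructed in the page's format; addresses and user names are placeholders.
set -eu

SAMPLE_LOG=$(cat <<'EOF'
Jun 29 13:58:18 _gateway  [IKE] respond ISAKMP phase to 203.0.113.5
Jun 29 13:58:18 _gateway  [IKE] respond IPsec phase to 203.0.113.5
Jun 29 13:58:18 IP Tunnel[22] Up
Jun 29 13:58:18 _gateway  [L2TP] TUNNEL[22] connected from 203.0.113.5
Jun 29 13:58:18 _gateway  [L2TP] TUNNEL[22] tunnel 60781 established
Jun 29 13:58:18 _gateway  [L2TP] TUNNEL[22] session 49871 established
Jun 29 13:58:18 _gateway PP[ANONYMOUS04] Call detected from user 'alice'
Jun 29 13:58:18 _gateway PP[ANONYMOUS04] PPP/IPCP up  (Local: 192.168.1.100, Remote: 192.168.1.104)
Jun 29 14:00:16 _gateway  [L2TP] TUNNEL[22] disconnect session 49871 complete
Jun 29 14:00:16 _gateway  [L2TP] TUNNEL[22] disconnecting tunnel 60781
Jun 29 14:00:16 _gateway  [L2TP] TUNNEL[22] disconnect tunnel 60781 complete
Jun 29 14:00:16 IP Tunnel[22] Down
Jun 29 14:05:02 _gateway  [L2TP] TUNNEL[23] connected from 198.51.100.7
Jun 29 14:05:02 _gateway  [L2TP] TUNNEL[23] session 51200 established
Jun 29 14:05:02 _gateway PP[ANONYMOUS05] Call detected from user 'bob'
EOF
)

# Read RTX1210 syslog lines on stdin; print one record per L2TP session:
#   session_id|tunnel|user|remote_ip|up_time|down_time
vpn_sessions() {
    awk '
    function tunnel_idx(s) {                 # "TUNNEL[22]" -> "22"
        match(s, /TUNNEL\[[0-9]+\]/)
        return substr(s, RSTART + 7, RLENGTH - 8)
    }
    function stamp() { return $1 " " $2 " " $3 }   # "Jun 29 13:58:18"
    /\[L2TP\] TUNNEL\[[0-9]+\] connected from/ {
        t = tunnel_idx($0); remote[t] = $NF; order[n++] = t; next
    }
    /\[L2TP\] TUNNEL\[[0-9]+\] session [0-9]+ established/ {
        t = tunnel_idx($0); sess[t] = $8; up[t] = stamp(); last = t; next
    }
    /Call detected from user/ {
        u = substr($NF, 2, length($NF) - 2)  # strip the quotes around the name
        if (last != "") user[last] = u       # heuristic: newest tunnel owns it
        next
    }
    /\[L2TP\] TUNNEL\[[0-9]+\] disconnect session [0-9]+ complete/ {
        t = tunnel_idx($0)
        print sess[t] "|" t "|" user[t] "|" remote[t] "|" up[t] "|" stamp()
        delete sess[t]; next
    }
    END {                                    # sessions still up at end of log
        for (i = 0; i < n; i++) {
            t = order[i]
            if (t in sess) {
                print sess[t] "|" t "|" user[t] "|" remote[t] "|" up[t] "|(still up)"
                delete sess[t]
            }
        }
    }'
}

# Stand-alone run over the sample; on the server use e.g.
#   vpn_sessions < /var/log/syslog/192.168.1.100/192.168.1.100_202106.log
printf '%s\n' "$SAMPLE_LOG" | vpn_sessions
```

The record for tunnel 22 carries the connect and disconnect times from two separate lines, which is what the sed version cannot express: it only abbreviates each line in isolation. A session with no matching disconnect by the end of the month is reported as still up, which is the case worth a second look in a monthly review.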
