Categories
Admin Perl

Counting active leases on an old ISC DHCP server

Intro
Checkpoint Gaia offers a DHCP service, but it is based on a crude and old dhcp daemon implementation from ISC. It doesn't give you much: mostly just the file /var/lib/dhcpd/dhcpd.leases, which it constantly updates. A typical dhcp client entry looks like this:

 
lease 10.24.69.22 {
  starts 5 2018/11/16 22:32:59;
  ends 6 2018/11/17 06:32:59;
  binding state active;
  next binding state free;
  hardware ethernet 30:d9:d9:20:ca:4f;
  uid "\0010\331\331 \312O";
  client-hostname "KeNoiPhone";
}


The details

So I modified a perl script to take all those lines and make sense of them. I called it lease-examine.pl. Here it is:

#!/usr/bin/perl
# from https://askubuntu.com/questions/219609/how-do-i-show-active-dhcp-leases - DrJ 11/15/18

use strict;
use warnings;
use Date::Parse;

my $VERSION = 0.03;

##my $leases_file = "/var/lib/dhcpd/dhcpd.leases";
my $leases_file = "/tmp/dhcpd.leases";   # the copy fetched by dhcp-check.sh

my $now = time;
# 12:22 PM 11/15/18 EST
#my $now = "1542302555";
my %seen;       # leases file has dupes (because logging failover stuff?). This hash will get rid of them.

open(my $lh, '<', $leases_file) or die "Cant open $leases_file : $!\n";
undef $/;                # slurp the whole file at once
my @records = split /^lease\s+([\d\.]+)\s*\{/m, <$lh>;
close $lh;
shift @records; # remove stuff before first "lease" block

## process 2 array elements at a time: ip and data
foreach my $i (0 .. $#records) {
    next if $i % 2;
    (my $ip, $_) = @records[$i, $i+1];

    s/^\n+//;     # && warn "leading spaces removed\n";
    s/[\s\}]+$//; # && warn "trailing junk removed\n";

    my ($s) = /^\s* starts \s+ \d+ \s+ (.*?);/xm;
    my ($e) = /^\s* ends   \s+ \d+ \s+ (.*?);/xm;

    # dhcpd writes lease times in UTC; "ends never" has no timestamp, so guard against undef
    my $start = defined $s ? str2time($s, 'UTC') : 0;
    my $end   = defined $e ? str2time($e, 'UTC') : 0;

    my %h; # to hold values we want

    foreach my $rx ('binding', 'hardware', 'client-hostname') {
        my ($val) = /^\s*$rx.*?(\S+);/sm;
        $h{$rx} = defined $val ? $val : '';   # e.g. a lease without client-hostname
    }

    my $formatted_output;

    if ($end && $end < $now) {
        $formatted_output =
            sprintf "%-15s : %-26s " . "%19s " . "%9s " . "%24s    " . "%24s\n",
                    $ip, $h{'client-hostname'}, "", $h{binding}, "expired", scalar(localtime $end);
    }
    else {
        $formatted_output =
            sprintf "%-15s : %-26s " . "%19s " . "%9s " . "%24s -- " . "%24s\n",
                    $ip, $h{'client-hostname'}, "($h{hardware})", $h{binding}, scalar(localtime $start), scalar(localtime $end);
    }

    next if $seen{$formatted_output};
    $seen{$formatted_output}++;
    print $formatted_output;
}

Even that script produces a thicket of confusing information. So then I further process it. I call this script dhcp-check.sh:

#!/bin/sh
# DrJ 11/15/18
# bring over current dhcp lease file from firewall FW-1
date
echo fetching lease file dhcpd.leases
scp admin@FW-1:/var/lib/dhcpd/dhcpd.leases /tmp
# analyze it. this should show us active leases
echo analyze dhcpd.leases
DIR=`dirname $0`
$DIR/lease-examine.pl|grep active|grep -v expired > /tmp/intermed-results
# intermed-results looks like:
#10.24.76.124   : "android-7fe22a415ce21c55" (50:92:b9:b8:92:a0)    active Thu Nov 15 11:32:13 2018 -- Thu Nov 15 15:32:13 2018
#10.24.76.197   : "android-283a4cb47edf3b8c" (98:39:8e:a6:4f:15)    active Thu Nov 15 11:37:23 2018 -- Thu Nov 15 15:32:14 2018
#10.24.70.236   : "other-Phone"            (38:25:6b:79:31:60)    active Thu Nov 15 11:32:24 2018 -- Thu Nov 15 15:32:24 2018
#10.24.74.133   : "iPhone-de-Lucia"          (34:08:bc:51:0b:ae)    active Thu Nov 15 07:32:26 2018 -- Thu Nov 15 15:32:26 2018
#exit
# further processing. remove the many duplicate lines
echo count active leases
awk '{print $1}' /tmp/intermed-results|sort -u|wc -l > /tmp/dhcp-active-count
echo count is `cat /tmp/dhcp-active-count`

And that script gives me what I believe is an accurate count of the active leases. I run it every 10 minutes from SiteScope and voila, we have a way to make sure we're not coming close to running out of IP addresses.
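One thing the grep/sort -u pipeline above cannot tell apart is a lease that was active and was later released: dhcpd only ever appends to dhcpd.leases, so the same IP can carry an older "active" record followed by a newer "free" one, and the old line still matches grep. This added Python example (not the post's scripts) parses the record format shown at the top of the post, keeps only the last record written for each IP, and counts those that are active and not yet expired; the lease data is constructed.

```python
"""Count active, unexpired ISC dhcpd leases, last record per IP wins (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample in the dhcpd.leases format: 10.24.69.22 appears twice
# because dhcpd appended a second record when the client released the lease.
SAMPLE_LEASES = """\
lease 10.24.69.22 {
  starts 5 2018/11/16 22:32:59;
  ends 6 2018/11/17 06:32:59;
  binding state active;
  next binding state free;
  hardware ethernet 30:d9:d9:20:ca:4f;
  client-hostname "KeNoiPhone";
}
lease 10.24.69.22 {
  starts 5 2018/11/16 22:32:59;
  ends 5 2018/11/16 23:10:00;
  binding state free;
  hardware ethernet 30:d9:d9:20:ca:4f;
}
lease 10.24.69.23 {
  starts 5 2018/11/16 22:40:00;
  ends 6 2018/11/17 06:40:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-1";
}
lease 10.24.69.24 {
  starts 4 2018/11/15 10:00:00;
  ends 4 2018/11/15 18:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:11:22:33:44:66;
}
"""

# One lease block: "lease <ip> {" up to the closing brace on its own line
LEASE_RE = re.compile(r'^lease\s+([\d.]+)\s*\{(.*?)^\}', re.M | re.S)
FIELD_RES = {
    "starts":   re.compile(r'^\s*starts\s+\d+\s+([\d/]+ [\d:]+);', re.M),
    # "ends never;" is legal too; then group(1) is None
    "ends":     re.compile(r'^\s*ends\s+(?:\d+\s+([\d/]+ [\d:]+)|never);', re.M),
    "binding":  re.compile(r'^\s*binding state (\S+);', re.M),
    "hardware": re.compile(r'^\s*hardware ethernet (\S+);', re.M),
    "hostname": re.compile(r'^\s*client-hostname "([^"]*)";', re.M),
}

def parse_time(s):
    # dhcpd writes lease times in UTC, weekday number already stripped by the regex
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_leases(text):
    """Return {ip: fields}, keeping only the last record written for each IP."""
    leases = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        rec = {"ip": ip}
        for name, rx in FIELD_RES.items():
            fm = rx.search(body)
            rec[name] = fm.group(1) if fm else None
        leases[ip] = rec          # a later record supersedes an earlier one
    return leases

def active_leases(text, now):
    """Leases whose latest record is 'active' and has not expired at `now`."""
    out = []
    for rec in parse_leases(text).values():
        if rec["binding"] != "active":
            continue
        if rec["ends"] is not None and parse_time(rec["ends"]) < now:
            continue                # expired, even though still marked active
        out.append(rec)
    return sorted(out, key=lambda r: r["ip"])

if __name__ == "__main__":
    now = parse_time("2018/11/17 00:00:00")   # fixed "now" so the sample is reproducible
    for r in active_leases(SAMPLE_LEASES, now):
        print(f'{r["ip"]:<15} {r["hostname"] or "":<20} {r["hardware"]} until {r["ends"]}')
    print("active count:", len(active_leases(SAMPLE_LEASES, now)))
```

With the sample, only 10.24.69.23 is counted: 10.24.69.22 was released and 10.24.69.24 has expired, whereas a plain grep for "active" would have counted all three.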

Categories
Web Site Technologies

The IT Detective Agency: Cisco Jabber Carriage Return problem fixed

Intro
Cisco Jabber is a pretty good IM application. I’ve seen how it is a true productivity enhancer. But not so much when it doesn’t work right.

The symptoms
I hadn't rebooted for awhile. I had a bunch of open conversations. Then all of a sudden, I could no longer send additional Jabbers (IMs, messages, or whatever you call them). I would type my message, hit ENTER (<CR>), and that action would just send the cursor to the beginning of a new line below the one I had typed in my message box, like a typewriter. I soon realized that I had no way to SEND what I was typing, because you use ENTER to do that!

A quick Internet search revealed nothing (hence this article). So I restarted Jabber and that got things working again, but of course I lost all my conversations.

As this happened again, I looked more closely. I eventually noticed this security pop-up was associated with this ENTER problem:

Being a security-minded person I kept clicking No to this pop-up.

Then I noticed the correlation. As soon as I clicked No on that pop-up, my <CR>s began to work as expected. After a few minutes they stop working again, I hunt for the pop-up, and click No again. And it goes on like this all day.

Hint on finding the pop-up
Jabber has a main narrow window which contains all the contacts and other links, and the conversation window. Highlight the main narrow window and the pop-up will appear (if there is one). Otherwise it can be hard to find.

Why is there a security alert?
Being a sort of certificate expert, I felt obliged to delve into the certificate itself to help whoever may try to solve this. I captured the certificate and found that it is a self-signed certificate! No wonder it's not accepted. So our Unified Communications vendor, in their infinite wisdom, used self-signed certificates for some of this infrastructure. Bad idea.

I suppose I could accept it, but I’d prefer they fix this. I don’t want end users becoming comfortable overriding security pop-ups.

Conclusion
The sudden inability to use ENTER within Cisco Jabber is explained and a corrective action is outlined.

Case closed!

Categories
Scams Spam

Latest spear phishing: your password plus extortion

Intro
Three users that I know at a certain company have all received spear phishing emails worded very much like this one:

Spear Phishing shows you your password and extorts you

The details
I don’t really have many more details. One user described it to me as follows. He got this email at work. It displayed to him a password which he uses for some of his personal accounts and maybe for a few work-related logins. He said the wording was very similar to the one I showed in the above screenshot.

This one comes from IP 40.92.6.45, which is a legitimate Microsoft-owned IP. So it has an air of legitimacy to traditional spam filters.

I think all the users are reluctant to pursue the normal methods of reporting phishing, which involve sending the entire email to some unknown group of analysts, because the email does in fact contain a legitimate password of theirs. This makes it that much harder for an incident response team to kick into gear and start a detailed analysis.

I mentioned three users – those are just the ones brought to my attention, and I’m not even in the business any more. So by extrapolation, this has probably occurred to many more users at just this one company. It’s disturbing…

November update
Another one came in to a different user. I have the text of this one and have only changed the recipient information.

From: [email protected] <[email protected]>
Sent: Thursday, November 29, 2018 11:55 AM
To: Dr J <[email protected]>
Subject: [email protected] has been hacked! Change your password immediately!
 
Hello!
 
I have very bad news for you.
03/08/2018 - on this day I hacked your OS and got full access to your account [email protected] On this day your account [email protected] has password: drj1234
 
So, you can change the password, yes.. But my malware intercepts it every time.
 
How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.
 
After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).
 
A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I'm talk you about sites for adults.
 
I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!
 
And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!
 
I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $709 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!
 
Pay ONLY in Bitcoins!
My BTC wallet: 1FgfdebSqbXRciP2DXKJyqPSffX3Sx57RF
 
You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy
 
For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.
 
After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.
If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".
 
I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)
- Do not try to contact me (you yourself will see that this is impossible, the sender address is automatically generated)
- Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.
 
P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!
 This is the word of honor hacker
 
I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.
 
Do not hold evil! I just do my job.
Good luck.

Conclusion
A new disturbing type of spear phishing campaign is presented. The email presents an actual password (no hint as to how the hacker obtained it) and then tries to extort the user for quite a bit of money to avoid reputation-damaging disclosures to their close associates.

References and related
This is a useful site, albeit a little frightening, that shows you the many sites that have leaked your Email address due to a data breach: https://haveibeenpwned.com/

Categories
Network Technologies

Voice and data vlans on one switch port, no vlan tagging: how does that work?

Intro
We had a Cisco video conference unit pick up an IP from a data vlan whereas we expected it to pick it up from a voice vlan, where we had assigned it a static IP. What happened?

The details
I have to admit I never paid attention to the switch ports in the offices. All these years and I didn't really appreciate the fact that you can plug in either a PC or a Cisco phone to the same switch port, yet the PC "knows" to go onto a data vlan while the phone "knows" to put itself onto a voice vlan. How could that be?

Naively, just talking it out, I had this jumble of “facts” in my mind:

– sharing vlans on one switch port is done through vlan tagging
– the equipment plugged in must know the switch port is using vlan tagging or else disastrous results occur (see this post for some examples)
– if in addition you're a PC using DHCP, how would you know which vlan to go onto? How would you learn the connection is tagged?
– well, there can be a native vlan in addition to tagged vlans. Maybe they used that?

Fortunately I have some friends with access to the switch config. Here it is for one specific typical port:

interface FastEthernet0/2
description Data & Voice vlanC
switchport access vlan 103
switchport mode access
switchport voice vlan 703
...

I puzzled over that for awhile because, well, what does it mean?? In my world of servers you have two port types: access ports and trunk ports. Trunk ports are the ones that have tagged vlans. Access ports provide a single untagged vlan's traffic to the port.

It's pretty clearly declaring this switch port to be an access port, not a trunk port. And yet two vlans are referred to. There's this command I've never seen or used before: switchport voice. How does this fit with the jumble of facts above? The jumble of facts needs to be amended…

I asked another expert and he said he heard that the Cisco phones use something called LLDP – link layer discovery protocol. From my research, the predecessor protocol was CDP – Cisco Discovery Protocol.

Switchport voice vlan 703 is something like introducing tagging for vlan703, if I read the Cisco documentation correctly.

The magic happens
This is often described as magic or voodoo so we will treat it like that too! A Cisco phone uses LLDP to learn from the switch that the voice vlan is 703. Then somehow it tags(?) its traffic to use only that vlan, even for its DHCP discover. A PC or any other normal host by contrast does not use LLDP and is only exposed to the data vlan 103 (the “native” vlan) so it gets an IP from doing DHCP discover on that vlan.

Do I believe my own explanation? Not really. It’s the best I got. I really should do a packet trace to confirm but who has the time?

That video conference unit? They say when they boot it a second time it jumps onto the correct vlan and picks up the desired static IP. Again, no one’s really sure why.

Conclusion
Strange DHCP behavior on the part of a Cisco video conference unit forces us to think through how data + voice on one switch port might actually be working in a typical Cisco-powered office environment. We probably – definitely – didn't nail it, but we must be close to the essentially correct answer.

References and related
As always Wikipedia has an article somewhat explaining LLDP

Categories
Linux Raspberry Pi

Solution to this week’s NPR puzzle using simple Linux commands, again

Intro
As I understood it, this week’s NPR puzzle is as follows. Think of a figure from the Bible with five letters. Move each letter three back, e.g., an “e” becomes a “b.” Find the Biblical figure which becomes an ailment after doing this transformation.

Initial thoughts
I figured this would be eminently amenable to some simple linux commands like I’ve done with previous puzzles (most are not, by the way). I was having a hard time doing these transformations in my head while I was driving, and the first names I tried came up empty, such as Jesus or Moses.

So I figured I could write a program to do the character transformations on each and every word and I could probably find a downloadable text version of the Bible. I didn’t find a pure text version, but I did download an HTML version, which is close enough for our purposes.

Then I was going to just keep the five-letter words and do this transformation on all of them and match against dictionary words. Then I would have taken just those matches and scanned by hand to look for words that are ailments, hoping there wouldn’t be too many matched words to contend with.

Finally settled on a different approach
That looked like a bit of work so I thought about it and decided there had to be a resource for just the figures in the Bible, and voila, there is, in Wikipedia, see the references.

rot13
Rot13 is a famous cipher (encryption is too strong a word to describe this simple approach), where A becomes N, B becomes O, etc. I had a feeling the tr command in linux might be able to do this but didn’t know how. So I searched for linux, tr and rot13 and found an example online. It was easy to adapt.

We need what you could call a rot -3. Here is the command.

$ tr 'A-Za-z' 'X-ZA-Wx-za-w'

So I put the text of the Wikipedia page of Biblical figures into a text file on my linux server, into a file called list-of-biblical-figures. It looks like this:

Adam to David according to the Bible
Creation to Flood
 
    Adam Seth Enos Kenan Mahalalel Jared Enoch Methuselah Lamech Noah Shem
 
Cain line
 
    Adam Cain Enoch Irad Mehujael Methusael Lamech Tubal-cain
 
Patriarchs after Flood
 
    Arpachshad Cainan Shelah Eber Peleg Reu Serug Nahor Terah Abraham Isaac Jacob
 
Tribe of Judah to Kingdom
 
    Judah Perez Hezron Ram Amminadab Nahshon Salmon Boaz Obed Jesse David
...

I was going to tackle just pulling the figures with five-character names, but the whole list isn’t that long so I skipped even that step and just put the list through as is:

$ cat list-of-biblical-figures|tr 'A-Za-z' 'X-ZA-Wx-za-w'

comes back as

Xaxj ql Axsfa xzzloafkd ql qeb Yfyib
Zobxqflk ql Cilla
 
    Xaxj Pbqe Bklp Hbkxk Jxexixibi Gxoba Bklze Jbqerpbixe Ixjbze Klxe Pebj
 
Zxfk ifkb
 
    Xaxj Zxfk Bklze Foxa Jbergxbi Jbqerpxbi Ixjbze Qryxi-zxfk
 
Mxqofxozep xcqbo Cilla
 
    Xomxzepexa Zxfkxk Pebixe Bybo Mbibd Obr Pbord Kxelo Qboxe Xyoxexj Fpxxz Gxzly
 
Qofyb lc Graxe ql Hfkdalj
 
    Graxe Mbobw Ebwolk Oxj Xjjfkxaxy Kxepelk Pxijlk Ylxw Lyba Gbppb Axsfa
...
    Ebola
...

So it’s all gibberish as you might hope. Then towards the end you come across this one thing and it just pops out at you. As is my custom I won’t give it away before the deadline. [update] OK. Submission deadline has passed. Ebola just really popped out. Going back to the original text, you see it lines up with Herod. So there you have it.

I double-checked and confirmed this also works on a Raspberry Pi. I've come to realize that most people don't have their own server, but hundreds of thousands or perhaps millions have a Raspberry Pi, which is a linux server, which makes techniques like this accessible. And fun.

Conclusion
I show a technique for using a linux server such as a Raspberry Pi to solve this week’s NPR puzzle. A very simple approach worked. In fact I was able to solve the puzzle and write this post in about an hour!

References and related
HTML version of Bible: https://ebible.org/Scriptures/eng-web_html.zip
Biblical figures: https://en.wikipedia.org/wiki/List_of_major_biblical_figures
An earlier NPR puzzle solved with linux command line techniques

Categories
DNS

The IT detective agency: rogue IPv6 device messes up DHCP for entire subnet

Intro
This was a fascinating case insofar as it was my first encounter with a real life IPv6 application. So it was trial by fire.

The details
I think the title of the post makes clear what happened. The site people were saying they can ping hosts by IP but not by DNS name. So basically nothing was working. I asked them to do an ipconfig /all and send me the output. At the top of the list of DNS servers was this funny entry:

IPv6 DNS server shows up first

I asked them to run nslookup, and sure enough, it timed out trying to talk to that same IPv6 server. Yet they could PING it.

The DNS servers listed below the IPv6 one were the expected IPv4 ones our enterprise system hands out.

My quick conclusion: there is a rogue host on their subnet acting as an IPv6 DHCP server! It took some convincing on my part before they got on board with that idea.

But I goofed too. In my haste to move on, I confused an IPv6 address with a MAC address. Rookie IPv6 mistake I suppose. It looked strange, had letters and even colons, so it kind of looks like a MAC address, right? So I gave some quick advice to get rid of the problem: identify this address on the switch, find its port and disable it. So the guy looked for this funny MAC address and of course didn’t find it or anything that looked like it.

My general idea was right – there was a rogue IPv6 DHCP server.

My hypothesis as to what happened
The PCs have both an IPv4 as well as an IPv6 stack, as does just about everyone’s PC. These stacks run independently of each other. Everyone blissfully ignores the IPv6 communication, but that doesn’t mean it’s not occurring. I think these PCs got an IPv4 IP and DNS servers assigned to them in the usual way. All good. Then along came a DHCPv6 server and the PC’s IPv6 stack sent out a DHCPv6 request to the entire subnet (which it probably is doing periodically all along, there just was never a DHCPv6 server answering before this). This time the DHCPv6 server answered and gave out some IPv6-relevant information, including a IPv6 DNS server.

I further hypothesize that what I said above about the IPv4 and IPv6 stacks being independent is not entirely true. These stacks are joined in one place: the resolving nameservers. You only get one set of resolving nameservers for your combined IPv4/IPv6 stacks, which sort of makes sense because DNS servers can answer queries about IPv6 objects if they are so configured. So, anyway, the DHCPv6 client decides to put the DNS server it has learned about from its DHCPv6 server at the front of the existing nameserver list. This nameserver is totally busted, however, and sits on the request, and the client's error handling isn't good enough to detect the problem and move on to the next nameserver in the list – an IPv4 nameserver which would have worked just great – despite the fact that it is designed to do just that. And all resolution breaks, and breaks badly.

What was the offending device? They’re not saying, except we heard it was a router, hence, a host introduced by the LAN vendor who can’t or won’t admit to having made such an error, instead making a quiet correction. Quiet because of course they initially refused the incident and had us look elsewhere for the source of the “DHCP problem.”
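The tell-tale sign in this case was a resolver at the head of the ipconfig /all list that the enterprise DHCP never handed out. As an added Python example (not from the original post), this parses an ipconfig /all listing, including the unlabelled continuation lines Windows prints under "DNS Servers", and flags any resolver missing from an allow-list; the ipconfig text and the expected server addresses are constructed.

```python
"""Audit the DNS server list in 'ipconfig /all' output against an allow-list (added example)."""
import re

# Constructed 'ipconfig /all' excerpt modelled on the incident: a link-local IPv6
# resolver sits first, ahead of the two enterprise IPv4 resolvers.
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : example.internal
   IPv6 Address. . . . . . . . . . . : 2001:db8:1::1a2b(Preferred)
   Link-local IPv6 Address . . . . . : fe80::9d1a:44ff:fe12:3456%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.24.76.124(Preferred)
   Default Gateway . . . . . . . . . : 10.24.76.1
   DHCP Server . . . . . . . . . . . : 10.24.0.10
   DHCPv6 IAID . . . . . . . . . . . : 123456789
   DNS Servers . . . . . . . . . . . : fe80::1%12
                                       10.24.0.53
                                       10.24.1.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed allow-list: the resolvers the enterprise DHCP is known to hand out
EXPECTED_DNS = {"10.24.0.53", "10.24.1.53"}

# A labelled line: indented, label starts with a letter and has no colon of its
# own, then dot leaders and " : value". IPv6 continuation lines (fe80::1%12)
# contain colons but never a whitespace-colon pair, so they do not match.
LABEL_RE = re.compile(r'^\s+([A-Za-z][^:]*?)[ .]*\s:\s?(.*)$')

def dns_servers(ipconfig_text):
    """Return {adapter name: [resolvers in the order Windows will try them]}."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        if not line.strip():
            continue
        # adapter header: unindented, ends with a colon
        if not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip().rstrip(":")
            adapters[current] = []
            in_dns = False
            continue
        m = LABEL_RE.match(line)
        if m:
            in_dns = m.group(1) == "DNS Servers"
            if in_dns and m.group(2).strip():
                adapters[current].append(m.group(2).strip())
        elif in_dns:
            adapters[current].append(line.strip())   # unlabelled continuation line
    return adapters

def unexpected_dns(ipconfig_text, expected=EXPECTED_DNS):
    """Per adapter, the resolvers not on the allow-list. A non-empty list on an
    ordinary client is the symptom seen above: something else is configuring DNS."""
    return {name: [s for s in servers if s not in expected]
            for name, servers in dns_servers(ipconfig_text).items()}

if __name__ == "__main__":
    for adapter, rogue in unexpected_dns(SAMPLE_IPCONFIG).items():
        if rogue:
            print(f"{adapter}: unexpected DNS server(s) {rogue}; check for a rogue DHCPv6/RA source")
```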

Alternate theory
I see that IPv6 devices do not need to get DNS servers via DHCPv6. They can use a new protocol, NDP, neighbor discovery protocol. Maybe the IPv6 stack is periodically trying NDP and finally got a response from the rogue device and put that first on the list of nameservers. No DHCPv6 really used in that scenario, just NDP.

Useful tips for layer 2 stuff
Here’s how you can find the MAC of an IPv6 device which you have just PINGed:

netsh interface ipv6 show neighbors

from a CMD prompt on a Windows machine.

In Linux it’s

ip -6 neigh show

Conclusion
Another tough case resolved! We learn some valuable things about IPv6 in the process.

References and related
I found the relevant commands in this article: https://www.midnightfreddie.com/how-to-arp-a-in-ipv6.html

Categories
Web Site Technologies

Where is my IP without the aggressive ads

Intro
To find where an IP address is located – known as geoip – you can do a simple duckduckgo search and get an idea, but you may also get sucked into one of those sites that provides a service while subjecting you to a lot of advertising. So I prefer to have the option to go to the source.

For that I kind of like this site: https://www.maxmind.com/en/geoip-demo

Maxmind also has a free downloadable database of all IPs known as GeoLite2. If I get time I may explore using it.

References and related
https://www.maxmind.com/en/geoip-demo

Categories
Consumer Tech

What credit card fraud looks like

Intro
A lost credit card. Or was it misplaced? Months later a whole bunch of “modest” charges appear all at once, a couple days after a few lower-value test charges were made.

Thank goodness I had the presence of mind to lower my alert limit on transactions from $200 to $50. I was not too late to have all the charges disputed despite the test charges being two days old.

What fraudulent credit card charges look like

I do not know how these charges were created – what are Google/Walmart or Google/Target?

I can guess how my address was matched to the card – it’s a sufficiently uncommon last name available from simple public records.

Conclusion
Well, now we know the card was lost or stolen, not misplaced. After all these years that’s the first time that has happened to us. We will not be responsible for the disputed charges.

Categories
Uncategorized

NJ homeowners: how to sell your SRECs from your solar panels

Intro
I was an enthusiast and got solar panels on my roof while there was still a tax credit for doing so. But then I became lazy and didn't want to bother selling the SRECs I was awarded. Here is what I did.

The details
I got a recommendation from a friend who found a legitimate company who will buy my SRECs with a process so simple no registration is required! And, their prices seem competitive.

Here are the CEPS I’ve accumulated on the PJM-EIS web site. And no, I don’t really know how to use the site other than to report my generation. I just wasn’t that interested.

CEPS from Dr John’s home solar system

CEPS is a synonym for SRECs. SREC is a solar renewable energy credit. It’s a unit of measure = 1 Kilowatt Hour of generation by your system.

Here is the web site of the company I will sell them to: http://njsrec.com/

And their instructions – clearly written for someone not overly familiar with using a computer as everything is spelled out:

NJSREC.COM instructions

I haven't sold them yet because I will have another one by tomorrow, so I'll wait for that one and bundle them all together. They get credited to your account on the last day of the month. My friend uses them, however, so I know they can be trusted. They will simply send you a check in the mail for your CEPS after you follow those simple instructions!

Conclusion
We recommend NJSREC.COM as the simplest way to sell your SRECs and know you are not being taken advantage of. As of this writing July 2018 a quantity of 4 – 10 CEPS is worth $201 per CEPS. The prices have been going down (mostly) and will continue to go down. So don’t hold on too long, i.e., years.

References and related

The GATS web site is https://www.pjm-eis.com/
The buyer’s web site: http://njsrec.com/

Categories
Admin Linux Network Technologies SLES

Linux tip: how to enable remote syslog on SLES

Intro
I write this knowing I still don’t know anything to speak of about syslog, but, sometimes you gotta act without knowing. I needed to send syslog to somewhere in a big hurry so I figured out the absolute minimum I needed to do to get it running on one of my other systems.

The details
This all started because of a deficiency in the F5 ASM. At best it's so slow when looking through the error log. But in particular there was one error that always timed out when I tried to bring up the details, a severity 5 error, so it looked pretty important. Worse, local logging, even though it is selected, also does not work – the /var/log/asm file exists but contains basically nothing of interest. I suppose there is some super-fancy and complicated MySQL command you could run to view the logs, but that would take a long time to figure out.

So for me the simplest route was to enable remote syslog on a Linux server and send the ASM logging to it. This seems to be working, by the way.

The minimal steps
Again, this was for Suse Enterprise Linux running syslog-ng.

  1. modify /etc/sysconfig/syslog as per the next step
  2. SYSLOGD_PARAMS="-r"
  3. modify /etc/syslog-ng/syslog-ng.conf as per the next step
  4. uncomment this line: udp(ip("0.0.0.0") port(514));
  5. launch yast (I use curses-based yast [no X-Windows] which is really cantankerous)
  6. go to Security and Users -> Firewall -> Allowed services -> Internal Zone -> Advanced
  7. add udp port 514 as additional allowed Ports in internal zone and save it
  8. service syslog stop
  9. service syslog start
  10. You should start seeing entries in /var/log/localmessages as in this suitably anonymized example (I added a couple line breaks for clarity):
Jul 27 14:42:22 f5-drj-mgmt ASM:"7653503868885627313","50.17.188.196","/Common/drjohnstechtalk.com_profile","blocked","/drjcrm/bi/tjhmore345","0","Illegal URL,Attack signature detected","200021075","Automated client access ""curl""","US","<!--?xml version='1.0' encoding='UTF-8'?-->44e7f1ffebff2dfb-800000000000000044f7f1ffebff2dfb-800000000000000044e7f1ffe3ff2dfb-80000000000000000000000000000000-000000000000000042VIOL_ATTACK_SIGNATURErequest200021075
7VXNlci1BZ2VudDogY3VybC83LjE5LjcgKHg4Nl82NC1yZWRoYXQtbGludXgtZ251KSBsaWJjdXJsLzcuMTkuNyBOU1MvMy4yNy4xIHpsaWIvMS4yLjMgbGliaWRuLzEuMTggbGlic3NoMi8xLjQuMg0KSG9zdDogYWctaW50ZWw=
01638
VIOL_URL","GET /drjcrm/bi/tjhmore345 HTTP/1.1\r\nUser-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2\r\nHost: drjohnstechtalk.com\r\nAccept: */*\r\n\r\n"
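Everything after the ASM: prefix in those entries is one CSV record, with double quotes doubled inside a field (the ""curl"" above), so the lines can be picked apart once they land in /var/log/localmessages. This added Python example (not F5's or the post's code) parses such lines and lists the blocked requests with their source IP and attack signature; the sample lines are constructed from the anonymized entry above with its long payload trimmed, and the field names are an assumption from the order seen there, since the real order is whatever the ASM logging profile specifies.

```python
"""Parse F5 ASM violation lines received by a remote syslog server (added example)."""
import csv
import re

# Constructed from the anonymized entry above (payload trimmed); the second line
# is a benign 'alarm' entry and the third comes from syslog-ng itself.
SAMPLE_LOG = r'''Jul 27 14:42:22 f5-drj-mgmt ASM:"7653503868885627313","50.17.188.196","/Common/drjohnstechtalk.com_profile","blocked","/drjcrm/bi/tjhmore345","0","Illegal URL,Attack signature detected","200021075","Automated client access ""curl""","US","GET /drjcrm/bi/tjhmore345 HTTP/1.1\r\nUser-Agent: curl/7.19.7\r\nHost: drjohnstechtalk.com\r\n\r\n"
Jul 27 14:43:01 f5-drj-mgmt ASM:"7653503868885627314","192.0.2.10","/Common/drjohnstechtalk.com_profile","alarm","/index.html","0","Illegal HTTP status in response","","","US","GET /index.html HTTP/1.1\r\nHost: drjohnstechtalk.com\r\n\r\n"
Jul 27 14:43:05 f5-drj-mgmt syslog-ng[1234]: Configuration reload request received
'''

# ASSUMED field names, taken from the order in the sample; adjust to match the
# storage format configured in the ASM logging profile.
FIELDS = ["support_id", "src_ip", "policy", "action", "uri", "field6",
          "violations", "sig_ids", "sig_names", "geo", "request"]

# syslog prefix: "Mon DD HH:MM:SS host ASM:" followed by the CSV payload
SYSLOG_RE = re.compile(r'^(\w{3} +\d+ [\d:]+) (\S+) ASM:(.*)$')

def parse_asm_line(line):
    """Return a dict for an ASM line, or None for lines from other programs."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, payload = m.groups()
    # csv handles the quoted fields and the "" escaping for us
    values = next(csv.reader([payload]))
    rec = dict(zip(FIELDS, values))
    rec["timestamp"], rec["host"] = ts, host
    rec["violations"] = [v for v in rec.get("violations", "").split(",") if v]
    return rec

def blocked_requests(log_text):
    """The entries to look at first: action 'blocked', with source, URI and signature."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_asm_line(line)
        if rec and rec.get("action") == "blocked":
            hits.append((rec["src_ip"], rec["uri"], rec["sig_names"], rec["violations"]))
    return hits

if __name__ == "__main__":
    for src, uri, sig, viols in blocked_requests(SAMPLE_LOG):
        print(f"blocked {src} -> {uri}: {sig} [{', '.join(viols)}]")
```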

Observations
Interestingly, there is no syslogd on this particular system, and yet the “-r” flag is designed for syslogd – it’s what turns it into a remote syslogging daemon. And yet it works.

It's easy enough to log these messages to their own file; I just don't know how to do it yet because I don't need to. I learn as I need to, just as I learned enough to publish this tip.

Conclusion
We have demonstrated activating the simplest possible remote syslogger on Suse Linux Enterprise Server.

References and related

Want to know what syslog is? Howtonetwork has this very good writeup: https://www.howtonetwork.com/technical/security-technical/syslog-server/