@mzpqnxow
Last active March 27, 2024 21:21
EdgeRouter log DNS queries to syslog (not to file)

Logging EdgeRouter DNS queries from dnsmasq to syslog

This blog post is the source of this info; there are a few other ways to do it, but this one seems superior.

Why?

Wouldn't you like to know what DNS requests are being made from your network? You ought to. Ideally, pipe the log to Logstash, enrich it however you like (geolocation, etc.), and then send it to a datastore that Kibana can work with (Elasticsearch fits here, the good old "ELK stack"). You could also send it to Graylog.

One nice thing to do is generate a daily report of "first time" DNS queries (names never queried from your network before). This is especially useful in a threat-hunting type scenario, though this guide isn't really aimed at enterprises.

Backup the system file that sets the log-facility

The problem is that the generated dnsmasq.conf already contains a log-facility line pointing at /var/log/dnsmasq.log, and you cannot set log-facility twice, so adding your own via the options tree does not work. Leaving log-facility unset entirely is the easiest way to get queries to syslog. So there is no choice but to edit the script that generates the log-facility line.

sudo cp /opt/vyatta/sbin/vyatta-dns-forwarding.pl ~/vyatta-dns-forwarding.pl.bak

Modify the Perl script inherited from Vyatta

You will need to change the line that reads $output .= "log-facility=/var/log/dnsmasq.log\n";

To make it read $output .= "# log-facility=/var/log/dnsmasq.log\n";

Yes, folks, that's just commenting the line out, so the generated dnsmasq.conf has no log-facility entry at all. See the dnsmasq documentation for what happens when log-facility is not set explicitly: dnsmasq logs to syslog, using the DAEMON facility by default (a log-facility value containing a "/" is treated as a file name, which is why the stock line sends everything to a file).

This one-liner works as of EdgeOS 1.10.8 and the script probably won't change much for some time (if ever?); I suppose it depends on the Vyatta/EdgeOS devs. You will need to be root to run the following command, which does the replacement for you. Note that the edit lives in the firmware's own script, so expect a firmware upgrade to put the original file back; keep the backup and re-check after upgrading.

sed -i 's/\$output \.= "log-facility/\$output \.= "# log-facility/' /opt/vyatta/sbin/vyatta-dns-forwarding.pl

Activate query logging in dnsmasq if you haven't already

sudo -i
configure
set service dns forwarding options log-queries
commit
save
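The three steps above (backup, comment out the log-facility line, verify), as one rerunnable script. This is an added example and not part of the gist; it reuses the gist's own sed expression, and it assumes the script path the gist quotes and that the committed config is rendered to /etc/dnsmasq.conf (both overridable, and both assumptions).

```shell
#!/bin/sh
# Added example, not from the gist: applies the gist's one-line edit to the
# EdgeOS generator script idempotently and checks the result, so it can be
# rerun (for instance after a firmware upgrade restores the original file).
# Assumptions: the script path the gist quotes, and /etc/dnsmasq.conf as the
# rendered config. Both can be overridden to test against copies.
set -eu

VYATTA_SCRIPT="${VYATTA_SCRIPT:-/opt/vyatta/sbin/vyatta-dns-forwarding.pl}"
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.conf}"

# Keep exactly one backup of the pristine file; never overwrite it with a
# copy that has already been patched.
backup_script() {
    [ -f "$1.bak" ] || cp "$1" "$1.bak"
}

# Returns 0 when the log-facility line in $1 is already commented out.
is_patched() {
    grep -q '^[[:space:]]*\$output \.= "# log-facility=' "$1"
}

# Comment out the log-facility line (the gist's sed) unless already done,
# then verify the edit actually landed (fails if the script has changed
# upstream and the pattern no longer matches anything).
patch_script() {
    if is_patched "$1"; then
        return 0
    fi
    sed -i 's/\$output \.= "log-facility/\$output \.= "# log-facility/' "$1"
    is_patched "$1"
}

# After "commit", the regenerated dnsmasq.conf must carry log-queries and no
# active log-facility line; otherwise queries still go to the file.
check_dnsmasq_conf() {
    grep -q '^log-queries' "$1" && ! grep -q '^log-facility=' "$1"
}

# Constructed two-line stand-in for the real generator, for trying the
# patch offline (this is not the contents of the real script).
sample_generator() {
    printf '%s\n' 'my $output = "";' \
        '    $output .= "log-facility=/var/log/dnsmasq.log\n";'
}

case "${1:-}" in
    apply)
        backup_script "$VYATTA_SCRIPT"
        patch_script "$VYATTA_SCRIPT"
        echo "patched; now: configure / set service dns forwarding options log-queries / commit / save"
        ;;
    check)
        check_dnsmasq_conf "$DNSMASQ_CONF" && echo "dnsmasq.conf OK: queries go to syslog"
        ;;
    demo)
        t=$(mktemp); sample_generator > "$t"
        backup_script "$t"; patch_script "$t"
        diff "$t.bak" "$t" || true     # shows the one commented-out line
        rm -f "$t" "$t.bak"
        ;;
esac
```

Run it as root on the router with `apply`, do the configure/commit/save step, then run `check` to confirm the rendered config; `demo` exercises the patch on a throwaway copy without touching the system.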

Send the router's syslog to a remote host

Also, you will obviously need to set up a remote syslog server and tell your EdgeRouter to log to it. This is not hard to do; the configuration should end up looking like this (1.2.3.4 being your log host):

sudo -i
configure
show system syslog 
 global {
     facility all {
         level info
     }
 }
 host 1.2.3.4 {
     facility all {
         level info
     }
 }

Enable receiving UDP Syslog messages on your log host

For rsyslog this is really easy: open /etc/rsyslog.conf (or whatever your main rsyslog configuration file is). You probably don't want this in /etc/rsyslog.d/, but I am not sure ...

Make sure /etc/rsyslog.conf contains the following (you don't really need the TCP input, since this guide doesn't cover syslog over TCP, TLS+TCP, etc.):
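For the receiver side, and for the "first time" query report mentioned under Why?, here is an added example that is not part of the gist. It prints an rsyslog UDP-listener snippet (RainerScript, rsyslog v7+) that files the router's dnsmasq lines separately, and it builds the daily first-seen report over that file. The router address 192.0.2.1, the log and seen-list paths, and the sample log lines are all constructed placeholders; on the router the matching configure-mode command is `set system syslog host <loghost> facility all level info`, as in the config tree shown above.

```shell
#!/bin/sh
# Added example, not part of the gist: (1) the rsyslog receiver config the
# text refers to, printed as a RainerScript snippet, and (2) the daily
# "first time seen" query report suggested in the Why section, run over the
# file that snippet produces. ROUTER_IP, DNS_LOG and SEEN_DB are placeholders.
set -eu
export LC_ALL=C   # sort and comm must agree on collation

ROUTER_IP="${ROUTER_IP:-192.0.2.1}"
DNS_LOG="${DNS_LOG:-/var/log/edgerouter-dns.log}"
SEEN_DB="${SEEN_DB:-/var/lib/dns-seen/names.txt}"

# rsyslog (v7+) config: listen on UDP/514, file dnsmasq lines from the router
# separately, and "stop" so they do not also land in /var/log/syslog. Only
# messages claiming to come from ROUTER_IP are accepted into the file; plain
# UDP syslog is unauthenticated, so also restrict port 514 with a host firewall.
rsyslog_snippet() {
    cat <<EOF
module(load="imudp")
input(type="imudp" port="514")
if \$fromhost-ip == '$ROUTER_IP' and \$programname == 'dnsmasq' then {
    action(type="omfile" file="$DNS_LOG")
    stop
}
EOF
}

# Constructed sample in the format dnsmasq writes with log-queries (not real traffic).
sample_log() {
    cat <<'EOF'
Mar 27 21:21:00 ubnt dnsmasq[1234]: query[A] www.example.com from 192.168.1.50
Mar 27 21:21:00 ubnt dnsmasq[1234]: forwarded www.example.com to 9.9.9.9
Mar 27 21:21:00 ubnt dnsmasq[1234]: reply www.example.com is 93.184.216.34
Mar 27 21:21:01 ubnt dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.50
Mar 27 21:21:02 ubnt dnsmasq[1234]: query[A] updates.example.net from 192.168.1.7
EOF
}

# Names from "query[TYPE] name from client" lines, sorted and de-duplicated;
# forwarded/reply/cached lines are ignored.
query_names() {
    sed -n 's/.*dnsmasq\[[0-9]*\]: query\[[A-Za-z0-9]*\] \([^ ]*\) from .*/\1/p' "$1" | sort -u
}

# Print names queried in log $1 that are not yet in seen-list $2, then merge
# them in. Run once a day over that day's log (e.g. from cron after logrotate)
# and the output is the daily report of first-time queries.
first_seen_report() {
    log="$1"; seen="$2"
    mkdir -p "$(dirname "$seen")"
    [ -f "$seen" ] || : > "$seen"
    sort -u -o "$seen" "$seen"
    today=$(mktemp)
    query_names "$log" > "$today"
    comm -23 "$today" "$seen"
    sort -u -o "$seen" "$seen" "$today"
    rm -f "$today"
}

case "${1:-}" in
    rsyslog) rsyslog_snippet ;;                      # e.g. > /etc/rsyslog.d/10-edgerouter.conf
    report)  first_seen_report "$DNS_LOG" "$SEEN_DB" ;;
    demo)    t=$(mktemp); s=$(mktemp); sample_log > "$t"
             first_seen_report "$t" "$s"; rm -f "$t" "$s" ;;
esac
```

`demo` runs the report over the constructed sample and prints the two names it has never seen; a second run over the same input prints nothing. The snippet filters on `$fromhost-ip`, which is the packet's source address as rsyslog saw it, not anything the sender asserts in the message, which is the one check worth having on an unauthenticated UDP listener.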

@githubsean

Thanks for this - exactly my problem, along with the duplicate entries in dnsmasq.conf.
It's unfortunate that we have to edit the vyatta scripts, but here we are.

@AJolly

AJolly commented Mar 27, 2024

Also, you can do set service dns forwarding options log-dhcp to allow logging of DHCP requests.
