Replace MAC Addresses With Labels Using Syslog-NG


Replace MAC Addresses With Labels Using Syslog-NG.

Syslog-NG by BalaBit.

I send the logs of my RouterOS devices to a syslog-ng server located on my NAS box. Those logs usually contain MAC addresses which are not easy to connect to a specific device for humans and that’s where the logging server comes in handy.

Step by Step

This is the whole guide for this setup to work:

  1. Generate Configuration for Syslog, User-Manager and DNS Servers
  2. Replace MAC Addresses With Labels Using Syslog-NG (this part)
  3. User-Manager Setup For Static DHCP
  4. DNS Names For Static DHCP Leases

Solution

The first step is to setup syslog-ng depending on your available hardware. For many Linux distributions there are packages available or you might consider compiling it from the source code yourself. I’ll not go into any details for installation here since this should be straight forward.

RouterOS Setup

RouterOS Syslog Configuration

RouterOS Syslog Configuration

After you installed syslog-ng and got it working, make sure you send your logs to the server. This can be done in the menu System/Logging where you have to add a new action.

Configure your servers IP address and port (default is 514) and set your logging rules to that new action. After this is done, messages will be sent to your syslog server.

Syslog-NG Configuration

When you installed syslog-ng it probably came with a default configuration, which you will have to modify. Your setup might be slightly different but should nevertheless look almost like my example here.

# source configuration - UDP/514
source s_network {
  udp(port(514));
};

# destination file configuration
destination d_loghost {
  file("/opt/data/syslog-ng/log/$HOST/$YEAR/$MONTH/$FACILITY_$DAY.log"
    owner(syslog) group(syslog) perm(0644) dir_perm(0755) create_dirs(yes)
  );
};

The above part just configures the source of accepted messages and the file these messages should go to. So far there is nothing special about it and now comes the special feature why we do all this.

# logging configuration
log {
  source(s_network);
  rewrite(r_rewrite_mac);
  filter(f_remove_wireless);
  destination(d_loghost);
};

# filter known but unwanted wireless messages
filter f_remove_wireless {
  not level(debug);
  not program(".*wireless,debug.*");
  not match(".*>@[^:]+: connected$");
  not match(".*>@[^:]+: disconnected, ");
  not match(".*>@[^:]+: reassociating$");
  not match(".*>, sent deauth$");
};

# replace mac addresses with <mac/hostname>
rewrite r_rewrite_mac {
  subst("00:11:22:AA:BB:CC", "<00:11:22:AA:BB:CC/client-1>", value("MESSAGE"), flags(ignore-case));
  subst("33:44:55:DD:EE:FF", "<33:44:55:DD:EE:FF/client-2>", value("MESSAGE"), flags(ignore-case));
};

The filter f_remove_wireless is just there because the whole WLAN stuff is quite chatty and I am only interested in the unusual stuff. You can add more rules or remove the whole filter if you like.

The expressions for the rewrite rules come from the script I described in Shellscript to generate MAC/IP/DNS configuration.

After you modified the configuration and restarted the syslog-ng service, your logfiles should look like the following example. And as you see, the MAC addresses are pretty easy to read and it’s much easier to work with those logs.

Jan  8 13:49:47 192.168.100.2 dhcp,info dhcp homenetwork deassigned 192.168.100.100 from <00:11:22:AA:BB:CC/client-1>
Jan  8 13:49:47 192.168.100.2 dhcp,info dhcp homenetwork assigned 192.168.100.100 to <00:11:22:AA:BB:CC/client-1>
Jan  8 14:36:02 192.168.100.2 firewall,info final input: in:isp out:(none), src-mac <AA:BB:CC:DD:EE:FF>, proto TCP (ACK,PSH), 1.2.3.4:443->192.168.100.2:65143, len 105

The next post will be about configuring static IP addresses using Radius, User-Manager and DHCP. Stay tuned!

Leave a comment

Your email address will not be published. Required fields are marked *