capturing raw syslog messages with tcpdump - syslog

i am currently collecting logs from a cloud platform which i would like to keep anonymous. while trying to create a custom parser for the syslogs that i am collecting i am trying to capture the raw syslog by using tcpdump.exe for windows. the syntax that i am using to capture the raw syslog messages are: tcpdump.exe -s 0 -A udp port 514
the issue that i am having is that at the beginning of each syslog message it starts with:
..s....#._<133>
and ends with:
E..T..#.#..C#.?O
does anyone know what that means and/or how i can capture the raw syslog messages with tcpdump without the beginning and ending garbage?

Related

Log messages on Rsyslog server do not strictly follow RFC-5424 format

I am trying to log messages into a linux server which has Rsyslog installed on it
Here is one of the sample message
Feb 20 11:31:46 localhost - <46>1 2020-02-20T11:31:46+00:00 localhost [meta sequenceId="3"] -- MARK --#012
The part in bold is not part of RFC-5424 format
The Rsyslog agent seems to be adding this. How do I get rid of this ? And read only the remaining part
i too find rsyslog it confusing. I want to configure rsyslog to strictly for rfc5424, but cant seem to find how.
Also when i send a syslog to it over TCP, i dont see part at all, the messages logged simply start with timestamp.

Send Multiple Invites with sipsak

I'm trying to diagnose an issue with my asterisk server.
It occurs when INVITEs are sent simultaneously to the server.
I've got the following sipsak command but it only sends one invite, and when I run it multiple times for a bash script, it doesn't seem to have the intended effect.
sipsak --from sip:peer1#127.0.0.1 --auth-username peer1 -v --password 1234 --sip-uri sip:peer1#127.0.0.1 -f testdial1
How can I get sipsak to send multiple invites in one go?
Many thanks
Unfortanly really "simultaneously" UDP packets not posible things in linux network stack. They will go one after other anyway.
You can do multiple "calls" using sipp.
sipp -sn uac -d 20000 -s 2005 IP.OF.YOUR.BOX -l 30
This command will connect as a client, and give the duration of the call 20K miliseconds (or 20 seconds), will dial the server at ip IP.OF.YOUR.BOX, and try to reach the extension 2005, with a limit of 30 simultaneous calls

Sending Primitive Message across Internet using TCP/IP

Is there a very primitive method or protocol to send messages from two machines not on the same local network? I don't know what is available, but is there a terminal or prompt method for sending plaintext messages over the internet? Is it simple enough to code it from scratch?
Can I send a simple plaintext message from one machine to the next (if I have that machine's information) and then toy around with adding encryption and other crytopgraphy methods as an exercise?
You need netcat or sometimes called nc. It is on most Linux distros and OSX and available for Windows too.
Examples available here.
Documentation here.
On a server, run
$ nc -l 2389 > receivedfile
to listen on port 2389 and write whatever it receives to file "test"
And on the client, send a file to that port
cat yourfile | nc localhost 2389
or send a message
echo Hello | nc localhost 2389
Once you have got straightforward file transfer working, you can send an encrypted file like this:
openssl enc -aes-256-cbc -salt -in yourfile | nc localhost 2389
It sounds like telnet will do the job you're looking for. It's the most primitive protocol I can think of for this use case.
All data octets except 0377 are transmitted over the TCP transport as is. Therefore, a Telnet client application may also be used to establish an interactive raw TCP session[.]

nmap - repeatedly scan a port for a syn/ack reply and output to file

I need to hit a http server every second for an ack reply once every second repeatedly for various lengths of time, and to output the replies into a textfile with information such as the response time in ms. this is basically to check for latency, but for my purposes i need to do it with a syn/syn-ack.
I've gotten somewhere with
nmap -sS 1.1.1.1 -p 80 -o test.txt -v
this outputs well on screen, but not into the text file -- how do i get all the output that nmap runs into the file?
also, not sure how to run this every second - does nmap have a flag for repeating? or shall i just put it in a bash script?
This command is probably doing more than you want. Each time you run it, Nmap does the following:
Does a reverse-DNS (PTR) lookup of your target
Sends a host-discovery probe to make sure the target is "up." If you are root, this is a set of 4 ICMP and TCP probes. If not, it is 2 TCP connect calls.
Sends a TCP SYN probe to port 80. If you are running as root, the sequence is SYN, SYN/ACK, RST. Otherwise it is SYN, SYN/ACK, ACK, RST/ACK.
So instead, you can use some helpful flags to reduce this overhead and be more specific with what you are asking for.
nmap -n -sn -PS80 1.1.1.1
This command will skip the reverse-DNS lookup (-n) and use the host discovery phase to find the latency. -sn skips the port scan and -PS80 says to use TCP SYN to port 80 to do host discovery. Whether the TCP handshake is completed depends on whether you have root privilege or not.
nmap -n -Pn -p 80 1.1.1.1
This command will send the exact same probes as the previous, but will show the output as a port scan, not just a host discovery scan.
To repeat the scan, you'll have to put it in a shell loop. It would be better to use a dedicated tool for this, but I don't know which one would be best. Nmap comes with a tool called Nping that can send repeated probes and report the round-trip time, but I can't get it to display it per-packet; it just gives a summary at the end. You may have better luck with hping.

Linux Syslog Server Format

I am creating a syslog formatted message according to RFC3164 and sending it to my linux default syslog server which is listining of port 514.
The message i am sending is
<187>Nov 19 02:58:57 nms-server6 %cgmesh-2-outage: Outage detected on this device
I open a socket, make a datagram packet and send this packet on that socket.
Now in the var/log/syslog.log which i have configured to receive all the syslog messages as
. /var/log/syslog.log
I am getting this extra hostname getting inserted by the server automatically as show below
Nov 19 02:58:57 nms-server6 nms-server6 %cgmesh-2-outage: Outage detected on this device
as you see nms-server6 is getting repeated twice while i am sending it just once...so somehow the server is inserting it by default..
can some one share some knowledge on this ?
Are you adding the hostname in your message? If so, I don't think that's necessary as the hostname will be taken from the packet - which would explain the duplication.
Also, as a side note - it's nice that you've added the %fac-sev-mnemonic: portion, but that is not a standard, it's used by Cisco devices.
Here's a link to a good whitepaper that covers Cisco Mnemonics (and syslog management):
Building Scalable Syslog Management Solutions:
http://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-557812.html

Resources