WAX610 how to send hostname with syslog

phirestalker
Aspirant

WAX610 how to send hostname with syslog

I am trying to gather all of my network logs into graylog. It is expecting each sender to include the hostname. Every other device seems to do this as it is apparently standard. How can I get the WAX610 to send its hostname to the syslog server with each message?

Message 1 of 6
schumaku
Guru

Re: WAX610 how to send hostname with syslog


@phirestalker wrote:

It is expecting each sender to include the hostname. Every other device seems to do this as it is apparently standard.


RFC5424 says

 

HOSTNAME

   The HOSTNAME field identifies the machine that originally sent the
   syslog message.

   The HOSTNAME field SHOULD contain the hostname and the domain name of
   the originator in the format specified in STD 13 [RFC1034].  This
   format is called a Fully Qualified Domain Name (FQDN) in this
   document.

   In practice, not all syslog applications are able to provide an FQDN.
   As such, other values MAY also be present in HOSTNAME.  This document
   makes provisions for using other values in such situations.  A syslog
   application SHOULD provide the most specific available value first.
   The order of preference for the contents of the HOSTNAME field is as
   follows:

   1.  FQDN
   2.  Static IP address
   3.  hostname
   4.  Dynamic IP address
   5.  the NILVALUE

   If an IPv4 address is used, it MUST be in the format of the dotted
   decimal notation as used in STD 13 [RFC1035].  If an IPv6 address is
   used, a valid textual representation as described in [RFC4291],
   Section 2.2, MUST be used.

 

This RFC can be considered the "standard".

 


@phirestalker wrote:

How can I get the WAX610 to send its hostname to the syslog server with each message?


The WAX6xx Web UI allows to define the system FQDN in Management > Configuration > IP > LAN

 

===

Set an existing domain name
You can specify an existing fully qualified domain name (FQDN) for the access point so
that you can access the access point by using a domain name instead of an IP address.

---

===

 

The drawback is that the embedded Web server now only allows Web UI access with a referrer of this FQDN; you can no longer use just the IP address to access the Web UI. The documentation is in my opinion incomplete if not wrong. In general - leaving aside complex web server configs with multiple virtual servers to differentiate what is presented based on the calling FQDN - it should be possible to use a DNS FQDN as well as just the plain IP.

 

That said, technically the config option for the WAX6xx and WAC5xx FQDN config is available, seemingly for some security by obscurity. The syslog does not make use of it, and defaults to the LAN IP. I would like to see the syslog providing the FQDN if available, but without prohibiting Web access by IP. @RaghuHR please.

Message 2 of 6
phirestalker
Aspirant

Re: WAX610 how to send hostname with syslog

Thank you for the informative reply. I forgot to mention that graylog thinks configd[some number] is the hostname being sent since it is the first field I guess.

 

I use a public domain for a server I am running. I wonder if I could safely set a domain name in my cheap a$$ router for the local domain without messing that up.

 

I am upgrading my network backwards. First the wireless, then the switch, and then a server (still waiting to upgrade the router). Although, in my defense it was much cheaper to upgrade those components than it will be to build a new router.

 

Anyway thanks again.

Message 3 of 6
schumaku
Guru

Re: WAX610 how to send hostname with syslog


@phirestalker wrote:

I forgot to mention that graylog thinks configd[some number] is the hostname being sent since it is the first field I guess.


Guessing isn't a good advisor here - as there is definitely something wrong with this syslog app, its config, or whatever. Check the native syslog information sent from the devices. Here is a handful of examples, a random selection of syslog messages copy-pasted from a "complete" data feed on a much more advanced syslog application, one that allows capturing even the unexpected where the collector/filter/notification/whatever system might struggle. All entries show the IP addresses as part of the header for each record:

 

<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: opening hostwdog message queue failed, will try opening again
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: Locking client list
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: Client list locked
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: Unlocking client list
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: Client list unlocked
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: opening hostwdog message queue failed, will try opening again
<15>1 2022-05-28T14:42:20+02:00 10.10.1.182 configd 3925 - - configd[3925]: [rogue_ap_scan_5g] scan-threshold : 180 | scan-count : 166 | flush-threshold : 2 | flush-count: 2 | initialise-scan : -1 | init_scan = 1 | g_rogueap_enabled_5g = 1 | g_rogueap_policy_t_5g = 1800 
<15>1 2022-05-28T14:42:20+02:00 10.10.1.182 configd 3925 - - configd[3925]: [rogue_ap_scan_2g] scan-threshold : 30 | scan-count : 17 | flush-threshold : 2 | flush-count: 1 | initialise-scan : -1 | init_scan = 1 | g_rogueap_enabled_2g = 1 | g_rogueap_policy_t_2g = 1800 
<190>1 2022-05-28T14:42:20.755396+02:00 10.10.1.50  - - - 2022-05-28T14:42:20.267+2:00Z: %10.10.1.50-1 STP-6-EDGEPORT proto_stp.c(677): BPDU is received on port XGigabitEthernet9 which is configured as the edge port
<31>1 2022-05-28T14:42:21+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: opening hostwdog message queue failed, will try opening again
<191>1 2022-05-28T14:42:20.996389+02:00 10.10.1.50  - - - 2022-05-28T14:42:20.507+2:00Z: %10.10.1.50-1 discAgent-7 nal_logging.c(39): cloud operation mode:0
<30>1 2022-05-28T14:42:21+02:00 10.10.1.189 udhcpc 9216 - - udhcpc[9216]: broadcasting discover#012
<31>1 2022-05-28T14:42:22+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: opening hostwdog message queue failed, will try opening again
<31>1 2022-05-28T14:42:22+02:00 10.10.1.186 wifidog 21663 - - wifidog[21663]: Locking client list
<31>1 2022-05-28T14:42:22+02:00 10.10.1.186 wifidog 21663 - - wifidog[21663]: Client list locked

 

@phirestalker wrote:

I use a public domain for a server I am running. I wonder if I could safely set a domain name in my cheap a$$ router for the local domain without messing that up.


There is nothing impossible; you are free to configure a fully featured DNS server, taking care of any kind of local private or public domain, taking care of all VLANs and IP subnets, providing A and AAAA, providing PTR, ... configure all your computers/clients to add the local domains to a search path, so you can resolve a hostname (just the name) or a FQDN to the IP address, and reverse-resolve an IP address to the name, ... and then you can configure every WAX6xx with a fully blown FQDN. The first thing I would strongly suggest is adding IP address reservations for each device MAC address, so the DHCP does always hand out the same IP address to the same device.

 

However, keep in mind you might need redundancy: if this nice DNS infrastructure does fail one day, you need at least a second and probably a third service, not difficult, but it must be done with replication et al. Of course, you could also populate all your computers with hosts files holding FQDNs - yet another never ending effort (deprecated in fact, but a last resort if you are really keen to force the Web UI to be called by that FQDN again, as IP does no longer work then).

 

@phirestalker wrote:

I am upgrading my network backwards. First the wireless, then the switch, and then a server (still waiting to upgrade the router). Although, in my defense it was much cheaper to upgrade those components than it will be to build a new router.


Nothing wrong with that. First you need connectivity, read switching, power like PoE(+), wireless APs, ... then come the needs for a router with multiple VLANs, probably built-in DNS capabilities, ... The day you have the infrastructure ready for handling DNS for your VLANs, start to configure it.

Message 4 of 6
phirestalker
Aspirant

Re: WAX610 how to send hostname with syslog

Ya, my WAX610 does not look like that.

 

Copied from logs page in web interface (cherry picked):

May 28 07:57:00 configd[3194]: Observed Active traffic on wifi1 radio

May 28 07:54:02 hostapd: wifi1vap1: STA [redacted] WPA: pairwise key handshake completed (RSN)

May 28 07:57:29 : Failed to get the accounttype [101] [no more rows available]
 

None of them have the IP or hostname in them, and this is exactly how graylog shows the message is received. This is why I posted here, as it seems to be neglecting to send the IP or hostname. Is there a tool I can use to collect the logs temporarily that will not mangle the raw data sent? Or should I just set up wireguard between the unit and graylog?

 

UPDATE:

I just gave the two "rogue" netgear devices their own syslog port so I can filter them properly.

Also, I just discovered that it is only sending limited logs to the remote syslog server. I only see entries from configd and none of the other daemons. How can I make it forward all log messages over syslog?

Message 5 of 6
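The two header layouts in this thread side by side, as an added example that is not part of the original posts and not NETGEAR or Graylog code: the RFC 5424 lines quoted in message 2 carry a HOSTNAME field, while the lines the WAX610 web UI shows in message 5 have a BSD-style "Mmm dd hh:mm:ss TAG[pid]:" header with no HOSTNAME at all, which is why a collector that assumes "TIMESTAMP HOSTNAME ..." reads "configd[3194]" as the host. The Python below reproduces that misparse, then normalises both layouts by falling back to the transport peer address (the RFC's own preference order puts an IP address above the NILVALUE) and re-emits RFC 5424 for a collector that expects the field. The sample lines, PIDs and peer addresses are constructed; the relay approach is an assumption, not a WAX610 setting. Caveat: a peer IP carried over plain UDP is only as trustworthy as the network, so this attribution is meaningful only on a segment where source addresses cannot be spoofed, or over an authenticated tunnel such as the WireGuard link mentioned above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not captured from a real device). The first mirrors
# the RFC 5424 layout of the wire captures quoted earlier in the thread; the
# others mirror the hostname-less lines the WAX610 web UI shows. PIDs and the
# peer addresses used below are made up.
RFC5424_LINE = ("<15>1 2022-05-28T14:42:20+02:00 10.10.1.182 configd 3925 - - "
                "configd[3925]: [rogue_ap_scan_5g] scan-threshold : 180")
WAX_LINE = "May 28 07:57:00 configd[3194]: Observed Active traffic on wifi1 radio"
WAX_LINE_NOTAG = "May 28 07:57:29 : Failed to get the accounttype [101] [no more rows available]"

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# RFC 5424 6.2: VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
#               SP STRUCTURED-DATA [SP MSG]
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# BSD-style header (RFC 3164 layout) with the HOSTNAME field missing altogether:
# "Mmm dd hh:mm:ss TAG[pid]: MSG"
BSD_NOHOST_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<tag>[A-Za-z0-9_./-]*)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


@dataclass
class SyslogRecord:
    hostname: str         # HOSTNAME after normalisation
    app_name: str
    procid: str
    msg: str
    pri: Optional[int]    # None when the line carried no <PRI>
    hostname_source: str  # "header" if the sender supplied it, "peer-ip" if we filled it in


def split_pri(line: str):
    """Strip a leading <PRI> if present; return (pri or None, remainder)."""
    m = PRI_RE.match(line)
    if m:
        return int(m.group("pri")), line[m.end():]
    return None, line


def naive_hostname(line: str) -> str:
    """What a parser that assumes 'TIMESTAMP HOSTNAME ...' extracts.

    For a header without HOSTNAME the TAG lands in that slot, which is the
    'configd[3194]' confusion reported in the thread."""
    _, rest = split_pri(line)
    fields = rest.split()
    if fields[0] == "1":   # RFC 5424: VERSION TIMESTAMP HOSTNAME
        return fields[2]
    return fields[3]       # BSD: Mmm dd hh:mm:ss HOSTNAME


def parse(line: str, peer_ip: str) -> SyslogRecord:
    """Parse either layout; fall back to the transport peer address as HOSTNAME.

    RFC 5424 6.2.4 ranks an IP address above the NILVALUE, so a sender that
    gives nothing (or '-') is attributed to the address the datagram came from."""
    pri, rest = split_pri(line)
    m = RFC5424_RE.match(rest)
    if m:
        host = m.group("host")
        if host == "-":
            return SyslogRecord(peer_ip, m.group("app"), m.group("procid"),
                                m.group("msg") or "", pri, "peer-ip")
        return SyslogRecord(host, m.group("app"), m.group("procid"),
                            m.group("msg") or "", pri, "header")
    m = BSD_NOHOST_RE.match(rest)
    if m:
        return SyslogRecord(peer_ip, m.group("tag") or "-", m.group("pid") or "-",
                            m.group("msg"), pri, "peer-ip")
    raise ValueError(f"unrecognised syslog line: {line!r}")


def to_rfc5424(rec: SyslogRecord, timestamp: str) -> str:
    """Re-emit a record as an RFC 5424 line with HOSTNAME filled in, for a relay
    in front of a collector that expects the field. PRI 14 (user.info) is an
    assumed default for lines that arrived without one."""
    pri = rec.pri if rec.pri is not None else 14
    return f"<{pri}>1 {timestamp} {rec.hostname} {rec.app_name} {rec.procid} - - {rec.msg}"


if __name__ == "__main__":
    print("naive parser sees host:", naive_hostname(WAX_LINE))
    rec = parse(WAX_LINE, "10.10.1.190")
    print(rec)
    print(to_rfc5424(rec, "2022-05-28T07:57:00Z"))
```

Keep the `hostname_source` marker on the records: a search for `hostname_source == "peer-ip"` is the quickest way to list the devices that never identify themselves, which is also the list to revisit once the FQDN option in the WAX6xx UI makes it into the syslog header.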
phirestalker
Aspirant

Re: WAX610 how to send hostname with syslog

Ugh, graylog truncated the search results. I am getting all the logs. Thanks for your help.

Message 6 of 6