Junior as syslog archiver

Tuesday 31 July 2007

Idea

You have a Junior box or equivalent sitting at the heart of your home network and want to use it as a network syslog archiver for all of your machines.

Aim

All Unix machines on your network store their syslog messages locally and also send them to Junior through UDP packets, where they are stored in separate files for each machine.

Solution

Install syslog-ng

The default Debian syslog can log network syslog messages coming from other machines on the same subnet (-r option). Unfortunately, syslog cannot easily be configured to store logs separately for each machine, so everything ends up in the same files, mixing information from all hosts as well as local messages. This can get quite confusing.

Enter syslog-ng: this new generation brings a lot of useful features, among them much better filtering of incoming messages and more control over how they are stored. The procedure to install it is as follows:


apt-get install syslog-ng

This will install syslog-ng and remove syslog.

For this example I assume we have a machine on the local network called ‘billy’ at address 192.168.1.10. Modify your /etc/syslog-ng/syslog-ng.conf configuration file as follows:

Add a UDP listener by un-commenting udp() in the source list:

source s_all {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" log_prefix("kernel: "));
    # use the following line if you want to receive remote UDP logging messages
    # (this is equivalent to the "-r" syslogd flag)
    udp();
};

Add another destination for log files generated by billy:

destination df_billy { file("/var/log/billy/messages.log"); };

Add a filter based on IP:

# all messages from billy
filter f_billy { netmask("192.168.1.10/32"); };

There are probably better ways to do filtering than providing a static IP address. Bear with me, I did not want to get any deeper into syslog-ng documentation since this fits the bill.

Add a rule to combine filter and output directory:

# Billy logs
log {
    source(s_all);
    filter(f_billy);
    destination(df_billy);
};

On billy, make sure syslogd is started with the option -R x.x.x.x, where x.x.x.x is the IP address of your syslog archive box.

You should now get messages logged in /var/log/billy/messages.log.
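To make the filter's behaviour concrete, the following Python model (an added example, not code from the original post or from syslog-ng) shows how a netmask() filter keys on the sender address of the UDP packet rather than on the hostname written inside the message, and that every log statement whose filter matches receives a copy unless one is marked final. The /24 route and the sample datagrams are constructed for illustration.

```python
import ipaddress
import re

# (filter netmask, destination file) pairs. The first mirrors the page's
# f_billy/df_billy; the second is a hypothetical subnet-wide catch-all.
ROUTES = [
    ("192.168.1.10/32", "/var/log/billy/messages.log"),
    ("192.168.1.0/24", "/var/log/lan/messages.log"),
]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog",
              "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def decode_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if invalid."""
    m = PRI_RE.match(datagram)
    if m is None or int(m.group(1)) > 191:
        return None
    fac, sev = divmod(int(m.group(1)), 8)
    if fac >= 16:
        name = "local%d" % (fac - 16)
    elif fac < len(FACILITIES):
        name = FACILITIES[fac]
    else:
        name = "facility%d" % fac
    return name, SEVERITIES[sev]


def destinations(sender_ip):
    """Every file whose netmask filter matches the packet's sender address."""
    addr = ipaddress.ip_address(sender_ip)
    return [path for net, path in ROUTES
            if addr in ipaddress.ip_network(net)]


# Constructed datagrams: (sender address of the UDP packet, payload).
SAMPLES = [
    ("192.168.1.10", b"<38>Jul 31 10:00:01 billy sshd[411]: session opened"),
    ("192.168.1.20", b"<13>Jul 31 10:00:02 billy test: text claims billy"),
    ("10.0.0.5", b"no priority header"),
]

if __name__ == "__main__":
    for ip, data in SAMPLES:
        print(ip, decode_pri(data), destinations(ip))
```

The second sample names billy in its text but comes from 192.168.1.20, so it never reaches billy's file.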


Wake-on-LAN

Sunday 1 July 2007

Looking through the BIOS for Junior, I could find no option to activate Wake-on-LAN. The way to achieve that is actually to configure the Ethernet chip directly. Under Debian, this is done with:
# ethtool -s eth0 wol g

The ‘g’ option for wake-on-lan (wol) actually specifies that you want to wake up on magic packets, but there are other interesting options if you want to wake up on other network events. Read the documentation for ethtool.

One important point: this setting only survives until the next boot. If you want to make it persistent, create a file called e.g. wol in /etc/network/if-up.d with the following contents:

#!/bin/bash
if [ "$IFACE" == "eth0" ]; then
    ethtool -s eth0 wol g
fi

Make the file executable with chmod +x wol.

I can now wake Junior from another Linux machine on the same subnet using tools like wakeonlan or etherwake. The former does not need root privileges to run, which is safer.


Bricked… and back

Sunday 1 July 2007

I bricked Junior by mistake.

The little box only has 128 MBytes of RAM, which very soon becomes insufficient, even when running limited pure-network processes. Adding swap on a Compact Flash is not a good idea, so I was desperately trying to squeeze the last Megs of RAM from the box. I did something stupid and disabled shared video memory in the BIOS. This bricked the box: no boot, no video, no response to keyboard inputs.

Do not disable shared video memory on these boxes!

To unbrick the box: remove the 4 bottom screws. Also remove the screws on the video plug on the back (one on each side), and the screw on the wireless antenna if you have one. Now you should be able to move the parts, but be really gentle. Slide out the grey cover, starting from the back, and you should now also be able to remove the bottom part of the box. The upper part stays soldered to the CPU, so do not even try to remove it by force.

If you carefully examine the top part you should see the battery. You will not be able to get to it, but you can see where it is soldered because there are two plugs coming out on the other side. Short-circuit these two plugs with a paper-clip and keep it there for several seconds. Try booting the box again, just plugging in a screen and keyboard, and see if you got it back. If you did not, short-circuit the plugs again for a few more seconds.

Re-build the box when you are done.

I guess I will have to make do with 128 Megs. Re-compiling the kernel may not be such a bad idea after all…