Router syslog to Linux Syslog server

First, configure the router to send its syslog to the Linux server: in the router (a Cisco RV042, for example) set the Linux server's IP address as the "syslog server" and enable logging.

tcpdump -nvvX udp port 514 -s 1500

Run tcpdump on the Linux server and check that the router's syslog packets are arriving on UDP port 514 (-s 1500 captures the whole datagram so the message text is visible).

-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 514 -j ACCEPT
/etc/init.d/iptables restart

If the packets show up in tcpdump but never reach syslogd, the firewall is blocking UDP 514: add the rule above and restart iptables (the chain name is the one Red Hat's lokkit generates; use whatever INPUT chain your own ruleset has). If the traffic already passes, skip this step. Because -r makes syslogd accept messages from any host, it is worth restricting the rule to the router's source address rather than opening UDP 514 to everyone.

vi /etc/sysconfig/syslog

SYSLOGD_OPTIONS="-m 0 -r"

-r makes syslogd accept messages from remote hosts on UDP 514 (without it the packets arrive but are dropped), and -m 0 turns off the periodic -- MARK -- lines. There must be no space around the = or the shell will not set the variable.

vi /etc/syslog.conf

*.info                                                  /var/log/router.log
*.info;mail.none;authpriv.none;cron.none;daemon.!info   /var/log/messages

- Add the router syslog line (the first one). Note that *.info also writes the server's own messages to router.log; to capture only the router, select on the facility it logs with instead.
- If *.info already goes to /var/log/messages, add daemon.!info to the end of that selector so the router's messages (sent with facility daemon in this setup) are not written twice. In sysklogd the negation goes after the dot: daemon.!info (or daemon.none); !daemon.info is not valid selector syntax and syslogd will reject the line.

vi /etc/logrotate.d/syslog

/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/router.log {
...

Add /var/log/router.log to the file list in the logrotate syslog entry so it is rotated with the other logs.

/etc/init.d/syslog restart
less /var/log/router.log

After these changes restart syslog and check that the router's messages are arriving in /var/log/router.log :)
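To verify the server side (firewall rule, -r option, syslog.conf selector) before relying on the router, it helps to send a hand-built syslog datagram from another host. The script below is an added example, not part of the original page: it builds an RFC 3164 message (PRI = facility * 8 + severity, so daemon.info is <30>) and sends it with bash's /dev/udp pseudo-device. The server address 192.168.1.10 and hostname RV042 in the usage line are assumptions.

```shell
#!/bin/bash
# Added example: send a test syslog message to the Linux syslog server over
# UDP 514 so the forwarding path can be checked without the router.

# Map a facility name to its RFC 3164 code.
syslog_facility_code() {
    case "$1" in
        kern) echo 0 ;;  user) echo 1 ;;  mail) echo 2 ;;   daemon) echo 3 ;;
        auth) echo 4 ;;  syslog) echo 5 ;; lpr) echo 6 ;;   news) echo 7 ;;
        uucp) echo 8 ;;  cron) echo 9 ;;  authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $(( 16 + ${1#local} )) ;;
        *) echo "unknown facility: $1" >&2; return 1 ;;
    esac
}

# Map a severity name to its RFC 3164 code.
syslog_severity_code() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;;  crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo "unknown severity: $1" >&2; return 1 ;;
    esac
}

# PRI = facility * 8 + severity; daemon.info gives 30, which is what the
# daemon.!info selector in syslog.conf matches on.
syslog_pri() {
    echo $(( $(syslog_facility_code "$1") * 8 + $(syslog_severity_code "$2") ))
}

# Build the datagram: <PRI>TIMESTAMP HOSTNAME MSG. %e pads a single-digit day
# with a space ("Jul  3"), the same form syslogd writes to router.log.
syslog_message() {
    facility=$1; severity=$2; host=$3; msg=$4
    printf '<%s>%s %s %s' "$(syslog_pri "$facility" "$severity")" \
        "$(date '+%b %e %H:%M:%S')" "$host" "$msg"
}

# Send to the server with bash's /dev/udp device; no netcat needed.
syslog_send() {
    server=$1; shift
    syslog_message "$@" > "/dev/udp/$server/514"
}

# Usage (assumed addresses), then look for the line in /var/log/router.log:
#   syslog_send 192.168.1.10 daemon info RV042 "test message from syslog_send"
```

If the message appears in tcpdump but not in router.log, the problem is on the syslogd side (-r or the selector); if it does not appear in tcpdump either, it is the firewall.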

#######################################################

grep 'Flood' /var/log/router.log | awk '{print $14}' | sort | uniq -c | sort -nr

PS: this one-liner counts, per source IP, the "Block Syn Flood" entries in router.log. The field number ($14) depends on the router's message layout, so check it against a sample line with awk before trusting the counts.

grep SRC /var/log/messages | grep "Jul  3 10:" | awk '{print $9}' | sort | uniq -c | sort -nr

PS: this one counts source IPs for one specific hour. Note that syslogd pads a single-digit day with a space ("Jul  3", two spaces), so the date pattern must include it or nothing will match.
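Both one-liners above break as soon as the router's message layout shifts a field or the day of month changes width. The function below is an added example, not from the original page: it runs against constructed sample lines (not real RV042 output) and pulls the address out of the SRC= token wherever it sits, filtering on month, day and hour from the syslogd prefix with awk's whitespace-collapsing field split, so "Jul  3" and "Jul 13" are handled the same way.

```shell
#!/bin/sh
# Added example: count source IPs in router syslog lines by SRC= token,
# optionally restricted to one hour. Sample data below is constructed.

ROUTER_LOG_SAMPLE='Jul  3 10:12:01 192.168.1.1 Block Syn Flood IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP
Jul  3 10:12:07 192.168.1.1 Block Syn Flood IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP
Jul  3 10:13:44 192.168.1.1 Block Syn Flood IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP
Jul  3 11:02:10 192.168.1.1 Block Syn Flood IN=eth0 SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP
Jul  3 11:05:33 192.168.1.1 Connection Accepted SRC=192.168.1.50 DST=93.184.216.34 PROTO=TCP'

# top_sources PATTERN [MON DAY HOUR]
# Reads log lines on stdin, keeps those matching PATTERN (and, if given, the
# month/day/hour of the syslogd prefix), extracts the SRC= address from each
# and prints "count ip" sorted by count, like sort | uniq -c | sort -nr.
top_sources() {
    pattern=$1; mon=${2:-}; day=${3:-}; hour=${4:-}
    awk -v pat="$pattern" -v mon="$mon" -v day="$day" -v hour="$hour" '
        $0 !~ pat { next }
        # syslogd prefix: $1=month, $2=day (padding collapsed), $3=HH:MM:SS
        mon != "" && ($1 != mon || $2 != day || substr($3, 1, 2) != hour) { next }
        {
            # look for the SRC= token instead of trusting a fixed field number
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); count[$i]++ }
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -nr
}

# Against the sample (in production: top_sources Flood < /var/log/router.log):
printf '%s\n' "$ROUTER_LOG_SAMPLE" | top_sources 'Flood'
# Only the 10:00 hour on Jul 3, any line carrying a SRC= token:
printf '%s\n' "$ROUTER_LOG_SAMPLE" | top_sources 'SRC=' Jul 3 10
```

Passing the month, day and hour as separate arguments avoids the two-space problem entirely, because awk splits on runs of whitespace and compares the day as a value rather than as text.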

Alan Studio © 2007 by Alan Cheung Hin Lun. All rights reserved.