Troubleshoot with Netcat

A great thing about Linux is the netcat tool. It allows you to do quick network testing and network scanning, and can even establish reverse shells. I had an issue where I got syslog-ng set up on Ubuntu, but for some reason the filter wasn’t working. In syslog, filters are used to specify what IP your client will be sending from. I was doing this on a Cisco Meraki and specified the LAN of the client network. However, no logs were coming through.

Since we know syslog goes over UDP port 514, we can stop the syslog service so that it’s not using port 514 on our Ubuntu server: sudo service syslog-ng stop. Then run the netcat command below. -u specifies UDP and -n means to not use DNS. After doing this I started seeing traffic come in, showing that the source coming into the syslog server was different. As shown in the Expected Traffic Flow picture, traffic can come in through different ways. Since this was over a site-to-site VPN, the LAN subnet filter wasn’t working.

sudo service syslog-ng stop

sudo nc -l -u -n -v -p 514
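
The same check as a small script, added here as an example and not part of the original post: it listens on the UDP port the way the netcat command does, then lists each source IP seen and whether the subnet used in the syslog filter would match it. The script name, the addresses and the sample messages are constructed for illustration.

```python
import ipaddress
import socket
import sys
from collections import Counter

def in_filter(src_ip, filter_subnet):
    """True if src_ip is inside the subnet the syslog filter is written for."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(filter_subnet, strict=False)

def summarize(datagrams, filter_subnet):
    """Count messages per source IP and flag sources the filter would not match."""
    counts = Counter(src for src, _payload in datagrams)
    return [(src, n, in_filter(src, filter_subnet)) for src, n in sorted(counts.items())]

def listen(port, limit, bind_ip="0.0.0.0"):
    """Collect `limit` UDP datagrams as (source_ip, payload) pairs, like nc -l -u -n."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        seen = []
        while len(seen) < limit:
            data, (src_ip, _src_port) = sock.recvfrom(8192)
            seen.append((src_ip, data.decode("utf-8", "replace").strip()))
        return seen

# Constructed sample: the filter expects the client LAN, but most packets
# arrive from a different address (all addresses here are made up).
SAMPLE_FILTER = "192.168.10.0/24"
SAMPLE = [
    ("10.255.0.2", "<134>1 constructed flow message"),
    ("10.255.0.2", "<134>1 constructed url message"),
    ("192.168.10.1", "<134>1 constructed event message"),
]

if __name__ == "__main__":
    # Live use (hypothetical file name), after stopping syslog-ng:
    #   sudo python3 syslog_src.py 514 192.168.10.0/24
    if len(sys.argv) == 3:
        packets, subnet = listen(int(sys.argv[1]), limit=20), sys.argv[2]
    else:
        packets, subnet = SAMPLE, SAMPLE_FILTER
    for src, n, ok in summarize(packets, subnet):
        status = "matches filter" if ok else "NOT matched by filter"
        print(f"{src:15} {n:4} msgs  {status}")
```

Run without arguments, it prints the summary for the constructed sample, so no root access or free port is needed to see the output format.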
