Setting Up Linux Mint RSyslog Server to Log Vigor Router Data

Much of this post is a brief intro to logging interface traffic in general and then viewing the logs at a basic level; it applies to most other devices that can send syslog to UDP port 514.

My Vigor 2830 has a syslog feature that can send varied packet type data to another syslog server over the network, set up via its SysMaintenance page:


It also has an email alert function, from which I have never received anything bar the first test mail! This is despite repeated pings to the external interface, which I would hope would trigger as a DoS attack, as ticked above and as shown being sent in the video below…?

Setting up your Linux server to accept these logs takes very few steps. First, use nmap to confirm that UDP port 514 on your server is not already in use:

sudo nmap -sU -p 514

Starting Nmap 6.40 ( ) at 2016-07-31 22:37 BST

Nmap scan report for

Host is up (0.0018s latency).


514/udp closed syslog

MAC Address: 00:23:54:3A:EB:9A (Asustek Computer)

Uncomment the following lines in /etc/rsyslog.conf (the immark line is optional, it only adds periodic -- MARK -- heartbeat lines; imudp and $UDPServerRun are what open the UDP 514 listener):

sudo vi /etc/rsyslog.conf

$ModLoad immark # provides --MARK-- message capability

$ModLoad imudp

$UDPServerRun 514
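Those two lines open an unauthenticated UDP listener on every interface of the server, so any host on the LAN (or beyond, if the box is exposed) can write into /var/log/syslog and, because UDP syslog carries no sender verification, forge router messages. The drop-in below is an added example and not part of the original post; it assumes the path /etc/rsyslog.d/10-vigor.conf, a server LAN address of 192.168.1.10 and a router address of 192.168.1.1. It uses rsyslog's newer module()/input() syntax to bind the listener to the LAN address only, discards datagrams that do not come from the router's address, and writes router messages to their own file rather than mixing them into /var/log/syslog:

```conf
# /etc/rsyslog.d/10-vigor.conf  (assumed path; added example, not from the post)

# Weak form, equivalent to the two lines uncommented in rsyslog.conf:
# listens on 0.0.0.0:514 and accepts datagrams from any host.
#   $ModLoad imudp
#   $UDPServerRun 514

module(load="imudp")

# Separate ruleset so router messages never reach the default rules
# (and therefore never land in /var/log/syslog).
ruleset(name="vigor") {
    # Drop anything not from the router (assumed 192.168.1.1). UDP syslog has
    # no authentication, so a source-address check is the only sender check
    # available; a spoofed datagram from the LAN would still pass it.
    if $fromhost-ip != "192.168.1.1" then stop

    action(type="omfile" file="/var/log/vigor.log")
    stop
}

# Hardened form: bind only to the server's LAN address (assumed 192.168.1.10)
# and hand every datagram to the ruleset above.
input(type="imudp" port="514" address="192.168.1.10" ruleset="vigor")
```

If you use this drop-in, leave the legacy $ModLoad imudp / $UDPServerRun lines commented out in rsyslog.conf, otherwise rsyslog will try to load imudp twice and open a second, unrestricted listener. Check the syntax with sudo rsyslogd -N1 before restarting, then confirm with sudo ss -ulnp | grep 514 that the socket is bound to the LAN address and not to 0.0.0.0, and block UDP 514 from the WAN side at the firewall regardless.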

Restart rsyslog:

sudo service rsyslog restart

rsyslog stop/waiting

rsyslog start/running, process 4219

Check that the port now shows as listening. nmap reports a UDP port that does not answer as open|filtered, so that (rather than a plain open) is the expected result:

sudo nmap -sU -p 514

Starting Nmap 6.40 ( ) at 2016-07-31 22:38 BST

Nmap scan report for

Host is up (0.0023s latency).


514/udp open|filtered syslog

MAC Address: 00:23:54:3A:EB:9A (Asustek Computer)

Now test it by watching the log output from the router in real time with

tail -f /var/log/syslog

while sending the external interface some pings and an nmap scan. The router's dynamic WAN IP address is found here:


You can see the varied ports nmap uses to probe the interface in the video:

If you want to scan the logs in future for Vigor-specific data, you can grep for Vigor:

grep Vigor /var/log/syslog

or view the output in real time:

tail -f /var/log/syslog | grep Vigor


or for nmap probes or DoS pings, you can grep for ICMP:

grep ICMP /var/log/syslog
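Grepping shows you the raw lines, but the questions you actually want answered are "which source sent how many ICMP probes" and "which source touched how many different ports". The script below is an added example, not code from the original post. It relies only on the word Vigor appearing in every router line (which is what the grep above depends on); the bracketed field layout "[src:port->dst:port][PROTO]" in the sample is an assumption, so adjust the sed patterns to whatever your own router emits. The sample lines are constructed with TEST-NET addresses, not a real capture.

```shell
#!/bin/sh
# Added example, not from the post: summarise router events that rsyslog has
# written to /var/log/syslog. The "[src:port->dst:port][PROTO]" field layout
# below is an ASSUMPTION about the router's format; adapt the sed patterns.

# Constructed sample lines (TEST-NET addresses, not a real capture).
SAMPLE_LOG=$(cat <<'EOF'
Jul 31 22:40:01 hpmint Vigor: [DOS][Block][ICMP_flood][198.51.100.7:0->203.0.113.5:0][ICMP]
Jul 31 22:40:01 hpmint Vigor: [DOS][Block][ICMP_flood][198.51.100.7:0->203.0.113.5:0][ICMP]
Jul 31 22:40:02 hpmint Vigor: [DOS][Block][ICMP_flood][198.51.100.7:0->203.0.113.5:0][ICMP]
Jul 31 22:40:05 hpmint Vigor: [FILTER][Block][198.51.100.9:44321->203.0.113.5:22][TCP]
Jul 31 22:40:06 hpmint Vigor: [FILTER][Block][198.51.100.9:44322->203.0.113.5:80][TCP]
Jul 31 22:40:09 hpmint Vigor: [DOS][Block][ICMP_flood][192.0.2.44:0->203.0.113.5:0][ICMP]
Jul 31 22:40:10 hpmint CRON[4300]: (root) CMD (ping -c1 192.0.2.44)
EOF
)

# Source address of every router ICMP event, one per line (stdin -> stdout).
# Non-router lines (the CRON line above) are dropped by the Vigor filter.
icmp_sources() {
    grep 'Vigor' | grep 'ICMP' \
      | sed -n 's/.*\[\([0-9.]*\):[0-9]*->.*/\1/p'
}

# ICMP events per source, busiest first, as "count ip".
icmp_counts() {
    icmp_sources | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sources with at least THRESHOLD ICMP events (default 3): the "DoS pings"
# the post is looking for, without reading every line by eye.
icmp_floods() {
    threshold="${1:-3}"
    icmp_counts | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Distinct destination ports probed per source on TCP/UDP lines, as
# "ports ip"; one source touching many ports is the nmap signature.
scanned_ports() {
    grep 'Vigor' | grep -E '\[(TCP|UDP)\]' \
      | sed -n 's/.*\[\([0-9.]*\):[0-9]*->[0-9.]*:\([0-9]*\)\].*/\1 \2/p' \
      | sort -u | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Demo on the sample; for the real log use e.g.  icmp_floods 20 < /var/log/syslog
printf '%s\n' "$SAMPLE_LOG" | icmp_counts
printf '%s\n' "$SAMPLE_LOG" | scanned_ports
```

Save it as a file, source it (. ./vigorlog.sh) and run icmp_floods 20 < /var/log/syslog or scanned_ports < /var/log/syslog over the whole file; the functions sort their input, so they need the complete log rather than a tail -f stream. The ICMP threshold is yours to tune: a handful of pings from a monitoring host is normal, hundreds per minute from one address is not.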


If you see suspicious-looking traffic, you can look up the source IP address with an Internet whois service. Bear in mind that the source of a one-way probe such as a ping can be spoofed trivially, whereas an attacker who needs the replies (a TCP port scan, for example) usually cannot hide behind a forged address. So you get an idea, say you are curious about


Ah, it's just Google, as I have my browser open…!

But why use the browser when Unix has had these tools built in for years? You can check, for example, the ISP gateway IP that shows up talking to your router:


% This is the RIPE Database query service.

% The objects are in RPSL format.


% The RIPE Database is subject to Terms and Conditions.

% See

% Note: this output has been filtered.

% To receive output for a database update, use the "-B" flag.

% Information related to ' –'

% Abuse contact for ' –' is ''

inetnum: –


descr: Private Circuit Customer Networks

country: GB

admin-c: BS1474-RIPE

tech-c: BS1474-RIPE


remarks: Please send abuse notification to

remarks: New netname

remarks: INFRA-AW

mnt-by: BTNET-MNT

mnt-lower: BTNET-MNT

mnt-routes: BTNET-MNT

created: 2003-08-20T09:18:52Z

last-modified: 2010-07-29T09:43:25Z

source: RIPE

role: BTnet Support

address: Adhara

address: Adastral Park

address: Martlesham Heath

address: Ipswich

address: SUFFLK IP5 3RE

address: GB

phone: +44 800 0858963 5

phone: +44 1473 336231

admin-c: FLS15-RIPE

tech-c: BS1474-RIPE

nic-hdl: BS1474-RIPE

remarks: For all queries contact

remarks: Please send delisting issues to

mnt-by: BTNET-MNT

created: 2002-04-30T07:54:10Z

last-modified: 2009-11-19T15:52:52Z

source: RIPE # Filtered

% Information related to ''


descr: BTnet

origin: AS2856


created: 1970-01-01T00:00:00Z

last-modified: 2014-07-30T09:23:02Z

source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.87.4 (BLAARKOP)

Perfectly legit as my ISP is Plusnet, owned by BT!
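A whois answer is long and most of it is irrelevant when you are triaging a list of source addresses. The script below is an added example, not from the original post: whois_summary boils a RIPE-style answer on stdin down to the range, network name, country, origin AS and abuse mailbox, and lookup_sources runs whois on each address piped in. The sample answer is constructed (TEST-NET range, example mailbox) in the layout of the real output shown above; the exact field names are those RIPE uses, but other registries may label them differently.

```shell
#!/bin/sh
# Added example, not from the post: condense whois output for triage.

# Constructed RIPE-style answer (not a real record) in the layout shown above.
SAMPLE_WHOIS=$(cat <<'EOF'
% This is the RIPE Database query service.
% Abuse contact for '192.0.2.0 - 192.0.2.255' is 'abuse@isp.example'
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-CUST
descr:          Private Circuit Customer Networks
country:        GB
mnt-by:         BTNET-MNT
route:          192.0.2.0/24
descr:          BTnet
origin:         AS2856
EOF
)

# Reduce a whois answer on stdin to one line:
#   "<inetnum> | <netname> | <country> | <origin AS> | <abuse mailbox>"
# Only the first occurrence of each field is kept, since the inetnum object
# comes before the route object in RIPE output. The abuse mailbox is taken
# from the "% Abuse contact for '...' is '...'" comment line.
whois_summary() {
    awk -F': *' '
        /^% Abuse contact for/ { n = split($0, q, "\047"); abuse = q[n-1] }
        $1 == "inetnum" && !rng { rng = $2 }
        $1 == "netname" && !nn  { nn  = $2 }
        $1 == "country" && !cc  { cc  = $2 }
        $1 == "origin"  && !asn { asn = $2 }
        END { printf "%s | %s | %s | %s | %s\n", rng, nn, cc, asn, abuse }'
}

# Look up every distinct address piped in (one per line) and summarise it.
# Needs network access, so it is not exercised in the demo below.
lookup_sources() {
    sort -u | while read -r ip; do
        printf '%s: ' "$ip"
        whois "$ip" | whois_summary
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_WHOIS" | whois_summary
```

In use, feed it the addresses you extracted from the log, for example printf '%s\n' 198.51.100.7 192.0.2.44 | lookup_sources, and go easy on the rate: the RIPE service limits queries per source address.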

If you wish to view the remote logs locally in a clearer window than a terminal or vim, try the rather basic Log File Viewer found in Menu/Admin, forwarded over ssh with X11:

stevee@AMD ~ $ ssh -X hpmint

stevee@hpmint ~ $ gnome-system-log

Beyond that you need to choose a GUI log analyzer to suit your preference.

If you are serious about inspecting interface traffic rather than just the router's summaries, install Snort, a network intrusion detection system. I may do a post on it soon.

If you only want tools from the Linux repositories, you can explore the log-related packages by pressing the Tab key after typing "log" in the apt-get install command, then research candidates such as logster and loganalyzer:

sudo apt-get install log
loganalyzer logfs-tools-dbg logisim logstalgia
logapp loggedfs logitech-applet logster
logaricheck loggedfs-dbg logjam logtail
logcentral loggerhead logkeys logtool
logcentral-tools loggerhead-doc logol logtools
logcheck logidee-tools logol-bin logtop
logcheck-database login logreq logwatch
logfs-tools login-duo logrotate

Logs you may want to investigate residing in /var/log: