Mars syslog

I am working with customer with MARS and
never had much support for the product. I set up SNMP trap syslog on an IOS router that I did a discover on and an activate on MARS. But when I go to query and put in the IP address of the gateway and ask for all raw messages, I get nothing. Any idea of what I am doing wrong, or can it not be obtained this way?

You can recover the pnadmin password (or any other admin account password) if you have another admin account available. To do this, you would log in to the MARS SSH console via the alternate admin account and run the unlock or passwd command (depending on the scenario), as mentioned here:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/command/reference/cref1.html#wp1141308
If the account you want to unlock is a non-admin account, you can even use the GUI, as described here:
http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/authen.html#wp715359
If there is no alternate admin account available, then the only way to reset the password is to re-image the box (AFAIK).
Please rate if helpful
Regards
Farrukh

Similar Messages

  • CSM and MARS syslog

    Hi, I have CSM 3.3.1 and MARS, and all devices' syslogs are pointing to them.
    I want to see live syslog messages, just like what Kiwi does. Is this applicable? How?

    Hi Alkabeer,
    You can view real time syslog via ASDM. ( For PIX, ASA, or FWSM in the Security Manager device inventory).
    In an ASDM device manager launched from Security Manager, you can monitor system log messages in the Real-time Log Viewer window and the Log Buffer window. You can select a syslog message displayed in either window and navigate to the access-control rule in Security Manager that triggered the message, where you can update the rule as necessary.
    The Real-time Log Viewer is a separate window that lets you view syslog messages as they are logged. The separate Log Buffer window lets you view messages present in the syslog buffer.
    For IOS Router syslog, You can use SDM.
    In an SDM device manager launched from Security Manager, you can view a log of events categorized by security level under the Syslog tab of the Logging window. You can select a syslog message and navigate to the access-control rule in Security Manager that triggered the message, where you can update the rule as necessary.
    The Monitor > Logging option in SDM offers four log tabs; Syslog is the only one of these offering the Security Manager access-rule look-up option. The router contains a log of events categorized by severity level. The Syslog tab displays the router log, even if log messages are being forwarded to a syslog server.
    And
    In CS-MARS, You can generate reports to see devices syslogs.
    Keep Smiling, Peace

  • CS-MARS syslog raw file import

    Hi, I need to import a raw syslog file of a device, generated a few days before the CS-MARS installation: how to?
    Thank you in advance

    Paul's right, it can't be done...at least not without some other application to read in the file and re-send the syslogs. It wouldn't serve much use anyway, last I checked MARS timestamped most events based on when they were received so the data would be all wrong. You might take a look at the 4.3.1 which was just released, it contains some sort of functionality to move data from the old hardware to the new.
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/4_3/rn431.pdf

  • Cisco MARS Syslog messages

    Hi,
    I've recently noticed that ALL the syslog messages that are sent to our Cisco MARS device are then being sent to our syslog server. Besides the messages from our MARS device, the syslog server also gets the original syslog messages from our ASA and PIX firewalls (which, of course, also send to our MARS device). I would like to have MARS send syslog messages to the syslog server that pertain only to changes/events happening directly to the MARS device. Can anyone help me with this?
    Thanks in advance!

    Kerry;
      To have CS-MARS specific incidents forwarded to your syslog server, you will most likely want to add an action to generate a syslog for the CS-MARS-specific inspection rules.  These rules can be found by navigating to:
    RULES>Inspection Rules
    from the Group: drop-down choose "System: CS-MARS Issues"
      You can then edit the Action: section for the specific rules (one at a time) to add a syslog action.  Specifics are outlined here:
    http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/user/guide/combo/alerts.html
    Scott

  • Welcome to the MARS Discussion

    Welcome to the Cisco Networking Professionals Cisco Security MARS Forum. This conversation will provide you the opportunity to discuss the product, solutions and issues surrounding Cisco Security MARS deployments, maintenance and integration. We encourage everyone to share their knowledge and start conversations about topics involving the Cisco Security MARS.
    Remember, just like in the workplace, be courteous to your fellow forum participants. Please refrain from using disparaging or obscene language or posting advertisements.
    We encourage you to tell your fellow networking professionals about the site.
    Dan Bruhn
    NetPro Community Manager

    Great to have a special forum for MARS !
    Are there any best practices documents that would get me up to speed with customizing MARS to show more focused alerts? For instance until I've configured IPS events into MARS, syslog events from ASA/FWSM were not enough for MARS to conclude that a scan is being performed.
    I tried to make a lot of "noise" with hacking tools such as Nessus across the firewalls w/o any special "Critical" level alerts.
    Thanks,
    Yigal

  • Welcome to the Metro Discussion

    Welcome to the Cisco Networking Professionals Connection Service Provider Forum. This conversation will provide you the opportunity to discuss issues surrounding Metro. We encourage everyone to share their knowledge and start conversations on issues such as MAN, Metro IP, Metro Ethernet Switching, Metro Optical Transport, DPT, SDH/SONET, Gigabit Ethernet, WDM and any other topic concerning Metro.
    Remember, just like in the workplace, be courteous to your fellow forum participants. Please refrain from using disparaging or obscene language or posting advertisements.
    We encourage you to tell your fellow networking professionals about the site. If you would like us to send them a personal invitation simply send their names and e-mail addresses along with your name to us at [email protected]

  • MARS didn't capture the Syslog for a Switch

    Hi All,
    I have CSMARS configured for my enterprise network. In one of the major incidents, one of the line cards of my 6509 went faulty with the following syslog:
    09-19-2010 09:59:40 UTC Local0.Error 192.168.228.3 150: Sep 19 15:19:32 IST: %EARL-SP-3-RESET_LC: Resetting module in slot 1. (Errorcode 1)
    09-19-2010 09:59:40 UTC Local0.Error 192.168.228.3 151: Sep 19 15:19:32 IST: %PF_ASIC-SPSTBY-3-ASIC_DUMP: [0:0x20C] ME_AR_P2MMU_FREE_TAIL = 0x28E
    However, this syslog message was not captured by the CSMARS, or maybe I am not finding a way to locate this error in the incidents tab.
    Please help me in understanding whether CSMARS captures all the events or not, or whether I have to enable some events to be forwarded to CSMARS. Or, if the log is registered, how can I find this log in MARS?

    EDIT:
    I just noticed the attachment in your last message.  It looks like you've mis-configured the device type in MARS. 
    If you are running Native IOS on your 6509 (such as 12.2SXH or SXI), the device type should be "Cisco Switch-IOS 12.2" to parse the logs correctly.  The device type "Cisco IOS 12.2" is for routers running IOS 12.2.
    I'm going to assume the faulty line card is not in the critical path between this switch and your MARS server (correct?).  Otherwise, halijenn's comment applies.
    Anyway, have you verified that you're receiving logs from that switch in MARS?  Have you verified they are being parsed correctly?  The easiest way is to run a query in MARS.
    - Run a query for the last 7 or more days
    - "Result Format" should be "All Matching Events" (or all matching sessions)
    - Under "Reporting Device", select the switch in question
    This will return any events from that switch, and verify that it's reporting (and being parsed) properly.
    If that's successful, I would run a second query.
    - Change the "Result Format" to "All Matching Event Raw Messages"
    - Limit the time frame to an hour before and after the timestamp on the log you pasted above
    - Under "Keyword", add "EARL\-SP\-3\-RESET\_LC" (without quotes), and set "Operation" to "OR"
    - In the second field, enter "PF\_ASIC\-SPSTBY\-3\-ASIC\_DUMP" (no quotes)
    This is a regular expression that should match the logs you're looking for.  Apply the settings and run the query.  This should tell you if MARS at least received the log.  If it did, then more work will need to be done to figure out why it didn't report properly.
    Just FYI -- it's very possible that MARS could not completely parse that specific log, which happens with a lot of messages from the 6509s.  It often reports them as "Generic IOS Syslog" or something similar.

  • ISE offloading syslogs real time to MARS

    I am working on my implementation of ISE and I want to offload real time logs from ISE to MARS.  Is this possible and is there anything special that is needed to perform this?                  

    To collect logs externally, you configure external syslog servers, called targets. Logging targets are locations where the system logs are collected. In Cisco ISE, targets refer to the IP addresses of the servers that collect and store logs. You can generate and store logs locally, or you can FTP them to an external server. Cisco ISE has the following default targets, which are dynamically configured in the loopback addresses of the local system:
    • LogCollector—Default syslog target for the Log Collector.
    • ProfilerRadiusProbe—Default syslog target for the Profiler Radius Probe.
    To create an external logging target, complete the following steps:
    Step 1 From the ISE Administration Interface, choose Administration > System > Logging > Remote Logging Targets.
    The Remote Logging Targets page appears.
    Click Add.
    Step 2 The Log Collector page appears.
    Step 3 Configure the following fields:
    a. Name—Enter the name of the new target.
    b. Target Type—By default it is set to Syslog. The value of this field cannot be changed.
    c. Description— Enter a brief description of the new target.
    d. IP Address—Enter the IP address of the destination machine where you want to store the logs.
    e. Port—Enter the port number of the destination machine.
    f. Facility Code—Choose the syslog facility code to be used for logging. Valid options are Local0 through Local7.
    g. Maximum Length— Enter the maximum length of the remote log target messages. Valid options are from 200 to 1024 bytes.
    Step 4 Click Save.

  • SYSLOG managers for CS-MARS

    Hi all,
    I have a question about “syslog” and “cisco mars”
    We have the Snare Event Reporter for sending syslog to CS-MARS, and I would like to know if there is another software compatible with the appliance ...
    I know there is another similar event handler which is called "event reporter".
    And I would like to confirm if this is compatible with CS-MARS; if not, could you tell me if there is any other software I can work with?
    Thank you in advance and best regards.

    You can use any syslog exporter out there, but the problem is, when the log is received by MARS, whether MARS can parse it or not. MARS is looking for specific fields for data and if they are not there, it will just log the message as Unknown Event Type.
    I had this issue when I got MARS up and running in my company. I had Datagram Syslog Agent installed on a lot of servers, which is way better than SNARE, but MARS wouldn't recognize the message. Look below for an example of a log message, one sent with Syslog Agent and the other with SNARE. After I saw the difference between the two messages, it was obvious why Syslog Agent was not working for me.
    Since then, I have had to start rolling out SNARE to all my servers. It's possible to create a custom parser for MARS to accept a different format, but it seemed much easier to just switch over to SNARE.
    Syslog Agent
    12-17-2008 08:31:04 Local7.Error 127.0.0.1 Dec 17 08:31:02 x.x.x.x mysql[error] 100 C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort abortedFor more information, see Help and Support Center athttp://www.mysql.com.
    SNARE
    12-17-2008 08:29:57 Local0.Notice 127.0.0.1 Dec 17 08:29:57 x.x.x.x MSWinEventLog<009>1<009>Application<009>22<009>Wed Dec 17 08:29:52 2008<009>100<009>MySQL<009>Unknown User<009>N/A<009>Error<009>x.x.x.x<009>None<009><009>C:\Program Files\Cisco Systems\Cisco IPS Manager Express\MYSQL\bin\mysqld-nt: Sort aborted For more information, see Help and Support Center at http://www.mysql.com. <009>17

  • Mars 6.0.7 Syslog Requirement for Enterasys Dragon NIDS 7.x

    Apparently the MARS docs are incorrect when it comes to fashioning a syslog message from a Dragon 7.x NIDS. I formatted the message as requested but MARS keeps displaying "Unknown Device Event". The Event IDs are correct but MARS does not recognize the syslog messages as coming from the Dragon. Does anyone know what the MARS parser is expecting for an Enterasys message? As I said, I used the example in the MARS 6.x Device Configuration Guide and it did not work. One of the MARS guides actually displays what is expected for a Snort message and I was hoping there was such an example for Dragon. Thanks.

    You can create a support package from the Dragon 6.x signatures provided by MARS and fashion them for 7.x. I wish I could provide the support package we created but we are not allowed to export it from the customer site. Basically here is what you do:
    1. Create your own Device Type for Dragon 7.x. You can define it as an appliance or software but we opted for "appliance".
    2. Modify your Dragon ESM to export syslog messages in the following format:
        %DATE% %TIME% SrcIP=%SIP% SrcPort=%SPORT% DstIP=%DIP% DstPort=%DPORT% Protocol=%PROTO% %NAME% %SENSOR%
    We tested this with an NMAP scan which resulted in the following syslog message as received by MARS:
    <175>alarmtool: 2010-08-11 15:12:22 SrcIP=172.16.1.1 SrcPort=0 DstIP=172.16.1.2 DstPort=0 Protocol=0 TCP-SCAN dragon-VS1
    3. Create one Device Event Type using the following parse pattern:
    Position    Key Pattern         Parsed Fld                       Value Type             Value Format                            Value Pattern
    1              alarmtool:            Device Time                   Time                         %Y-%m-%d %H:%M:%S        \d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}
    2             .+SrcIP\=             Source Address              IPV4 Dotted Quad                                                  (\d{1,3}\.){3}\d{1,3}
    3            .+SrcPort\=           Source Port                    Port Number                                                          ((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)
    4            .+DstIP\=              Destination Address        IPV4 Dotted Quad                                                  (\d{1,3}\.){3}\d{1,3}
    5            .+DstPort\=           Destination Port              Port Number                                                          ((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)
    6            .+Protocol\=          Protocol                         Protocol Number                                                    ((0x[a-fA-F\d]{1,2})|(0\d{1,3})|([1-9]\d{0,2})|0)
    7            .+TCP-SCAN         None                             String                                                                    ([\w-]+)\-?[\w-]{3}
    4. You can now export a support package that will give you the XML format needed for your new 7.x support package. The XML file will reside in the ZIP file created by the export process.
    5. You will now need the Device Event Numbers and Device Event IDs used by the Dragon 6.x signatures. These can be retrieved from within MARS by browsing to the Dragon 6.x NIDS Device Events. Make sure you view ALL of the Events by selecting the "10,000" rows per page option. Now right-click on this page and select "View Source". Save this to a file (Ex. Dragon6_Events.txt).
    6. You now have to extract the important data from the file created in step 5. This can be done with a few Linux grep statements and a text editor.
        a. To extract the Device Event Numbers, you can use the following grep script:
            grep '!--' Dragon6_Events.txt | grep -o -P '[0-9]{7,8}\ /?([0-9]{1,5})?' > Cisco_Dragon_Event_Numbers.txt
            NOTE: This file will be used to define the etList section of the XML file.
        b. Extract the Dragon Event IDs and numbers from the Dragon6_Events.txt file:
            grep -B2 '!--' Dragon6_Events.txt > Dragon6_Events_Stripped.txt
        c. Use grep or a text editor to remove everything from Dragon6_Events_Stripped.txt except for the Event IDs and numbers.
            When done your file should contain data in the following format:
            SPY:TOPREBATES-CONFIRM
            6503131
            ACROBAT:PDF-EXPLOIT-MALWARE
            6503132
    NOTE: If a Windows text editor was used for any of the edits you will want to run "dos2unix" against the files.
    7. Start creating your new support package XML file by:
        a. Open the "data_package.xml" file from the support package created in step 4.
        b. Copy the data up to the "etList" section and paste it into a new "data_package.xml" file.
        c. Use a bash script (see attached "create_etList.sh" file) to read the Cisco_Dragon_Event_Numbers.txt file and export the data into a properly formatted "etList" section. Copy the etList section into the new "data_package.xml" file.
        d. Use another bash script (cannot attach it at this time) to read the Dragon6_Events_Stripped.txt file and export the data into a properly formatted "det id" section. Copy the new "det id" section into the new "data_package.xml" file.
        e. Finally, copy the lines after the "det id" section of the original data_package.xml file into the new XML file.
    NOTE: This process basically creates a new data_package.xml file containing approximately 4900 device events.
    8. Lastly, place the new XML file under a "dsf" directory and place it in a ZIP file. This becomes your new support package.
    We successfully imported the ZIP file as a Device Support Package. The import took a while - we went home and the next morning it was successful.
    Some items to note are:
    1. Make sure there are NO duplicates in the etList section. This can be accomplished by importing the Cisco_Dragon_Event_Numbers.txt data into Excel and filtering out the duplicates.
    2. Make sure all of the "det id" entries have a corresponding etList entry otherwise you'll get a DSF failure when trying to import the Device Support Package.
    3. To check the validity of your XML format, load your XML file in Firefox. If there are any errors, Firefox will tell you which line contains the issue. IE did not correctly tell us where errors appeared.
    4. I will attach the second bash script when I can get around to re-typing it. It is basically the same script as the one attached except it echoes the lines needed to format the "det id" section. It also contains a switch to process the Event ID text then the Event Number.
    Good luck!
    Dave Grannas
    Senior Consultant
    Intelesys Corp.
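    As an added illustration (not code from the post, from MARS or from Enterasys), the following Python applies the seven-position parse pattern in step 3 above to the NMAP scan message quoted in step 2, the way a positional key/value parser would, and also feeds it a constructed message that fails at position 2, which is the outcome MARS reports as "Unknown Device Event". The field names, the <PRI> decoding and the handling of leading-zero numbers are my assumptions, not something the table specifies.

```python
import re
from datetime import datetime

# The seven positions of the parse pattern table in step 3:
# (key pattern, parsed field, value type, value pattern). A parsed field of
# None means the token must be present but is not stored (the MARS "None" row).
PARSE_PATTERN = [
    (r"alarmtool:",   "device_time", "time",   r"\d{4}-\d{1,2}-\d{1,2} \d{1,2}:\d{1,2}:\d{1,2}"),
    (r".+SrcIP\=",    "src_addr",    "ipv4",   r"(\d{1,3}\.){3}\d{1,3}"),
    (r".+SrcPort\=",  "src_port",    "port",   r"((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)"),
    (r".+DstIP\=",    "dst_addr",    "ipv4",   r"(\d{1,3}\.){3}\d{1,3}"),
    (r".+DstPort\=",  "dst_port",    "port",   r"((0x[a-fA-F\d]{1,4})|(0\d{1,6})|([1-9]\d{0,4})|0)"),
    (r".+Protocol\=", "protocol",    "proto",  r"((0x[a-fA-F\d]{1,2})|(0\d{1,3})|([1-9]\d{0,2})|0)"),
    (r".+TCP-SCAN",   None,          "string", r"([\w-]+)\-?[\w-]{3}"),
]
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # "Value Format" column for position 1

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def split_pri(raw):
    """Strip the <PRI> header the receiver sees (the <175> in the post) and
    decode it: PRI = facility * 8 + severity (RFC 3164)."""
    m = re.match(r"<(\d{1,3})>(.*)", raw, re.DOTALL)
    if not m:
        return None, None, raw
    pri = int(m.group(1))
    facility, severity = pri >> 3, pri & 7
    name = "local%d" % (facility - 16) if 16 <= facility <= 23 else str(facility)
    return name, SEVERITIES[severity], m.group(2)


def to_number(text):
    """Port and protocol value patterns accept hex (0x...) or decimal; a
    leading-zero value is read as decimal here (assumption: the table does
    not say how MARS interprets it)."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    return int(text, 10)


def parse_dragon(raw):
    """Walk the message position by position: each key pattern is matched from
    where the previous value ended, then the value pattern is matched right
    after the key. Returns the parsed fields, or None when any position fails,
    which is the case MARS shows as "Unknown Device Event"."""
    facility, severity, msg = split_pri(raw)
    fields = {"facility": facility, "severity": severity}
    pos = 0
    for key_pat, field, vtype, val_pat in PARSE_PATTERN:
        key = re.compile(key_pat + r"\s*").match(msg, pos)
        if key is None:
            return None
        val = re.compile(val_pat).match(msg, key.end())
        if val is None:
            return None
        pos = val.end()
        if field is None:
            continue  # matched to identify the event, not stored
        text = val.group(0)
        if vtype == "time":
            fields[field] = datetime.strptime(text, TIME_FORMAT)
        elif vtype in ("port", "proto"):
            fields[field] = to_number(text)
        else:
            fields[field] = text
    return fields


# The NMAP scan message quoted in the post, exactly as MARS received it.
SAMPLE = ("<175>alarmtool: 2010-08-11 15:12:22 SrcIP=172.16.1.1 SrcPort=0 "
          "DstIP=172.16.1.2 DstPort=0 Protocol=0 TCP-SCAN dragon-VS1")

# Constructed counter-example: same alert, but the ESM was left on a format
# without the SrcIP=/DstIP= keys, so position 2 never matches.
UNPARSED = "<175>alarmtool: 2010-08-11 15:12:22 172.16.1.1 172.16.1.2 TCP-SCAN dragon-VS1"

if __name__ == "__main__":
    print(parse_dragon(SAMPLE))    # all seven positions match
    print(parse_dragon(UNPARSED))  # None: what MARS would call Unknown Device Event
```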

  • Cisco firewall rate limited syslogs and MARS

    We're getting a ton of informational packets (tcp build / teardown) from firewalls here.  I can kill this at the source (drop to "notification" level, filter out the build / teardown events, etc.) but would rather not throw this stuff away (good clues in an investigation).
    I can filter this on the MARS side so rules don't fire, but that doesn't address the performance hit at the firewall, or the traffic on the network.
    I can rate limit at the firewall - if I do, will MARS be able to parse this out properly? I.e. if there's a rule that fires on a 100 count, for example, and a firewall that's set to rate limit a certain event to, say, every 200 instances of the event, and a single syslog shows up at MARS with rate-limited information in the packet, will the MARS rule fire?
    hope this makes sense - thanks

    What kind of firewall are you running?  ASA?  FWSM?  Something else?
    If you're running an ASA, the ideal solution would be to implement Netflow Secure Event Logging (NSEL).  This feature uses Netflow v9 to handle security event logging along with traffic flow data.  Using NSEL can provide performance improvements over syslog, both on the ASA, and on your network. 
    Part of the configuration process includes a command to disable the redundant syslog types already handled by NSEL.  Many of those are the same types of logs you mentioned (buildups/teardowns, etc).  It's very simple to configure - you can read more about it here, in the ASA 8.2 CLI Configuration Guide:
    Configuring Network Secure Event Logging (NSEL)
    If you're running a FWSM, the same option isn't available.  Instead, you might want to reconsider disabling some of the log types that aren't really providing much benefit relative to the load.  In fact, Cisco themselves recommend disabling some of the more unimportant (but frequent) log types.
    From the "Cisco SIEM Deployment Guide", one of the "Smart Business Architecture" design guides (emphasis mine):
    At logging level Informational, Cisco recommends disabling the following messages, as they are of little interest for SIEM analysis:
        305010: The address translation slot was deleted
        305011: A TCP, UDP, or ICMP address translation slot was created
        305012: The address translation slot was deleted
    To disable these messages, use the following configuration commands:
        no logging message 305010
        no logging message 305011
        no logging message 305012
    For more aggressive tuning, you may also consider disabling the following messages:
        302014: A TCP connection between two hosts was deleted
        302016: A UDP connection slot between two hosts was deleted
    If dynamic Network Address Translation (NAT) is not configured on the appliance, message 302013 (for TCP connection slot creation) can also be disabled.
    So, that's at least 6 possible log types that can be disabled with no impact: 302013, 302014, 302016, 305010, 305011, and 305012.  And that's straight from Cisco's own documentation.
    Now, to expand on that ...
    - if 302016 (UDP teardown) can be disabled, why not 302015 (UDP create)?
    - similarly, what about 302020 and 302021 (ICMP)? Disable those as well?
    Final list:
    302013
    302014
    302015
    302016
    302020
    302021
    305010
    305011
    305012
    In the end, though, only you can determine which options are acceptable for your environment.
    Note: all 3020xx log types listed are disabled automatically during the NSEL configuration process.

  • Redirecting Syslogs from CiscoWorks to MARS

    I can see that CiscoWorks is capable of redirecting syslogs it receives to another syslog server. Though can it redirect them to MARS and will MARS be able to correlate the messages?
    Thanks in advance.
    Paul

    No, you have to do it the other way around AFAIK.
    Send all syslogs to MARS, and then have MARS forward it to LMS. The "Report Device's" IP is very important for MARS to correlate information.
    Regards
    Farrukh

  • Syslog Forwarding in CS-MARS

    Hey all,
    Is there any documentation on configuring this? I don't see it in the User Guide for the CS-MARS Local Controller. I have read this: "Syslog Forwarding support in Cisco Security MARS will allow Cisco Security MARS to forward syslog messages it receives from syslog sources to another syslog receiver." But I can't find out how to do this.

    This is documented on the following link, but you cannot do this on the web-interface, you have to login via console/ssh:
    http://cio.cisco.com/univercd/cc/td/doc/product/vpn/ciscosec/mars/4_3/uglc/cfgover.htm#wp1300778
    Regards
    Farrukh

  • MARS does not understand syslog from ACS SW 4.2

    Hi!
    I have MARS ver 6.0.1 and ACS SW 4.2. I'm configuring ACS to send syslog to MARS (new mode without pnagent).
    MARS receives syslogs from ACS but shows "Unknown Event Type" in the Report and Activity page (see attachment).

    Your attachment is not uploaded properly, but I believe you are hitting bug ID CSCsu78913.
    Upgrade to 6.0.2 for the fix.
    RJ

  • Can't get syslog to work

    I have been trying to get syslog to work to accept logging from my router (which is directed to syslog to the IP address of my primary Mac), but with no success.
    I've gone through Aaron Adams' procedures:
    http://www.aaronadams.net/index.php/2005/06/02/configuringsyslogd_to_accept_logsfrom
    I've edited my /etc/syslog.conf file:
    *.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console
    *.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit /var/log/system.log
    # COMMENT this out for now to see any local4 messages on system log?
    # ;local4.none
    # Send messages normally sent to the console also to the serial port.
    # To stop messages from being sent out the serial port, comment out this line.
    #*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial
    # The authpriv log file should be restricted access; these
    # messages shouldn't go to terminals or publically-readable
    # files.
    authpriv.*;remoteauth.crit /var/log/secure.log
    lpr.info /var/log/lpr.log
    mail.* /var/log/mail.log
    ftp.* /var/log/ftp.log
    netinfo.err /var/log/netinfo.log
    install.* /var/log/install.log
    install.* @127.0.0.1:32376
    local0.* /var/log/ipfw.log
    *.emerg *
    local0.* /var/log/Airport.log
    local4.* /var/log/local4.log
    # DEBUG: what happens on the other local facilities?
    local1.* /var/log/local1.log
    local2.* /var/log/local2.log
    local3.* /var/log/local3.log
    local5.* /var/log/local5.log
    local6.* /var/log/local6.log
    local7.* /var/log/local7.log
    I've re-loaded /System/Library/LaunchDaemons/com.apple.syslogd.plist, and edited /etc/daily.local, and those mechanisms are working, but always local4.log is an empty file. Empty log files exist in /var/log:
    $ ls -al /var/log | grep "local"
    -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local1.log
    -rw-r--r-- 1 root wheel 41975 Mar 16 16:38 local2.log
    -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local3.log
    -rw-r--r-- 1 root wheel 0 Mar 20 03:15 local4.log
    -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local5.log
    -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local6.log
    -rw-r--r-- 1 root wheel 0 Dec 11 11:56 local7.log
    netstat shows two syslog connections:
    $netstat -f inet -a | grep "syslog"
    udp4 0 0 *.syslog .
    udp46 0 0 *.syslog .
    But a port scan (Apple network Utility) from another LAN computer doesn't show port 514 open. I am not running Apple's software firewall.
    It seems to me that without port 514 open, I'll never get anything, but how do I open it. I had assumed that all of the syslog set-up gyrations would cause it to be open.
    Any ideas?
    G4 "Gigabit" Dual-500   Mac OS X (10.4.8)   1.5GB RAM, 1TB internal, SCSI, 802.11g, USB2.0

    Your question about local4 got me to dig further into a few things.
    Aaron Adams has a couple of good posts on how to set up the syslog.conf and daily actions:
    http://www.aaronadams.net/index.php/2005/06/02/configuringsyslogd_to_accept_logsfrom
    But the following article is what got me on the local4 bandwagon (I don't know why it assumes local4 would be used):
    http://www.macosxhints.com/article.php?story=20060327074531639
    As we now know nothing happens on local4 unless it is specifically set up to do so. The following article has the best big-picture summary and references on how to handle logs from different sources (i.e., setting up syslog to redirect messages from the IP address of my router to a special log:
    http://macosx.com/forums/howto-faqs/47791-howto-syslog-remote-events-etc.html
    Anyway, to make a long story short, the router IS actually sending to syslog (I was expecting messages in local4 and never saw anything in syslog because it only shows *.notice and above, and the router mainly spews out *.info). It took a bunch of playing with tcpdump to figure it out (I can't seem to get tcpflow to show UDP, even though the man page says it uses the same library and expressions as tcpdump). So everything is good now: messages are coming in to a special log and overwhelming syslog, logs get rotated properly overnight, with some filtering I get the distilled info I want, and via GeekTool I even see it on my desktop in real time. Thanks for your help!
