Cheat Sheet: Syslog over a SSH Reverse Tunnel

Quick method to send syslog events over a ssh tunnel to a remote syslog server. This procedure used two Ubuntu 12.04 machines using the upstart event based init daemon. The syslog daemon in use is rsyslog. This method will refer to the server running rsyslogd as the loghost, and the client that is sending the logs remotely will be referred to as the syslog client.

Create syslog users

Configuring ssh public key authentication

This assumes that both systems sshd is configured to allow authtication with public keys.

Configuring ssh Rreverse Tunnel

We'll originate a reverse ssh tunnel on the loghost that listens on port 50514 on the loopback interface ( and ::1 ) on the client and empties out on our loghost on port 1514. So, any packet that is sent to on the syslog client, will be encrypted by the reverse ssh session and be available to be read on port 1514 on the loghost.

Configuring rsyslog


Automatic Tunnels with Upstart

Tested with Ubuntu 12.04