Quick method to send syslog events over an ssh tunnel to a remote syslog server. This procedure was done on two Ubuntu 12.04 machines using the upstart event-based init daemon. The syslog daemon in use is rsyslog. In this write-up the server running rsyslogd is called the loghost, and the client that sends its logs remotely is called the syslog client.
First, create a dedicated, unprivileged rsyslog-remote user on both the loghost and the syslog client. The rsyslog-remote user's /etc/passwd entry:

    rsyslog-remote:x:50514:50514::/home/rsyslog-remote:/bin/rbash

The rsyslog-remote user's /etc/group entry:

    rsyslog-remote:x:50514:

Make sure the rsyslog-remote user's password is very hard to guess, with tons of entropy... or better yet, lock the account, since we'll be using ssh keys for authentication. This assumes that sshd on both systems is configured to allow authentication with public keys.

On the loghost, generate an ssh key pair for the rsyslog-remote user:

    cd ~rsyslog-remote
    sudo -u rsyslog-remote ssh-keygen

Copy the public key over to the syslog client:

    root@loghost:~# scp /home/rsyslog-remote/.ssh/id_rsa.pub user@syslog-client.blackhole-networks.com:

On the syslog client, append the public key to the authorized_keys file for the rsyslog-remote user and fix its ownership and permissions:

    cat /home/user/id_rsa.pub >> /home/rsyslog-remote/.ssh/authorized_keys
    chown rsyslog-remote:rsyslog-remote /home/rsyslog-remote/.ssh/authorized_keys
    chmod 600 /home/rsyslog-remote/.ssh/authorized_keys
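As an added example that is not part of the original post, here is a small POSIX shell script that installs the loghost's public key on the syslog client the way the step above does, but with restrictive authorized_keys options so the key is good for the reverse tunnel and nothing else, without duplicating the key on re-runs, and with a check of the resulting ownership and mode. The function names, the option list and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): install a tunnel-only public
# key into an authorized_keys file with restrictive options, idempotently,
# and verify ownership/permissions afterwards. Function names, the option
# list and the GNU 'stat -c' call are assumptions.

# Key options that still allow the remote forward (-R) but deny a shell,
# a PTY, agent/X11 forwarding and ~/.ssh/rc if the key ever leaks.
# Do NOT add no-port-forwarding: it disables -R as well and breaks the tunnel.
TUNNEL_KEY_OPTS='no-pty,no-agent-forwarding,no-X11-forwarding,no-user-rc,command="/bin/false"'

# install_tunnel_key <id_rsa.pub> <authorized_keys> [owner]
install_tunnel_key() {
    pub=$1; ak=$2; owner=${3:-$(id -un)}
    # a public key file is exactly one "<type> <base64> [comment]" line
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "$pub: expected exactly one key" >&2; return 1; }
    keytype=$(cut -d' ' -f1 "$pub"); keydata=$(cut -d' ' -f2 "$pub")
    case $keytype in ssh-rsa|ssh-ed25519|ecdsa-*) ;; *) echo "$pub: unknown key type" >&2; return 1;; esac
    mkdir -p "$(dirname "$ak")" && chmod 700 "$(dirname "$ak")"
    touch "$ak"
    # idempotent: a plain 'cat >> authorized_keys' adds a duplicate on every run
    if ! grep -qF -- "$keydata" "$ak"; then
        printf '%s %s\n' "$TUNNEL_KEY_OPTS" "$(cat "$pub")" >> "$ak"
    fi
    chown "$owner:$(id -gn "$owner")" "$ak" && chmod 600 "$ak"
}

# verify_tunnel_key <authorized_keys> <owner>: returns 0 only if the file is
# mode 600, owned by <owner>, and every key line carries the restrictions
verify_tunnel_key() {
    ak=$1; owner=$2
    [ "$(stat -c '%a %U' "$ak")" = "600 $owner" ] || { echo "$ak: bad mode or owner" >&2; return 1; }
    unrestricted=$(grep -vc '^no-pty,' "$ak" || true)
    [ "$unrestricted" -eq 0 ] || { echo "$ak: $unrestricted key(s) without restrictions" >&2; return 1; }
}
```

Run it on the syslog client as root with the copied id_rsa.pub, /home/rsyslog-remote/.ssh/authorized_keys and rsyslog-remote as the arguments; verify_tunnel_key is also handy as a periodic check that nobody has added an unrestricted key to that file.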
We'll originate a reverse ssh tunnel from the loghost. It listens on port 50514 on the loopback interface (127.0.0.1 and ::1) of the syslog client and empties out on the loghost on port 1514. So any packet sent to 127.0.0.1:50514 on the syslog client is encrypted by the reverse ssh session and can be read on port 1514 on the loghost. Run this on the loghost:

    sudo -u rsyslog-remote ssh -nN -R 50514:loghost.blackhole-networks.com:1514 syslog-client.blackhole-networks.com
On the syslog client, tell rsyslog to forward everything into the tunnel. Add the following line to /etc/rsyslog.d/50-default.conf, or place it in a new file like /etc/rsyslog.d/60-remote-ssh-tunnel.conf. The *.* selector matches every facility and priority, and the @@ prefix specifies TCP transport vice UDP (a single @ would mean UDP):

    *.* @@127.0.0.1:50514

Then restart rsyslog on the syslog client:

    service rsyslog restart
On the loghost, enable TCP syslog reception on port 1514 in the /etc/rsyslog.d/50-default.conf file:

    # provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPMaxSessions 500
    $InputTCPServerRun 1514

Note that imtcp listens on all interfaces by default, so anything that can reach port 1514 on the loghost directly can also submit logs in the clear, bypassing the tunnel; restrict that port with a host firewall if it matters. Restart rsyslog on the loghost:

    service rsyslog restart

Then watch the log on the loghost:

    user@loghost-1:~$ tail -f /var/log/syslog
Now send a test message from the syslog client with the logger command (its -p switch can be used to send a message with a specific facility and priority):

    user@syslog-client:~$ logger "This is a Stupid Test\!"

On the loghost the message shows up:

    user@loghost:~$ tail -f /var/log/syslog
    Jan  8 23:21:07 syslog-client user: This is a Stupid Test\!
To keep the tunnel up across reboots and dropped ssh sessions, create an upstart job on the loghost in the /etc/init directory called /etc/init/rsyslog-rssh-syslog-client.conf:

    # rsyslog-rssh-syslog-client - reverse ssh tunnel for syslog
    #
    # This service maintains a remote ssh reverse tunnel for syslog-ing

    start on stopped rc or RUNLEVEL=[2345]
    stop on runlevel [!2345]
    respawn
    exec sudo -u rsyslog-remote ssh -nN -R 50514:loghost.blackhole-networks.com:1514 syslog-client.blackhole-networks.com

respawn only helps if ssh actually exits when the connection dies; setting ServerAliveInterval and ServerAliveCountMax in the rsyslog-remote user's ssh config makes a silently dropped tunnel fail fast so upstart can restart it. Start the job:

    root@loghost:~# start rsyslog-rssh-syslog-client
    rsyslog-rssh-syslog-client start/running, process 9816