Rsyslog to direct log messages to local syslog host on port 5000 using TCP
I have configured the below filter for rsyslog to direct a few SSH messages to a specific TCP port 5000 on the local system, so that the service running on port 5000 will process the SSH messages further.

if $fromhost-ip == '127.0.0.1' and ( ($msg contains 'SSH') and ($msg contains 'Test') ) then @@127.0.0.1:5000

Everything seems fine, but the messages are not redirected to the port 5000 and if we direct the messages to UDP port it is working fine.

Below is the filter for messages directing to UDP port.

if $fromhost-ip == '127.0.0.1' and ( ($msg contains 'SSH') and ($msg contains 'Test') ) then @127.0.0.1:5000

Could you please let me know why the TCP port does not work while the UDP port works?

Saenz answered 21/2, 2017 at 3:40 Comment(4)
Maybe a firewall is getting in the way. Does telnet 127.0.0.1 5000 connect successfully or give an error? – Morbihan
@MarkPlotnick, Telnet is working fine. root@blr09> telnet 127.0.0.1 5000 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is '^]'. ^] telnet> – Saenz
Can you verify that rsyslog is actually listening to the port? netstat -tnlp | grep rsyslog? Then make sure that the firewall is configured too (i.e., in fedora): firewall-cmd --zone=zone --add-port=5000/tcp – Oligoclase
@arash, rsyslog is running on UDP port. root@blr09> netstat -nlp | grep rsyslog udp 0 0 0.0.0.0:27129 0.0.0.0:* 11218/rsyslogd udp 0 0 0.0.0.0:29046 0.0.0.0:* 11218/rsyslogd – Saenz
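One practical difference between the two filters above is what arrives at the service on port 5000: with @ (UDP) every datagram is one complete message, whereas with @@ (TCP) rsyslog holds one connection open and writes a byte stream, so the receiver has to split that stream into messages itself. The Python script below is an added example, not code from the question or any answer, that stands in for the service on port 5000: it listens on 127.0.0.1 (an ephemeral port instead of 5000 so it can run anywhere), reads a TCP stream the way rsyslog's forwarder would send it, splits it using both framings rsyslog can emit (newline-terminated, its default, and the octet-counted form of RFC 6587 selected with omfwd's TCP_Framing setting), and applies the same predicate as the question's filter. The log lines and the hostname in them are constructed for the example.

```python
import socket
import threading
from typing import List

# Constructed sample messages (not real log lines from the question's host),
# shaped like what rsyslog's "@@127.0.0.1:5000" (omfwd over TCP) would send.
MSG_SSH_TEST = b"<38>Mar  2 04:40:31 blr09 sshd[1234]: SSH Test login for user alice"
MSG_OTHER = b"<38>Mar  2 04:40:32 blr09 sshd[1234]: unrelated line"
MSG_SSH_TEST_2 = b"<38>Mar  2 04:40:33 blr09 sshd[1235]: SSH Test session closed"

# rsyslog's default TCP framing is "traditional": one message per line.
# With omfwd's TCP_Framing="octet-counted" (RFC 6587) each message is
# prefixed by its byte length and a space instead.  The stream below mixes
# both forms so the parser is exercised on each; the length prefix is
# computed rather than typed so it cannot drift from the message.
SAMPLE_STREAM = (
    MSG_SSH_TEST + b"\n"
    + MSG_OTHER + b"\n"
    + str(len(MSG_SSH_TEST_2)).encode() + b" " + MSG_SSH_TEST_2
)


def split_frames(data: bytes) -> List[bytes]:
    """Split a raw TCP byte stream into individual syslog messages.

    A syslog message starts with "<PRI>", so a leading digit can only be an
    octet-count prefix; anything else is treated as a newline-terminated line.
    """
    frames: List[bytes] = []
    pos = 0
    while pos < len(data):
        if data[pos:pos + 1].isdigit():
            space = data.index(b" ", pos)
            length = int(data[pos:space])
            start = space + 1
            frames.append(data[start:start + length])
            pos = start + length
        else:
            newline = data.find(b"\n", pos)
            if newline == -1:
                newline = len(data)
            frames.append(data[pos:newline])
            pos = newline + 1
    return frames


def matches_filter(message: bytes) -> bool:
    """Equivalent of the question's rsyslog test:
    ($msg contains 'SSH') and ($msg contains 'Test').
    rsyslog's "contains" is a case-sensitive substring match."""
    return b"SSH" in message and b"Test" in message


def run_local_exchange(stream: bytes) -> List[bytes]:
    """Start a TCP listener on 127.0.0.1, send `stream` to it over one
    connection (as rsyslog's @@ forwarder would), and return the received
    messages that satisfy the filter."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    server.listen(1)
    port = server.getsockname()[1]
    received = bytearray()

    def accept_and_read() -> None:
        conn, _ = server.accept()
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # peer closed the connection: end of stream
                    break
                received.extend(chunk)

    reader = threading.Thread(target=accept_and_read)
    reader.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        client.sendall(stream)
    reader.join()
    server.close()
    return [m for m in split_frames(bytes(received)) if matches_filter(m)]


if __name__ == "__main__":
    for message in run_local_exchange(SAMPLE_STREAM):
        print("would be processed by the port-5000 service:", message.decode())
```

A receiver that expects one message per read, as a UDP receiver can, will silently mis-split a TCP stream (several messages in one recv, or one message across two), which looks exactly like "messages are not redirected" from the sender's side; checking the raw bytes the service receives, as this script does, separates that case from a delivery problem.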

I think that you can use tunneling for this. For example

ssh username@serverAddress -L 5000:11.22.33.44:80

    # username - username on server
    # serverAddress - server address
    # 5000: - port on the local machine that will be opened on loopback interface (127.0.0.1)
    # 11.22.33.44 - IP address of the server that we'll create a tunnel to using SSH
    # :80 - port on 11.22.33.44 that connections to local port 5000 are forwarded to

Look here for more info: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-tunneling-on-a-vps

I hope this helps!

Haftarah answered 2/3, 2017 at 1:42 Comment(0)

Maybe you could use RELP? (https://en.wikipedia.org/wiki/Reliable_Event_Logging_Protocol)

As described at https://linux.die.net/man/5/rsyslog.conf

you need to replace your "then @127.0.0.1:5000" with "then :omrelp:127.0.0.1:5000"

Cinchonize answered 2/3, 2017 at 7:6 Comment(6)
I am getting the below error when I add omrelp and restart rsyslog. "Mar 2 04:40:31 blr09 rsyslogd-2207: error during parsing file /etc/rsyslog.d/atl_security.conf, on or before line 1: errors occured in file '/etc/rsyslog.d/atl_security.conf' around line 1 [try rsyslog.com/e/2207 ]" root@blr09> cat /etc/rsyslog.d/atl_security.conf if $fromhost-ip == '127.0.0.1' and ( ($msg contains 'SSH') and ($msg contains 'Test') ) then :omrelp:127.0.0.1:5000 root@blr09> – Saenz
Can you please provide the output of rsyslogd -v – Cinchonize
root@blr09> rsyslogd -v rsyslogd 7.4.7, compiled with: FEATURE_REGEXP: Yes FEATURE_LARGEFILE: No GSSAPI Kerberos 5 support: Yes FEATURE_DEBUG (debug build, slow code): No 32bit Atomic operations supported: Yes 64bit Atomic operations supported: Yes Runtime Instrumentation (slow code): No uuid support: Yes See rsyslog.com for more information. root@blr09> – Saenz
Hm! I supposed you use v8. Ok, let's start from the beginning rsyslog.com/doc/v7-stable/configuration/index.html As I understand you need another replacement: "then @@127.0.0.1:5000" – Cinchonize
Could you please explain more about the replacement. – Saenz
As I understand rsyslog version 7 syntax: @127.0.0.1:5000 == proto=UDP, host=127.0.0.1, port=5000. And the doubling @ as this: @@127.0.0.1:5000 - switches proto to TCP – Cinchonize
