Syslog over SSH

Nathaniel Hall halln at otc.edu
Thu Sep 16 16:05:24 UTC 2004


I believe I have figured out my ssh tunnel problems; however, I am still 
unable to get it completely working.  Here is the setup:

Srv1 ---> LogSrv

For SSH, I have set up public key encryption to keep from having to 
provide a password.  Here are the commands I am using:

On the LogSrv
        nc -l -p 9999 | nc localhost -u syslog &

On Srv1
        ssh -C -L 9999:192.168.190.153:9999 root at 192.168.190.153 &   (to initiate the ssh connection)
        nc -l -u -p syslog | nc localhost 9999 &   (to redirect to the correct ports)

I can get everything to connect, but when I try to send it logs, it does 
not receive them on LogSrv.  I previously set up this test machine to log 
directly using syslog and changed the configuration to test with SSH 
tunnels.  It worked previously.  Now, here is what I get:

    [2]+  Stopped                 nc -l -u -p syslog | nc localhost 9999

This usually shows up when I send a test entry using Logger Test, but 
not always.  Any ideas or questions, just e-mail me or the list and I'll 
respond.

Nathaniel Hall
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking

halln at otc.edu
417-799-0552
Nathaniel Hall wrote:

> I am trying to set up a secure logging server using syslog (I know, use 
> Syslog-NG).  I did some research and found that I should use netcat, 
> but I am unable to get it working correctly.  So far, I have found this:
>      Netcat will happily pipe UDP into a TCP stream. On the client machine,
>
>     you would want to do something like:
>     
>             nc -l -u -p syslog | nc localhost 9999
>     
>     (as root, to bind to the syslog port)
>     
>     On your syslog server end, you'd do something like:
>     
>              nc -l -p 9999 | nc localhost -u syslog
>     
>     Set up your ssh tunnel from port 9999 on the client machine to
>     port 9999 on the syslog server machine.
>     
>     Set up syslogd on the client to log the messages to localhost. Also,
>     make sure that the client syslogd is set up to not receive messages
>     from the network.
>     
>     You'll want to filter on the TCP listening port on the server to prevent
>     people from DoS'ing you with spurious messages.
>
>     < http://www.patoche.org/LTT/security/00000118.html >
>
> I have tried this and have not been able to get it to work.  Any ideas?
>
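
The two netcat pipes in the quoted recipe, as an added Python example (not code from the post or from the redhat-list): a UDP-to-TCP syslog relay that adds octet-counting framing, because a raw "nc -l -u | nc" pipe loses datagram boundaries and messages can arrive merged or split on the server. It also runs the relay end to end on loopback; the plain TCP connection stands in for the ssh -L tunnel, and the ports and sample syslog lines are constructed for the demo.

```python
import socket

def frame(datagram):
    """Octet-counting frame '<len> <msg>' so datagram edges survive the TCP stream."""
    return b"%d %s" % (len(datagram), datagram)

def unframe(buf):
    """Split a byte stream into complete datagrams; return (messages, unconsumed tail)."""
    msgs = []
    while True:
        sp = buf.find(b" ")
        if sp < 0 or not buf[:sp].isdigit():
            break  # length prefix not complete yet (or not a frame at all)
        n = int(buf[:sp])
        if len(buf) < sp + 1 + n:
            break  # message body still partial; keep it for the next recv()
        msgs.append(buf[sp + 1:sp + 1 + n])
        buf = buf[sp + 1 + n:]
    return msgs, buf

def relay_udp_to_tcp(udp_sock, tcp_sock, count):
    """Client side ('nc -l -u -p syslog | nc localhost 9999'): UDP in, framed TCP out."""
    for _ in range(count):
        tcp_sock.sendall(frame(udp_sock.recvfrom(65535)[0]))

def relay_tcp_to_udp(tcp_sock, udp_out, dest, count):
    """Server side ('nc -l -p 9999 | nc localhost -u syslog'): framed TCP in, UDP out."""
    buf, delivered = b"", 0
    while delivered < count and (chunk := tcp_sock.recv(4096)):
        msgs, buf = unframe(buf + chunk)  # stream may split or merge messages
        for m in msgs:
            udp_out.sendto(m, dest)
            delivered += 1
    return delivered

def demo(messages):
    """Loopback run; a plain TCP connection stands in for the ssh -L tunnel. Returns what 'syslogd' got."""
    tcp_listen = socket.create_server(("127.0.0.1", 0))  # constructed: ephemeral port, not 9999
    client_tcp = socket.create_connection(tcp_listen.getsockname())
    server_tcp, _ = tcp_listen.accept()
    client_udp, server_udp, syslogd = (socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(3))
    client_udp.bind(("127.0.0.1", 0))  # stands in for the UDP syslog port on Srv1
    syslogd.bind(("127.0.0.1", 0))     # stands in for syslogd listening on LogSrv
    syslogd.settimeout(2)
    for m in messages:  # stand-in for the local syslogd forwarding to localhost
        client_udp.sendto(m, client_udp.getsockname())
    relay_udp_to_tcp(client_udp, client_tcp, len(messages))
    relay_tcp_to_udp(server_tcp, server_udp, syslogd.getsockname(), len(messages))
    return [syslogd.recvfrom(65535)[0] for _ in messages]
```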
More information about the redhat-list mailing list