Rsyslog to direct log messages to local syslog host on port 5000 using TCP

Question

I have configured the below filter for rsyslog to direct a few SSH messages to a specific TCP port 5000 on the local system, so that the service running on the 5000 will process the SSH messages further.

if $fromhost-ip == '127.0.0.1' and ( ($msg contains 'SSH') and ($msg contains 'Test') ) then @@127.0.0.1:5000

Everything seems fine, but the messages are not redirected to the port 5000 and if we direct the messages to UDP port it is working fine.

Below is the filter for messages directing to UDP port.

if $fromhost-ip == '127.0.0.1' and ( ($msg contains 'SSH') and ($msg contains 'Test') ) then @127.0.0.1:5000

Could you please let me know, why TCP port do not work and UDP port works.

Answer 1

I think that you can use tunneling for this. For example

ssh username@serverAddress -L 5000:11.22.33.44:80

    # username - username on server
    # serverAddress - server address
    # 8080: - port on the local machine that will be opened on loopback interface (127.0.0.1)
    # 11.22.33.44 - IP address of the server that we'll create a tunnel to using SSH

Look here for more info: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-tunneling-on-a-vps

I hope this helps!

Answer 2

May be you decide to use RELP? (https://en.wikipedia.org/wiki/Reliable_Event_Logging_Protocol)

As described at https://linux.die.net/man/5/rsyslog.conf

you need to replace your "then @127.0.0.1:5000" to "then :omrelp:127.0.0.1:5000"