I have configured the filter below for rsyslog to direct a few SSH messages to a specific TCP port, 5000, on the local system, so that the service running on port 5000 will process the SSH messages further.
if $fromhost-ip == '127.0.0.1' and ( ($msg contains 'SSH') and ($msg contains 'Test') ) then @@127.0.0.1:5000
Everything seems fine, but the messages are not redirected to port 5000; if we direct the messages to a UDP port, it works fine.
Below is the filter for directing messages to the UDP port.
if $fromhost-ip == '127.0.0.1' and ( ($msg contains 'SSH') and ($msg contains 'Test') ) then @127.0.0.1:5000
Could you please let me know why the TCP port does not work and the UDP port works.
TCP is a connection-oriented and reliable transmission protocol that can use the same port 514 to send syslog messages to syslog daemons. TCP is used by default for data transmission in syslog collecting tools like rsyslog and syslog-ng.
The directive you just added above defines that the Rsyslog service should send all facilities with all priority levels (in other words, all logs) to the IP address (0.0.0.0 in the above example) of the centralized server at TCP port 514.
To configure a machine to send logs to a remote rsyslog server, add a line to the rules section in the /etc/rsyslog.conf file. In place of the file name, use the IP address of the remote rsyslog server. To use UDP, prefix the IP address with a single @ sign.
TCP port 10514 is often used. This is an rsyslog-specific protocol, which is more reliable than TCP and prevents message loss.
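Added example, written for this page and not code from the question or from any of the answers: a small Python receiver that accepts both what the "@" action sends (UDP datagrams, one message per datagram) and what the "@@" action sends (a TCP byte stream). On TCP the receiving service has to cut the stream into messages itself: rsyslog's omfwd uses LF-terminated "traditional" framing by default, and can be switched to RFC 6587 octet-counting ("<length> <message>"), so the splitter handles both and keeps a partial trailing frame until more bytes arrive. Two things worth checking against this when "@@" delivers nothing are whether the service on port 5000 has a TCP listener at all (ss -ltnp will show it; a UDP-only service simply refuses the connection) and whether it splits the stream rather than treating each recv() as one message. The host, port and the sshd log line in loopback_demo() are assumed values; loopback_demo() starts the receiver on free ports in a thread and sends it one UDP datagram and two TCP frames.

```python
"""Receiver for what rsyslog's '@' (UDP) and '@@' (TCP) actions send.

Added example, not code from the question or the answers. One UDP and one
TCP listener share the port; the TCP stream is split using either framing
omfwd can produce: LF-terminated (its default) or RFC 6587 octet-counting.
"""
import selectors
import socket
import threading


def split_frames(buf):
    """Split a TCP syslog stream into complete messages.

    Returns (messages, remainder); remainder is a trailing partial frame.
    A syslog message starts with '<' (the PRI), so a leading digit can only
    be an octet-count prefix; anything else is taken as LF-terminated.
    """
    msgs = []
    while buf:
        if buf[:1].isdigit():
            sp = buf.find(b" ")
            if sp == -1:
                break  # length prefix not complete yet
            if buf[:sp].isdigit():
                n = int(buf[:sp])
                start = sp + 1
                if len(buf) < start + n:
                    break  # message body not complete yet
                msgs.append(buf[start:start + n])
                buf = buf[start + n:]
                continue
        nl = buf.find(b"\n")
        if nl == -1:
            break  # no terminator yet
        msgs.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return msgs, buf


def open_sockets(host="127.0.0.1", port=5000):
    """Bind a UDP and a TCP socket; port 0 picks free (and different) ports."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind((host, port))
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    tcp.bind((host, port))
    tcp.listen()
    return udp, tcp


def serve(udp, tcp, on_message, limit=None):
    """Read from both listeners; stops once `limit` messages were delivered."""
    sel = selectors.DefaultSelector()
    sel.register(udp, selectors.EVENT_READ, "udp")
    sel.register(tcp, selectors.EVENT_READ, "listen")
    pending = {}  # accepted TCP connection -> bytes not yet forming a frame
    count = 0
    while limit is None or count < limit:
        for key, _ in sel.select():
            if key.data == "udp":
                data, _ = udp.recvfrom(65535)
                on_message("udp", data.rstrip(b"\n"))  # one datagram, one message
                count += 1
            elif key.data == "listen":
                conn, _ = tcp.accept()
                pending[conn] = b""
                sel.register(conn, selectors.EVENT_READ, "conn")
            else:
                conn = key.fileobj
                data = conn.recv(65535)
                if not data:  # peer closed; any unterminated tail is dropped
                    sel.unregister(conn)
                    conn.close()
                    del pending[conn]
                    continue
                msgs, pending[conn] = split_frames(pending[conn] + data)
                for m in msgs:
                    on_message("tcp", m)
                    count += 1
    for conn in pending:
        conn.close()
    sel.close()


def loopback_demo():
    """Start a receiver on free ports and send it what '@' and '@@' would."""
    udp, tcp = open_sockets("127.0.0.1", 0)
    got = []
    worker = threading.Thread(
        target=serve, args=(udp, tcp, lambda p, m: got.append((p, m)), 3), daemon=True)
    worker.start()
    # Constructed sshd line that matches the question's filter (contains SSH and Test).
    msg = b"<38>Jan  1 00:00:00 host sshd[1]: SSH Test login for user"
    client_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client_udp.sendto(msg, udp.getsockname())
    client_udp.close()
    client_tcp = socket.create_connection(tcp.getsockname())
    # Same message twice on one connection: LF-terminated, then octet-counted.
    client_tcp.sendall(msg + b"\n" + str(len(msg)).encode() + b" " + msg)
    client_tcp.close()
    worker.join(timeout=5)
    udp.close()
    tcp.close()
    return got


if __name__ == "__main__":
    u, t = open_sockets()
    print("listening on udp and tcp 127.0.0.1:5000")
    serve(u, t, lambda p, m: print(p, m.decode(errors="replace")))
```

Run as a script it listens on 127.0.0.1:5000 and prints each message with the transport it arrived on, so pointing either of the two filters from the question at it shows whether rsyslog is sending at all. If the real service on port 5000 is UDP-only, the "@@" variant never connects, which matches the symptom of the TCP filter appearing to do nothing.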
I think that you can use tunneling for this. For example
ssh username@serverAddress -L 5000:11.22.33.44:80
# username - username on server
# serverAddress - server address
# 5000: - port on the local machine that will be opened on the loopback interface (127.0.0.1)
# 11.22.33.44 - IP address of the server that we'll create a tunnel to using SSH
# :80 - port on 11.22.33.44 that connections to local port 5000 are forwarded to
Look here for more info: https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-tunneling-on-a-vps
I hope this helps!
Maybe you could decide to use RELP? (https://en.wikipedia.org/wiki/Reliable_Event_Logging_Protocol)
As described at https://linux.die.net/man/5/rsyslog.conf
you need to replace your "then @127.0.0.1:5000" with "then :omrelp:127.0.0.1:5000"