Rsyslog – Store and Forward messages to other hosts

Forward by Bruce Berrien

One of the problems I encountered in my job was getting syslog (udp/514) logs from a server that supports only one syslog destination and resending those logs to two or more servers (log archiving, security appliance, etc.).

To do this I used rsyslog on Ubuntu Server (14.04 LTS) acting as a syslog relay.
In this scenario the remote appliance sends its logs to the Ubuntu Server (listening on port udp/514), and the server stores them locally and forwards them to one or more servers/devices.

All configuration was done on Ubuntu Server 14.04.

Edit the file /etc/rsyslog.conf and uncomment (if not already done) the following lines so the server listens on udp port 514. If you need it, you can also listen on tcp/514; just uncomment the corresponding lines.

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

Restart the rsyslogd service and check that it is listening:

root@test-14:~# service rsyslog restart
rsyslog stop/waiting
rsyslog start/running, process 2126
root@test-14:~# netstat -tupnl | grep :514
udp 0 0 0.0.0.0:514 0.0.0.0:* 2126/rsyslogd 
udp6 0 0 :::514 :::* 2126/rsyslogd 
root@test-14:~#

Now create a new file /etc/rsyslog.d/90-store_forward.conf containing the store-and-forward configuration:

### Locally log received data
# log every host in its own dir
$template RemoteHost,"/var/spool/rsyslog/%HOSTNAME%/%$YEAR%/%$MONTH%/%$DAY%/syslog.log"
# log everything in a single file
#$template RemoteHost,"/var/spool/rsyslog/received"

### Enable Remote Logging saving locally to the specified file
$RuleSet remote
*.* ?RemoteHost
# Send messages we receive to host
*.* @a.b.c.d:514 #UDP, just one @
*.* @e.f.g.h:514 #UDP
#*.* @@j.k.l.m:514 #TCP, two @

### Listeners (TCP/UDP)
# bind ruleset to the udp listener
$InputUDPServerBindRuleset remote
# and activate it on port udp/514:
$UDPServerRun 514

# bind ruleset to the tcp listener
#$InputTCPServerBindRuleset remote
# and activate it on port tcp/514:
#$InputTCPServerRun 514

Again, restart the rsyslogd service, then send logs to the Ubuntu Server and you should see them arrive on the destination hosts/appliances:

root@test-14:~# service rsyslog restart
rsyslog stop/waiting
rsyslog start/running, process 3155
root@test-14:~#
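As an added illustration (not part of the original post and not rsyslog code), the Python script below does on loopback what the configuration above does on udp/514: it receives one datagram, appends it to a per-host, per-day spool file laid out like the RemoteHost template, and fans the unchanged message out to two destination sockets. The SAMPLE message, the ephemeral ports and the parse_hostname/relay_once/demo helpers are constructed for this example; because the sender controls the HOSTNAME field that becomes a directory name, the helper neutralises '/' and '..' in it, the same concern rsyslog's secpath-drop/secpath-replace property options exist for in the real template.

```python
import os
import re
import socket
import tempfile
from datetime import datetime

# Constructed RFC 3164 datagram, as an appliance with a single syslog destination sends it.
SAMPLE = b"<34>Oct 11 22:14:15 appliance01 sshd[42]: Failed password for root from 10.0.0.5"
HEADER = re.compile(rb"^<\d{1,3}>\w{3} [ \d]\d \d\d:\d\d:\d\d (\S+) ")

def parse_hostname(msg):
    """HOSTNAME of a BSD syslog line, or '-' when the header is malformed."""
    m = HEADER.match(msg)
    host = m.group(1).decode("ascii", "replace") if m else "-"
    # HOSTNAME is sender-controlled and becomes a directory name: neutralise '/' and '..'
    return re.sub(r"[^A-Za-z0-9._-]", "_", host).replace("..", "_")

def spool_path(root, host, when):
    """Same layout as the page's RemoteHost template: HOST/YEAR/MONTH/DAY/syslog.log."""
    return os.path.join(root, host, f"{when:%Y}", f"{when:%m}", f"{when:%d}", "syslog.log")

def relay_once(listener, destinations, root, when):
    """Store one received datagram under the spool root, then forward it unchanged."""
    msg, _peer = listener.recvfrom(65535)
    path = spool_path(root, parse_hostname(msg), when)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab") as fh:
        fh.write(msg + b"\n")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as out:
        for dest in destinations:  # plain UDP, like the single-@ actions on the page
            out.sendto(msg, dest)
    return path

def udp_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))  # ephemeral loopback port instead of udp/514
    s.settimeout(2)
    return s

def demo(when=datetime(2014, 10, 11)):
    """Appliance -> relay -> two archive hosts on loopback; returns what each side saw."""
    root = tempfile.mkdtemp(prefix="spool-")
    relay, archive, siem = udp_socket(), udp_socket(), udp_socket()
    with relay, archive, siem:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as appliance:
            appliance.sendto(SAMPLE, relay.getsockname())
        path = relay_once(relay, [archive.getsockname(), siem.getsockname()], root, when)
        stored = open(path, "rb").read()
        return {"path": os.path.relpath(path, root).split(os.sep), "stored": stored,
                "archive": archive.recvfrom(65535)[0], "siem": siem.recvfrom(65535)[0]}
```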

Have fun
@merlos
