Gentoo Forums
Remote logging through a SSH tunnel
Jimini (Guru; joined 31 Oct 2006; 595 posts; Germany)
Posted: Thu Jan 26, 2012 12:01 pm    Post subject: Remote logging through a SSH tunnel

Howdy,
I'd like to integrate my VPS into my logging system, which would look as follows:

Code:
VPS---router/firewall---switch
                           |
clients____________________|__logging machine

So the VPS sits somewhere out in the WAN and all my other boxes are placed behind a firewall.

Of course I could let the VPS connect to my router and forward the traffic to the logging machine - but this would be waaaay too insecure. So I would like to wrap the traffic from syslog-ng into an SSH tunnel, which points to my router, but for some reason the connection cannot be established.

Here is the syslog-ng.conf of the logging server:
Code:
@version: 3.2

options {
        chain_hostnames(no);
        check_hostname(yes);
        stats_freq(0);
        mark_freq(0);
};

source src              { unix-stream("/dev/log"); internal(); };
source src_remote       { udp ( ip(10.0.0.2) port(514) ); };
source kernsrc          { file("/proc/kmsg"); };

destination authlog     { file("/var/log/auth" owner("root") perm(0644) ); };
destination debug       { file("/var/log/debug" owner("root") perm(0644) );  };
destination mail        { file("/var/log/mail" owner("root") perm(0644)); };
destination messages    { file("/var/log/messages" owner("root") perm(0644)); };

filter f_auth           { facility(auth, authpriv); };
filter f_mail           { facility(mail); };
filter f_messages       { level(info..emerg) and not facility(auth, authpriv); };

log { source(src); filter(f_auth); destination(authlog); };
log { source(src); filter(f_mail); destination(mail); };
# destination "mysql" is referenced below but its definition is not part of this post
log { source(src); filter(f_messages); destination(mysql); destination(messages); };
log { source(src_remote); destination(mysql); destination(messages); };


And here is the syslog-ng.conf from the client:
Code:
@version: 3.2

options {
        chain_hostnames(no);
        mark_freq(0);
        stats_freq(0);
};

source src {
        unix-stream("/dev/log");
        internal();
};

destination remote { udp("10.0.0.2" port(514)); };

filter f_messages { level(info..warn) and not facility(auth, authpriv, mail, news); };

log { source(src); filter(f_messages); destination(remote); };


After reading some tutorials, I ended up with "ssh -g -L 514:127.0.0.1:514 user@jiminis.router.net", but the only effect seems to be that I log into my router. What am I doing wrong? I suppose I do not need to open some ports on my firewall, because a connection via SSH works.

Best regards,
Jimini
_________________
"The most merciful thing in the world, I think, is the inability of the human mind to correlate all its contents." (H.P. Lovecraft: The Call of Cthulhu)
gentoo_ram (Guru; joined 25 Oct 2007; 418 posts; San Diego, California USA)
Posted: Thu Jan 26, 2012 4:20 pm

First of all, SSH forwards TCP. Your config file specifies UDP.
Jimini (Guru; joined 31 Oct 2006; 595 posts; Germany)
Posted: Fri Jan 27, 2012 3:15 pm

Thank you for this hint. Unfortunately, it does not work with TCP traffic either.

Best regards,
Jimini
Veldrin (Veteran; joined 27 Jul 2004; 1945 posts; Zurich, Switzerland)
Posted: Fri Jan 27, 2012 3:20 pm

Have a look at net-misc/stunnel.

I ran a test setup which worked fine, but I would have to check if I still have the configs lying around.
In a nutshell, stunnel builds your encrypted channel through which you pipe your syslog.

V.
_________________
read the portage output!
If my answer is too concise, ask for an explanation.
gentoo_ram (Guru; joined 25 Oct 2007; 418 posts; San Diego, California USA)
Posted: Fri Jan 27, 2012 3:35 pm

Looking at your configs again, there are more issues. You are trying to forward TCP port 514. On the client machine, the SSH client will be listening on 127.0.0.1, port 514. So that's where the client machine syslog has to send the logs, to 127.0.0.1 port 514.

There's a problem on the server too. You asked the syslog server to listen to interface "10.0.0.2". Yet on your forwarding line on SSH, you asked the local port 514 to be forwarded to 127.0.0.1:514 on the remote side. But syslog won't be listening there. So either change your syslog server config or change the SSH forwarding command.

I haven't tried using TCP on syslog-ng, so I don't know how well that works.
Jimini (Guru; joined 31 Oct 2006; 595 posts; Germany)
Posted: Fri Jan 27, 2012 9:05 pm

I finally got it working :)
First, I established a tunnel from my VPS to my router/firewall:

Code:
ssh -L 514:localhost:5140 -p 10101 jimini@jiminis.router.net


Afterwards, I built a tunnel from my router/firewall to the logging machine:
Code:
ssh -L 5140:localhost:514 user@jiminis.logging.machine

Perhaps I can replace that second tunnel with an iptables rule?

And it works!
Here are my config files, again:

Server (as you can see, I enabled "chain_hostnames" to get the correct hostname of my VPS into my logfiles):
Code:
@version: 3.2

options {
   chain_hostnames(yes);
   check_hostname(yes);
   keep_hostname(yes);
   stats_freq(0);
   mark_freq(0);
};

source src       { unix-stream("/dev/log"); internal(); };
# the SSH tunnel delivers the VPS logs as TCP connections to loopback, so listen there
source src_remote    { tcp ( ip(127.0.0.1) port(514) ); };
source kernsrc       { file("/proc/kmsg"); };

destination authlog    { file("/var/log/auth" owner("root") perm(0644) ); };
destination debug   { file("/var/log/debug" owner("root") perm(0644) );  };
destination mail    { file("/var/log/mail" owner("root") perm(0644)); };
destination messages    { file("/var/log/messages" owner("root") perm(0644)); };

filter f_auth       { facility(auth, authpriv); };
filter f_mail       { facility(mail); };
filter f_messages    { level(info..emerg) and not facility(auth, authpriv); };

log { source(src); filter(f_auth); destination(authlog); };
log { source(src); filter(f_mail); destination(mail); };
# destination "mysql" is referenced below but its definition is not part of this post
log { source(src); filter(f_messages); destination(mysql); destination(messages); };
log { source(src_remote); destination(mysql); destination(messages); };


And the config from my VPS:
Code:
@version: 3.1

options {
        chain_hostnames(no);
        mark_freq(0);
        stats_freq(0);
};

source src {
        unix-stream("/dev/log");
        internal();
};

destination remote { tcp("127.0.0.1" port(514)); };

filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };

log { source(src); filter(f_messages); destination(remote); };


Thanks for your helpful answers, folks!

Best regards,
Jimini
Jimini (Guru; joined 31 Oct 2006; 595 posts; Germany)
Posted: Sun Jan 29, 2012 9:13 am

I simplified my setup a little bit. Now the logging server itself establishes a connection directly to the VPS (I use autossh to keep the connection open):
Code:
autossh -N -M55555 -R 5140:localhost:514 -f user@jiminis.vps.net


Best regards,
Jimini
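Added example, not code from the thread or from the syslog-ng/OpenSSH projects: a small Python checker for the address bookkeeping gentoo_ram describes, tracing the sender's tcp()/udp() destination through each ssh -L/-R hop to the receiver's source and reporting where the sockets do not line up. The regexes, the box labels ("vps", "router", "logging") and the sample configs are constructed assumptions that match the shapes posted in this thread; the working sample assumes the receiver listens with a tcp() source on loopback.

```python
import re

# Assumed shapes seen in the thread: ssh "-L/-R [bind:]lport:host:hport" and syslog-ng tcp()/udp() drivers.
FWD_RE = re.compile(r'-(L|R)\s*(?:([\w.]+):)?(\d+):([\w.-]+):(\d+)')
EP_RE = re.compile(r'\b(udp|tcp)\s*\(\s*(?:"([\w.]+)"|ip\(\s*"?([\w.]+)"?\s*\))\s*port\((\d+)\)')
def norm(ip): return "127.0.0.1" if ip == "localhost" else ip

def parse_hop(cmd, client_box, server_box):
    """ssh command -> (listener, connector) as (box, ip, port); -L listens on the client box, -R on the server box."""
    kind, bind, lport, thost, tport = FWD_RE.search(cmd).groups()
    bind = "0.0.0.0" if "-g" in cmd.split() else norm(bind or "127.0.0.1")  # -g binds all interfaces
    boxes = (client_box, server_box) if kind == "L" else (server_box, client_box)
    return (boxes[0], bind, int(lport)), (boxes[1], norm(thost), int(tport))

def parse_endpoint(conf):
    """syslog-ng destination/source text -> (proto, ip, port)."""
    proto, quoted, bare, port = EP_RE.search(conf).groups()
    return proto, norm(quoted or bare), int(port)

def reachable(listener, connector):  # does a connect made on connector's box to its ip:port hit listener?
    return listener[0] == connector[0] and listener[2] == connector[2] and listener[1] in ("0.0.0.0", connector[1])

def check_chain(client_dest, hops, server_src, server_box):
    """Walk sender -> ssh hops -> receiver; return the list of mismatches ([] means it lines up)."""
    problems = []
    proto, ip, port = parse_endpoint(client_dest)
    if proto != "tcp":
        problems.append("sender uses %s, but ssh forwards TCP only" % proto)
    first = hops[0][0]
    if not reachable(first, (first[0], ip, port)):
        problems.append("sender targets %s:%d, tunnel listens on %s:%d" % (ip, port, first[1], first[2]))
    for (_, c1), (l2, _) in zip(hops, hops[1:]):
        if not reachable(l2, c1):
            problems.append("hop ends at %s:%d on %s with no next listener" % (c1[1], c1[2], c1[0]))
    sproto, sip, sport = parse_endpoint(server_src)
    if sproto != "tcp":
        problems.append("receiver source is %s, but the tunnel delivers TCP" % sproto)
    last = hops[-1][1]
    if not reachable((server_box, sip, sport), last):
        problems.append("tunnel ends at %s:%d on %s, receiver listens on %s:%d on %s" % (last[1], last[2], last[0], sip, sport, server_box))
    return problems

# Constructed samples: the thread's first attempt and its two-hop fix; box names are just labels.
BROKEN = dict(client_dest='destination remote { udp("10.0.0.2" port(514)); };',
              hops=[parse_hop("ssh -g -L 514:127.0.0.1:514 user@jiminis.router.net", "vps", "router")],
              server_src='source src_remote { udp ( ip(10.0.0.2) port(514) ); };', server_box="logging")
WORKING = dict(client_dest='destination remote { tcp("127.0.0.1" port(514)); };',
               hops=[parse_hop("ssh -L 514:localhost:5140 -p 10101 jimini@jiminis.router.net", "vps", "router"),
                     parse_hop("ssh -L 5140:localhost:514 user@jiminis.logging.machine", "router", "logging")],
               server_src='source src_remote { tcp( ip(127.0.0.1) port(514) ); };', server_box="logging")
```

Calling check_chain(**BROKEN) reports the UDP sender, the UDP receiver and the tunnel ending on the router instead of the logging box; check_chain(**WORKING) returns an empty list.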