[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Syslog over SSH



I believe I have figure out my ssh tunnel problems, however, I am still unable to get it completly working. Here is the setup:

Srv1 ---> LogSrv

For SSH, I have setup public key encryption to keep from having to provide a password. Here are the commands I am using:

On the LogSrv
       nc -l -p 9999 | nc localhost -u syslog &

On Srv1
ssh -C -L 9999:192.168.190.153:9999 root 192 168 190 153 & ( To initiate the ssh connection)
nc -l -u -p syslog | nc localhost 9999 & (To redirect to correct ports)


I can get everything to connect, but when I try to send it logs, it does not receive them on LogSrv. I previously setup this test machine to log directly using syslog and changed the configuration to test with SSH tunnels. It worked previously. Now, here is what I get:

[2]+ Stopped nc -l -u -p syslog | nc localhost 9999

This usually shows up when I send a test entry using Logger Test, but not always. Any ideas or questions, just e-mail me or the list and I'll respond.

Nathaniel Hall
Intrusion Detection and Firewall Technician
Ozarks Technical Community College -- Office of Computer Networking

halln otc edu
417-799-0552



Nathaniel Hall wrote:

I am trying to setup a secure logging server using syslog (I know, use Syslog-NG). I did some research and found that I should use netcat, but I am unable to get it working correctly. So far, I have found this:
Netcat will happily pipe UDP into a TCP stream. On the client machine,


you would want to do something like:
nc -l -u -p syslog | nc localhost 9999
(as root, to bind to the syslog port)
On your syslog server end, you'd do something like:
nc -l -p 9999 | nc localhost -u syslog
Setup your ssh tunnel from port 9999 on the client machine to
port 9999 on the syslog server machine.
Setup syslogd on the client to log the messages to localhost. Also,
make sure that the client syslogd is set up to not receive messages
from the network.
You'll want to filter on the TCP listening port on the server to prevent
people from DoS'ing you with spurious messages.


< http://www.patoche.org/LTT/security/00000118.html >

I have tried this and have to been able to get it to work. Any ideas?





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]