# Remote logging through a SSH tunnel

## Jimini

Howdy,

I'd like to integrate my VPS into my logging system, which would look as following:

```
VPS---router/firewall---switch
                           |
                        clients
```

----------

## gentoo_ram

First of all, SSH forwards TCP.  Your config file specifies UDP.

----------

## Jimini

Thank you for this hint. Unfortunately, it does not work with TCP traffic either.

Best regards,

Jimini

----------

## Veldrin

Have a look at net-misc/stunnel.

I ran a test setup which worked fine, but I would have to check if I still have the configs lying around.

In a nutshell, stunnel builds your encrypted channel through which you pipe your syslog.

V.

----------

## gentoo_ram

Looking at your configs again, there are more issues.  You are trying to forward TCP port 514.  On the client machine, the SSH client will be listening on 127.0.0.1, port 514.  So that's where the client machine syslog has to send the logs, to 127.0.0.1 port 514.

There's a problem on the server too.  You asked the syslog server to listen to interface "10.0.0.2".  Yet on your forwarding line on SSH, you asked the local port 514 to be forwarded to 127.0.0.1:514 on the remote side.  But syslog won't be listening there.  So either change your syslog server config or change the SSH forwarding command.

I haven't tried using TCP on syslog-ng, so I don't know how well that works.

----------

## Jimini

I finally got it working :)

First, I established a tunnel from my VPS to my router/firewall:

```
ssh -L 514:localhost:5140 -p 10101 jimini@jiminis.router.net
```

Afterwards, I built a tunnel from my router/firewall to the logging machine:

```
ssh -L 5140:localhost:514 user@jiminis.logging.machine
```

Perhaps I can replace that second tunnel with an iptables-rule?

And it works!

Here are my config files, again:

Server (as you can see, I enabled "chain_hostnames" to get the correct hostname of my VPS into my logfiles):

```
@version: 3.2

options {
   chain_hostnames(yes);
   check_hostname(yes);
   keep_hostname(yes);
   stats_freq(0);
   mark_freq(0);
};

source src           { unix-stream("/dev/log"); internal(); };
source src_remote    { udp ( ip(10.0.0.2) port(514) ); };
source kernsrc       { file("/proc/kmsg"); };

destination authlog  { file("/var/log/auth" owner("root") perm(0644) ); };
destination debug    { file("/var/log/debug" owner("root") perm(0644) ); };
destination mail     { file("/var/log/mail" owner("root") perm(0644)); };
destination messages { file("/var/log/messages" owner("root") perm(0644)); };

filter f_auth        { facility(auth, authpriv); };
filter f_mail        { facility(mail); };
filter f_messages    { level(info..emerg) and not facility(auth, authpriv); };

log { source(src); filter(f_auth); destination(authlog); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_messages); destination(mysql); destination(messages); };
log { source(src_remote); destination(mysql); destination(messages); };
```

And the config from my VPS:

```
@version: 3.1

options {
        chain_hostnames(no);
        mark_freq(0);
        stats_freq(0);
};

source src {
        unix-stream("/dev/log");
        internal();
};

destination remote { tcp("127.0.0.1" port(514)); };

filter f_messages { level(info..warn)
        and not facility(auth, authpriv, mail, news); };

log { source(src); filter(f_messages); destination(remote); };
```

Thanks for your helpful answers, folks!

Best regards,

Jimini

----------

## Jimini

I simplified my setup a little bit. Now the logging server itself establishes a connection directly to the VPS (I use autossh to keep the connection open):

```
autossh -N -M55555 -R 5140:localhost:514 -f user@jiminis.vps.net
```

Best regards,

Jimini

----------
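The port and address mismatches gentoo_ram diagnosed, and the two working chains Jimini arrived at, can be checked mechanically. The script below is an added example (not code from the thread): it models a syslog-ng sender, the ssh `-L`/`-R` hops and the receiving source, and reports every place the chain does not line up; the syslog-ng lines for the final reverse-tunnel setup are assumed, since they were never posted.

```python
import re
from dataclasses import dataclass

LOOPBACK = {"localhost", "127.0.0.1"}

@dataclass
class Endpoint:
    """A syslog-ng tcp()/udp() destination (sender) or source (receiver)."""
    proto: str
    host: str
    port: int

@dataclass
class Forward:
    """One ssh -L/-R hop: listen_port sits on the sender's side, target on the receiver's."""
    kind: str
    listen_port: int
    target_host: str
    target_port: int

def parse_forward(spec: str) -> Forward:
    """Parse an ssh forward such as '-L 514:localhost:5140' or '-R 5140:localhost:514'."""
    m = re.fullmatch(r"-([LR])\s*(\d+):([^:\s]+):(\d+)", spec.strip())
    if not m:
        raise ValueError(f"unrecognised forward spec: {spec!r}")
    return Forward(m[1], int(m[2]), m[3], int(m[4]))

def same_host(a: str, b: str) -> bool:
    return a == b or (a in LOOPBACK and b in LOOPBACK)

def check_chain(dest: Endpoint, hops: list, source: Endpoint) -> list:
    """Return the mismatches in sender -> hops -> receiver; empty means it lines up."""
    problems = []
    if dest.proto != "tcp":
        problems.append(f"sender uses {dest.proto}(), but ssh only forwards TCP")
    if source.proto != "tcp":
        problems.append(f"receiver listens with {source.proto}(), but the tunnel delivers TCP")
    if dest.host not in LOOPBACK or dest.port != hops[0].listen_port:  # sender must hit the ssh listener
        problems.append(f"sender writes to {dest.host}:{dest.port}, tunnel listens on 127.0.0.1:{hops[0].listen_port}")
    for a, b in zip(hops, hops[1:]):  # chained hops: target port must be the next listen port
        if a.target_port != b.listen_port:
            problems.append(f"hop -{a.kind} targets port {a.target_port}, next hop listens on {b.listen_port}")
    last = hops[-1]  # the tunnel must end exactly where syslog-ng's source is bound
    if last.target_port != source.port or not same_host(last.target_host, source.host):
        problems.append(f"tunnel ends at {last.target_host}:{last.target_port}, source is bound to {source.host}:{source.port}")
    return problems

# The chain as gentoo_ram read it: tcp("127.0.0.1" port(514)) on the VPS, a forward to
# 127.0.0.1:514 on the remote side, receiver bound with udp(ip(10.0.0.2) port(514)).
ORIGINAL = check_chain(Endpoint("tcp", "127.0.0.1", 514), [parse_forward("-L 514:127.0.0.1:514")],
                       Endpoint("udp", "10.0.0.2", 514))
# Final reverse-tunnel setup; the adjusted syslog-ng destination/source are assumed values.
FINAL = check_chain(Endpoint("tcp", "127.0.0.1", 5140), [parse_forward("-R 5140:localhost:514")],
                    Endpoint("tcp", "127.0.0.1", 514))
```

Running `check_chain` on the original configuration reports the UDP source and the 10.0.0.2 binding as the two mismatches; the reverse-tunnel chain reports none.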

