
Syslog Server

Posted: 2020/09/14 16:11:06
by zamoralan
Hello, I have a CentOS 7.6.1810 and I need to create a syslog server that receives syslog messages from a remote source and forwards those logs to a remote server, but does not send its own logs.

For example, I have this scenario:

A. Remote Syslog source (10.10.10.1)
B. Syslog Server (CentOS) (10.10.10.2)
C. Remote SIEM (20.20.20.1)

So, I need "B" to receive the logs from "A" and forward the logs from "A" to "C", but without sending its own logs ("B").

Can someone help me? I have very basic knowledge of Linux.

Re: Syslog Server

Posted: 2020/09/15 11:51:26
by jlehtone
Is forwarding the only thing that B does, or does it log (A's messages) too?

Package rsyslog provides rsyslog.service. Documentation can be read with:

man rsyslogd
man rsyslog.conf
and http://www.rsyslog.com/doc

I have no idea whether rsyslog's rules can filter/forward as you want.

Re: Syslog Server

Posted: 2020/09/15 15:15:37
by tunk
CentOS 7.6.1810 is out of date; you may want to run yum update to get 7.8.2003.

Re: Syslog Server

Posted: 2020/09/21 15:03:06
by zamoralan
jlehtone wrote:
2020/09/15 11:51:26
Is forwarding the only thing that B does, or does it log (A's messages) too?

Package rsyslog provides rsyslog.service. Documentation can be read with:

man rsyslogd
man rsyslog.conf
and http://www.rsyslog.com/doc

I have no idea whether rsyslog's rules can filter/forward as you want.
Just forwarding A's messages; B's own messages I don't need it to send to any destination.

Re: Syslog Server

Posted: 2020/09/21 15:03:31
by zamoralan
tunk wrote:
2020/09/15 15:15:37
CentOS 7.6.1810 is out of date; you may want to run yum update to get 7.8.2003.
Ok, thanks.

Re: Syslog Server

Posted: 2020/09/21 15:10:02
by jlehtone
zamoralan wrote:
2020/09/21 15:03:06
Just forwarding A's messages; B's own messages I don't need it to send to any destination.
Is there a reason why A can't talk directly to C?

What if B merely routes traffic from A to C (syslog of B won't be involved)?

Re: Syslog Server

Posted: 2020/09/21 15:44:22
by zamoralan
Because A needs to send its messages to three destinations, but it only has the ability to send them to one. That's why the syslog server (B) was put in the middle.

Well that's another way, but I don't know how to do it either, as I said in the original post, I have very little knowledge of Linux.

Re: Syslog Server

Posted: 2020/09/21 15:44:40
by zamoralan
jlehtone wrote:
2020/09/21 15:10:02
zamoralan wrote:
2020/09/21 15:03:06
Just forwarding A's messages; B's own messages I don't need it to send to any destination.
Is there a reason why A can't talk directly to C?

What if B merely routes traffic from A to C (syslog of B won't be involved)?
Because A needs to send its messages to three destinations, but it only has the ability to send them to one. That's why the syslog server (B) was put in the middle.

Well that's another way, but I don't know how to do it either, as I said in the original post, I have very little knowledge of Linux.

Re: Syslog Server

Posted: 2020/09/21 16:10:40
by jlehtone
Okay, so the initial description did omit that A has to send to C, D, and E, but can only reach B.
B should thus send everything received from A forward to C, D, and E.

If A sent everything in three copies to three different ports on B, then B could forward each port to a different destination (C, D, E).
That assumes that A can do that.

If A sends to rsyslogd on B, then rsyslogd has to send to the other three servers. I presume that the documentation of rsyslog does explain that.

An additional point is that firewall of B must allow A to connect. CentOS does use FirewallD by default.
https://access.redhat.com/documentation ... _firewalls
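As an added example (not from any poster in this thread), this is an rsyslog 8 configuration for B (CentOS 7 ships rsyslog 8.24) that does what jlehtone describes: a dedicated ruleset is bound to the network listeners, so only messages that arrive from A are relayed to C, D and E, while B's own logs stay in the default ruleset and are never forwarded. The file name, port 514, TCP as the transport to the SIEMs, and the placeholder addresses for D and E are my assumptions; A (10.10.10.1) and C (20.20.20.1) come from the thread.

```conf
# /etc/rsyslog.d/relay-from-A.conf   (example file name, my choice)
# Assumes rsyslog 8 and that $WorkDirectory is set in /etc/rsyslog.conf
# (CentOS 7 sets /var/lib/rsyslog). Do not also load imudp/imtcp in
# /etc/rsyslog.conf, or rsyslog refuses to start on the duplicate load.

module(load="imudp")   # UDP listener, what most devices send
module(load="imtcp")   # TCP listener, in case A can use it

# Messages received on the network listeners go ONLY through this
# ruleset. B's own logs (imjournal/imuxsock) use the default ruleset,
# so they never reach these forwarding actions.
ruleset(name="relayFromA") {
    # Belt and braces: relay only if the sender really is A.
    if $fromhost-ip == "10.10.10.1" then {
        # C = the SIEM from the thread. Disk-assisted queue keeps
        # A's events while C is unreachable instead of dropping them.
        action(type="omfwd" target="20.20.20.1" port="514" protocol="tcp"
               queue.type="LinkedList" queue.filename="q_to_C"
               action.resumeRetryCount="-1")
        # D and E: placeholder addresses, replace with the real hosts.
        action(type="omfwd" target="192.0.2.20" port="514" protocol="tcp"
               queue.type="LinkedList" queue.filename="q_to_D"
               action.resumeRetryCount="-1")
        action(type="omfwd" target="192.0.2.30" port="514" protocol="tcp"
               queue.type="LinkedList" queue.filename="q_to_E"
               action.resumeRetryCount="-1")
    }
    # Discard here; nothing from the network is written to B's files
    # or handed to the default ruleset.
    stop
}

# Bind both listeners to the relay ruleset.
input(type="imudp" port="514" ruleset="relayFromA")
input(type="imtcp" port="514" ruleset="relayFromA")
```

Before restarting rsyslog, open the listener on B's FirewallD as jlehtone notes: `firewall-cmd --permanent --add-port=514/udp --add-port=514/tcp && firewall-cmd --reload`, then check the file with `rsyslogd -N1` and `systemctl restart rsyslog`.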