Syslog Server

Support for security such as Firewalls and securing linux
zamoralan
Posts: 5
Joined: 2020/09/14 15:51:04

Syslog Server

Post by zamoralan » 2020/09/14 16:11:06

Hello, I have a CentOS 7.6.1810 and I need to create a syslog server that receives syslog messages from a remote source and forwards those logs to a remote server, but does not send its own logs.

For example, I have this scenario:

A. Remote Syslog source (10.10.10.1)
B. Syslog Server (CentOS) (10.10.10.2)
C. Remote SIEM (20.20.20.1)

So, I need "B" to receive the logs from "A" and forward the logs from "A" to "C", but without sending its own logs ("B").

Can someone help me? I have very basic knowledge of Linux.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Syslog Server

Post by jlehtone » 2020/09/15 11:51:26

Is forwarding the only thing that B does, or does it log (A's messages) too?

Package rsyslog provides rsyslog.service. Documentation can be read with:


man rsyslogd
man rsyslog.conf
and http://www.rsyslog.com/doc

I have no idea whether rsyslog's rules can filter/forward as you want.

tunk
Posts: 1205
Joined: 2017/02/22 15:08:17

Re: Syslog Server

Post by tunk » 2020/09/15 15:15:37

CentOS 7.6.1810 is out of date; you may want to run yum update to get 7.8.2003.

zamoralan
Posts: 5
Joined: 2020/09/14 15:51:04

Re: Syslog Server

Post by zamoralan » 2020/09/21 15:03:06

jlehtone wrote:
2020/09/15 11:51:26
Is forwarding the only thing that B does, or does it log (A's messages) too?

Package rsyslog provides rsyslog.service. Documentation can be read with:


man rsyslogd
man rsyslog.conf
and http://www.rsyslog.com/doc

I have no idea whether rsyslog's rules can filter/forward as you want.
Just forwarding A's messages; B's own messages I don't need it to send to any destination.

zamoralan
Posts: 5
Joined: 2020/09/14 15:51:04

Re: Syslog Server

Post by zamoralan » 2020/09/21 15:03:31

tunk wrote:
2020/09/15 15:15:37
CentOS 7.6.1810 is out of date, you may want to run yum update to get 7.8.2003.
Ok, thanks.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Syslog Server

Post by jlehtone » 2020/09/21 15:10:02

zamoralan wrote:
2020/09/21 15:03:06
Just forwarding A's messages; B's own messages I don't need it to send to any destination.
Is there a reason why A can't talk directly to C?

What if B merely routes traffic from A to C (syslog of B won't be involved)?

zamoralan
Posts: 5
Joined: 2020/09/14 15:51:04

Re: Syslog Server

Post by zamoralan » 2020/09/21 15:44:22

Because A needs to send its messages to three destinations, but it only has the ability to send them to one. That's why the syslog server (B) was put in the middle.

Well, that's another way, but I don't know how to do it either; as I said in the original post, I have very little knowledge of Linux.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Syslog Server

Post by jlehtone » 2020/09/21 16:10:40

Okay, so the initial description did omit that A has to send to C, D, and E, but can only reach B.
B should thus forward everything received from A to C, D, and E.

If A could send everything in three copies to three different ports on B, then B could forward each port to a different destination (C, D, E).
That assumes that A can do that.

If A sends to rsyslogd of B, then rsyslogd has to send to the other three servers. I presume that the documentation of rsyslog does explain that.

An additional point is that the firewall of B must allow A to connect. CentOS uses FirewallD by default.
https://access.redhat.com/documentation ... _firewalls
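One way to do what the thread describes in rsyslog (version 8, as shipped with CentOS 7), written here as an added example rather than a config from anyone in the thread: the network listeners are bound to their own ruleset, so only messages that arrived from the network run the forwarding actions, and B's locally generated logs (which enter through the default ruleset) are never sent anywhere. The addresses of A and C are taken from the thread; the addresses of D and E and the ports are assumptions.

```conf
# /etc/rsyslog.d/relay-from-a.conf  (added example, not from the thread)
# Assumes rsyslog 8 on CentOS 7 and that A sends to B on 514/udp or 514/tcp.
# The firewall on B must allow that port in, e.g. in FirewallD:
#   firewall-cmd --permanent --add-port=514/udp --add-port=514/tcp
#   firewall-cmd --reload
module(load="imudp")
module(load="imtcp")

# Bind the listeners to a dedicated ruleset. B's own messages come in via
# imuxsock/imjournal into the default ruleset and never reach "relayA",
# so they are not forwarded.
input(type="imudp" port="514" ruleset="relayA")
input(type="imtcp" port="514" ruleset="relayA")

ruleset(name="relayA") {
    # Defence in depth: accept only A (10.10.10.1); drop anything else
    # that happens to reach the open port.
    if $fromhost-ip != "10.10.10.1" then stop

    # Optional local copy of A's logs on B for later investigation.
    action(type="omfile" file="/var/log/remote-a.log")

    # Fan out to C, D and E. Each action gets its own disk-assisted queue
    # so one unreachable destination does not stall delivery to the others.
    # queue.filename needs the global work directory that the stock
    # CentOS 7 rsyslog.conf already sets ($WorkDirectory /var/lib/rsyslog).
    action(type="omfwd" target="20.20.20.1" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_c"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    action(type="omfwd" target="D-ADDRESS-PLACEHOLDER" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_d"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    action(type="omfwd" target="E-ADDRESS-PLACEHOLDER" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_e"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")

    # Nothing from A should fall through to the default rules.
    stop
}
```

Check the syntax with `rsyslogd -N1` before restarting the service, and confirm the separation by sending a test line from A and one with `logger` on B: only the former should appear at C.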
