Quick and dirty syslog-ng with stunnel howto
Added by Alex Polvi, last edited by Alex Polvi on Jul 30, 2004  (view change)

Abstract

The approach is simple: the client's syslog-ng shoves its logs at a local stunnel, stunnel carries them over SSL to the loghost, and the loghost's syslog-ng reads and filters them. After all is said and configured, both your loghost and your client will contain all of the client's logs.

A diagram
syslog-ng (client)                                                                     syslog-ng (loghost)
   |                                                                                       |
   lo                                                                                      lo
   |                                                                                       |
stunnel                                                                                 stunnel
   |                                                                                       |
 eth0 -------------------------------------- ssl ---------------------------------------  eth0

Client side

These are configs for stunnel v.4 (Debian: stunnel4, Gentoo: stunnel) and syslog-ng.

/etc/services

Decide what ports you want these services to run on.

syslog-ngs              5140/tcp
syslog-ng               514/tcp

Port choices are arbitrary.

/etc/stunnel/stunnel.conf
# Sample stunnel configuration file
# Copyright by Michal Trojnara 2002

pid = /var/run/stunnel/stunnel.pid
setuid = nobody
setgid = nogroup

# Use it for client mode
client = yes

[syslog-ngs]
accept  = 127.0.0.1:syslog-ng
connect = log.foo.org:syslog-ngs

Be sure that /var/run/stunnel is writable by nobody:nogroup.
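One thing worth noticing in the client config above: it has no verify or CAfile lines, and stunnel 4 defaults to verify level 0, so the client will happily build a tunnel to whatever answers at log.foo.org:syslog-ngs. The fragment below is an added example (not part of the original howto) showing the same [syslog-ngs] section with server certificate verification switched on; the path /etc/stunnel/loghost.pem is assumed and should be a copy of the loghost's own stunnel.pem (public certificate part only).

```ini
# Added example: client-side stunnel.conf with loghost certificate checking.
# Everything above the [syslog-ngs] section is unchanged from the page's config.
pid = /var/run/stunnel/stunnel.pid
setuid = nobody
setgid = nogroup

# Use it for client mode
client = yes

[syslog-ngs]
accept  = 127.0.0.1:syslog-ng
connect = log.foo.org:syslog-ngs
# verify = 2 makes stunnel require a peer certificate and check it
# against the trusted certificates in CAfile; a tunnel to a host
# presenting any other certificate is refused instead of built.
verify  = 2
# Assumed path: the loghost's certificate copied to the client.
CAfile  = /etc/stunnel/loghost.pem
```

With this in place, a connection failure shows up in stunnel's log on the client rather than silently shipping logs to the wrong endpoint, so check the stunnel log first when the test at the end of this page stops working after the change.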

/etc/syslog-ng/syslog-ng.conf

Append this to the end of your existing conf.

destination loghost { tcp("127.0.0.1" port(syslog-ng)); };
log { source(src); destination(loghost); };

Your client is now 100% configured.

Server side

This will not cover filtering or layout.

/etc/services

This should match your choices from the client's /etc/services.

/etc/stunnel/stunnel.conf

Cert creation help here

# Sample stunnel configuration file
# Copyright by Michal Trojnara 2002

cert = /etc/stunnel/stunnel.pem
pid = /var/run/stunnel4/stunnel.pid
setuid = nobody
setgid = nogroup

[syslog-ngs]
accept = syslog-ngs
connect = 127.0.0.1:syslog-ng

/etc/syslog-ng/syslog-ng.conf

Add a new source entry

source client { tcp(ip("127.0.0.1") port(syslog-ng) keep-alive(yes)); };

Then filter/log this source to your heart's desire.
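The ip("127.0.0.1") in that source line is what keeps the plaintext syslog-ng listener off eth0, so only stunnel can feed it. The script below is an added example (not from the original howto) for checking that on the loghost: it reads /proc/net/tcp-style lines and reports any LISTEN socket on the plaintext syslog-ng port that is not bound to loopback. It assumes the port numbers chosen on this page (514 plaintext, 5140 for the stunnel side); the sample /proc/net/tcp contents are constructed for illustration.

```python
"""Check that the plaintext syslog-ng TCP listener is bound to loopback only.

Added example, not part of the original howto.  Ports follow the page's
/etc/services choices: 514 = syslog-ng (plaintext), 5140 = syslog-ngs (stunnel).
"""
import socket
import struct

SYSLOG_NG_PORT = 514     # plaintext syslog-ng, must stay on 127.0.0.1
SYSLOG_NGS_PORT = 5140   # stunnel side, expected to be reachable on eth0
TCP_LISTEN = 0x0A        # socket state code used in /proc/net/tcp


def parse_proc_addr(field):
    """Turn a /proc/net/tcp 'HHHHHHHH:PPPP' field into ('a.b.c.d', port).

    The address is stored as a little-endian 32-bit hex value, so
    0100007F is 127.0.0.1 and 00000000 is 0.0.0.0 (all interfaces).
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_net_tcp_text):
    """Yield (ip, port) for every socket in LISTEN state in the given text."""
    for line in proc_net_tcp_text.strip().splitlines()[1:]:  # skip header
        fields = line.split()
        if len(fields) > 3 and int(fields[3], 16) == TCP_LISTEN:
            yield parse_proc_addr(fields[1])


def check_bindings(proc_net_tcp_text):
    """Return a list of problem strings; empty means the layout matches the page.

    A plaintext syslog-ng listener on anything other than 127.0.0.1 means a
    client could bypass stunnel and ship logs in the clear.
    """
    problems = []
    seen_plain = seen_tls = False
    for ip, port in listeners(proc_net_tcp_text):
        if port == SYSLOG_NG_PORT:
            seen_plain = True
            if ip != "127.0.0.1":
                problems.append(
                    f"plaintext syslog-ng port {port} listens on {ip}; expected 127.0.0.1 only")
        elif port == SYSLOG_NGS_PORT:
            seen_tls = True
    if not seen_plain:
        problems.append(f"no listener on plaintext syslog-ng port {SYSLOG_NG_PORT}")
    if not seen_tls:
        problems.append(f"no stunnel listener on port {SYSLOG_NGS_PORT}")
    return problems


# Constructed samples (not real captures).  Column layout mirrors /proc/net/tcp.
_HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"
_REST = "00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0"

# Loghost configured as on this page: 514 on loopback, stunnel's 5140 on all interfaces.
GOOD_SAMPLE = "\n".join([
    _HEADER,
    f"   0: 0100007F:0202 00000000:0000 0A {_REST}",   # 127.0.0.1:514  LISTEN
    f"   1: 00000000:1414 00000000:0000 0A {_REST}",   # 0.0.0.0:5140   LISTEN
    f"   2: 0100007F:0202 0100007F:C4B2 01 {_REST}",   # established, ignored
])

# Misconfigured loghost: ip("127.0.0.1") left out, so 514 is on every interface.
BAD_SAMPLE = "\n".join([
    _HEADER,
    f"   0: 00000000:0202 00000000:0000 0A {_REST}",   # 0.0.0.0:514    LISTEN
    f"   1: 00000000:1414 00000000:0000 0A {_REST}",   # 0.0.0.0:5140   LISTEN
])


def check_live_host(path="/proc/net/tcp"):
    """Run the check against the running Linux host."""
    with open(path) as fh:
        return check_bindings(fh.read())


if __name__ == "__main__":
    for name, sample in (("good", GOOD_SAMPLE), ("bad", BAD_SAMPLE)):
        print(name, check_bindings(sample) or "ok")
```

Run it with no arguments to see both constructed samples evaluated, or call check_live_host() on the loghost after syslog-ng and stunnel are up. It only looks at IPv4 (/proc/net/tcp); if syslog-ng also listens on IPv6, the same parsing applies to /proc/net/tcp6 with 32-hex-digit addresses, which this example does not handle.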

Testing it all.

On a client run:

logger "Test log"

Then on server run:

grep -r "Test log" /var/log/
