
I am using CentOS 10, and I am trying to send the SSH logs to an external syslog server listening on UDP port 514. I changed the default logging facility of sshd to local2, tested it locally, and it works.

root@localhost:~# cat /etc/ssh/sshd_config.d/50-redhat.conf
SyslogFacility LOCAL2

Local2 logs to /var/log/test.log:

local2.*    /var/log/test.log

The logs are written correctly:

root@localhost:~# cat /var/log/test.log
Jun 27 00:07:15 localhost sshd-session[10242]: Failed password for juanb from 10.211.1.2 port 57465 ssh2
Jun 27 00:07:15 localhost sshd-session[10242]: Failed password for juanb from 10.211.1.2 port 57465 ssh2

However, after testing that the change of facilities works, I tried to configure rsyslog so all messages from facility LOCAL2 are sent to the external syslog server:

# Log SSH login messages to external syslog server
local2.* action(type="omfwd"
    queue.type="LinkedList"            # in-memory queue for this action
    queue.filename="ssh_fwd"           # spill prefix: makes the queue disk-assisted
    action.resumeRetryCount="-1"       # retry forever if the target is unreachable
    queue.saveonshutdown="on"          # persist queued messages on shutdown
    Target="10.211.1.2" Port="514" Protocol="udp"
    )

I added this at the end of /etc/rsyslog.conf, but it is not working.

  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. Commented Jun 27 at 8:13
  • Please don't post images of text. Commented Jun 27 at 14:28
  • Where did you put the rsyslog config you showed us? How did you tell rsyslogd to re-read its config? Commented Jun 27 at 14:57
  • Hello, I added the rsyslog config to the end of the /etc/rsyslog.conf file. I also tried to put it on a separate file on /etc/rsyslog.d/19-ssh.conf, and it still does not work. The only way I got it working has been using Vector and specifying to read /var/log/secure and send it to a cloud based syslog server like BetterStack Commented Jun 27 at 19:29
  • It seems to me like you're mixing legacy and RainerScript format. If I remember correctly, if $syslogfacility-text == 'local2' then { action(...) } should work (See: rsyslog properties and/or rsyslog filters). However, I can't test it and I'm not 100% sure about it. Commented Jul 1 at 14:18
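The local test above only proves that sshd now logs with facility local2; it says nothing about whether rsyslog's omfwd action ever puts a datagram on the wire or whether it reaches 10.211.1.2. The following is an added example (not code from the original post or from rsyslog) that splits the problem in two: a UDP listener to run on the syslog server and a sender that emits an RFC 3164 message with the same PRI that rsyslog would compute for local2 (facility 18). The hostname, tag and port are assumptions for illustration; the sample message text is copied from the post's /var/log/test.log output.

```python
"""Sender/receiver pair for checking a facility-based syslog forward end to end.
Added example, not from the original post. Run "listen" on the syslog server
and "send" on the client; if "listen" prints nothing while "send" reports
success, look at rsyslog (config reload, rsyslogd -N1), the client firewall
and the network, not at the syslog server's own filters."""
import re
import socket
import sys
from datetime import datetime

# Facility and severity codes from RFC 3164 section 4.1.1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}
PRI_RE = re.compile(r"^<(\d{1,3})>")

# Constructed sample; the message text is the one shown in the post.
SAMPLE_TAG = "sshd-session[10242]"
SAMPLE_MSG = "Failed password for juanb from 10.211.1.2 port 57465 ssh2"


def build_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, so local2.info is <150> and local2.warning is <148>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_message(facility, severity, host, tag, msg, when=None):
    """Build a BSD-syslog line of the shape omfwd sends with its default template."""
    when = when or datetime.now()
    ts = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{build_pri(facility, severity)}>{ts} {host} {tag}: {msg}"


def parse_pri(line: str):
    """Return (facility_name, severity_name) for a syslog line, or None if it has no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # largest legal value is 23 * 8 + 7
        return None
    return FACILITY_NAMES.get(pri // 8, f"facility{pri // 8}"), SEVERITY_NAMES[pri % 8]


def send_udp(line: str, target: str, port: int = 514) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (target, port))


def receive_one(port=514, timeout=5.0, sock=None):
    """Wait for one datagram; return (line, sender_ip) or None on timeout."""
    own = sock is None
    if own:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(("0.0.0.0", port))  # binding 514 needs root
    sock.settimeout(timeout)
    try:
        data, (ip, _) = sock.recvfrom(65535)
        return data.decode(errors="replace"), ip
    except socket.timeout:
        return None
    finally:
        if own:
            sock.close()


def loopback_roundtrip(facility="local2", severity="info"):
    """Self-check on an ephemeral localhost port: send one message and parse what arrived."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    send_udp(format_message(facility, severity, "localhost", SAMPLE_TAG, SAMPLE_MSG),
             "127.0.0.1", port)
    got = receive_one(sock=sock)
    return parse_pri(got[0]) if got else None


if __name__ == "__main__":
    if sys.argv[1:2] == ["listen"]:          # on the syslog server: listen [port]
        got = receive_one(port=int(sys.argv[2]) if len(sys.argv) > 2 else 514, timeout=30)
        print("nothing received" if got is None else f"from {got[1]}: {got[0]} -> {parse_pri(got[0])}")
    elif sys.argv[1:2] == ["send"]:          # on the client: send <server> [port]
        port = int(sys.argv[3]) if len(sys.argv) > 3 else 514
        send_udp(format_message("local2", "info", socket.gethostname(), SAMPLE_TAG, SAMPLE_MSG),
                 sys.argv[2], port)
        print(f"sent one local2.info datagram to {sys.argv[2]}:{port}")
    else:
        print(loopback_roundtrip())
```

With `listen` running on the server, first send a message with this script from the CentOS host to confirm the path and the server's filter for facility 18 work at all; then trigger a failed SSH login and compare. Running the listener on a non-privileged port (and pointing `Port=` at it temporarily) also separates "rsyslog does not forward" from "the real collector drops it".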
