pull logs from remote hosts with syslog-ng?
Is it possible to use syslog-ng to pull logs from a remote host? If you had a network where only inbound sessions were allowed but nothing was allowed to initiate a connection back, could you have a central syslog-ng server that went out and initiated connections/sessions to remote hosts and pulled back logs? Thanks, Jonathan
Jon Sabo wrote:
Is it possible to use syslog-ng to pull logs from a remote host? If you had a network where only inbound sessions were allowed but nothing was allowed to initiate a connection back, could you have a central syslog-ng server that went out and initiated connections/sessions to remote hosts and pulled back logs?
You could run an stunnel daemon on the remote host; from your centralized syslog-ng collector you would initiate the stunnel connection to said remote host. I.e. use the central collector in stunnel client mode, and set up an stunnel in server mode on the remote host. The premium/commercial syslog-ng supports TLS/SSL, but I don't know if you can differentiate between client and server the same way which you can do with an external tool such as stunnel.
-Matt Cuttler
Why would stunnel be involved? I don't need to secure the communication across the link. I just want to know if and how to set up a syslog-ng server to pull logs from groups or remote hosts in contrast to receiving them like you would normally configure a syslog server to send logs to a remote host. So can you configure syslog-ng to pull logs?
On Nov 13, 2007 10:23 PM, Matt Cuttler <mcuttler@bnl.gov> wrote:
Jon Sabo wrote:
Is it possible to use syslog-ng to pull logs from a remote host? If you had a network where only inbound sessions were allowed but nothing was allowed to initiate a connection back, could you have a central syslog-ng server that went out and initiated connections/sessions to remote hosts and pulled back logs?
You could run an stunnel daemon on the remote host; from your centralized syslog-ng collector you would initiate the stunnel connection to said remote host.
I.e. use the central collector in stunnel client mode, and set up an stunnel in server mode on the remote host.
The premium/commercial syslog-ng supports TLS/SSL, but I don't know if you can differentiate between client and server the same way which you can do with an external tool such as stunnel.
-Matt Cuttler
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
Jon Sabo wrote:
Why would stunnel be involved? I don't need to secure the communication across the link.
Not for encryption, in your case, but to have your centralized collector initiate the connection to your remote hosts.
I'm assuming that you've got some packet filtering, firewalls etc. in place, presumably something that keeps state? This is why I mention stunnel.
So can you configure syslog-ng to pull logs?
Not to my knowledge, unless perhaps you had some distributed filesystem. But of course that'd be another work-around (like stunnel). You might want to look at all the "sources" section of the administrators manual in case I missed something (very possible).
-Matt Cuttler
Thanks for replying.
On Nov 13, 2007 10:39 PM, Matt Cuttler <mcuttler@bnl.gov> wrote:
Jon Sabo wrote:
Why would stunnel be involved? I don't need to secure the communication across the link.
Not for encryption, in your case, but to have your centralized collector initiate the connection to your remote hosts.
I'm assuming that you've got some packet filtering, firewalls etc. in place, presumably something that keeps state? This is why I mention stunnel.
So can you configure syslog-ng to pull logs?
Not to my knowledge, unless perhaps you had some distributed filesystem. But of course that'd be another work-around (like stunnel). You might want to look at all the "sources" section of the administrators manual in case I missed something (very possible).
-Matt Cuttler
Hit send too soon. Meant to also say: The way I see it, your remote hosts have to be servers of some sort, as they are accepting connections. And the centralized collection must behave as a client of some sort. So, although your setup is "backwards" in many respects, it's definitely do-able, a number of ways :)
Matt Cuttler wrote:
Jon Sabo wrote:
Why would stunnel be involved? I don't need to secure the communication across the link.
Not for encryption, in your case, but to have your centralized collector initiate the connection to your remote hosts.
I'm assuming that you've got some packet filtering, firewalls etc. in place, presumably something that keeps state? This is why I mention stunnel.
So can you configure syslog-ng to pull logs?
Not to my knowledge, unless perhaps you had some distributed filesystem. But of course that'd be another work-around (like stunnel). You might want to look at all the "sources" section of the administrators manual in case I missed something (very possible).
participants (2): Jon Sabo, Matt Cuttler
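
The role reversal discussed in the thread (the remote host accepts the connection, the central collector initiates it and reads the logs back), as an added Python example; it is not code from either poster and is not syslog-ng or stunnel configuration. The function names, sample log lines and the peer allow-list on the remote side are assumptions made for the illustration.

```python
import socket
import threading

# Constructed sample lines standing in for logs buffered on the remote host.
SAMPLE_LOGS = [
    "<13>Nov 13 22:23:01 remote1 sshd[411]: session opened for user ops",
    "<13>Nov 13 22:23:05 remote1 cron[512]: (root) CMD (run-parts /etc/cron.hourly)",
    "<11>Nov 13 22:23:09 remote1 kernel: eth0: link down",
]

def serve_logs_once(listener, lines, allowed_peers):
    """Remote-host side: accept one inbound connection and send the buffered
    lines, but only if the peer is an expected collector address."""
    conn, peer = listener.accept()
    with conn:
        if peer[0] in allowed_peers:
            conn.sendall("".join(l + "\n" for l in lines).encode())
        # Unknown peers get an immediate close and no log data.

def pull_logs(host, port, timeout=5.0):
    """Collector side: initiate the connection, read until the remote closes."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode().splitlines()

def demo(allowed_peers):
    """Run both roles on loopback; returns what the collector pulled."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_logs_once,
                              args=(listener, SAMPLE_LOGS, allowed_peers))
    server.start()
    try:
        return pull_logs("127.0.0.1", port)
    finally:
        server.join()
        listener.close()

if __name__ == "__main__":
    print(demo({"127.0.0.1"}))
```

Because the remote host now listens for inbound connections, anything that can reach the port can ask for its logs; the allow-list check stands in for whatever access control (firewall rule, or mutual TLS via a wrapper such as stunnel) protects that listener.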