I am using CentOS 10, and I am trying to send the SSH logs to an external syslog server listening on port UDP 514. I changed the default logging facility of sshd to local2 and tested it locally and it works.
root@localhost:~# cat /etc/ssh/sshd_config.d/50-redhat.conf
SyslogFacility LOCAL2
Local2 logs to /var/log/test.log:
local2.* /var/log/test.log
The logs are written correctly:
root@localhost:~# cat /var/log/test.log
Jun 27 00:07:15 localhost sshd-session: Failed password for juanb from 10.211.1.2 port 57465 ssh2
Jun 27 00:07:15 localhost sshd-session: Failed password for juanb from 10.211.1.2 port 57465 ssh2
However, after testing that the change of facilities works, I tried to configure rsyslog so all messages from facility LOCAL2 are sent to the external syslog server:
#Log SSH login messages to external syslog server
local2.* action(type="omfwd"
queue.type="LinkedList"
queue.filename="ssh_fwd"
action.resumeRetryCount="-1"
queue.saveonshutdown="on"
Target="10.211.1.2" Port="514" Protocol="udp"
)
I added this at the end of /etc/rsyslog.conf, but it is not working.
Asked by Juan Alejandro
(11 rep)
Jun 27, 2025, 07:13 AM
Last activity: Jul 9, 2025, 06:47 PM
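The following is an added example, not part of the original question. It builds the RFC 3164 datagram that a local2 message becomes on the wire (PRI = facility × 8 + severity, so local2.info is 150) and sends it over UDP, so that what arrives at the receiver can be checked separately from the rsyslog rule. The function names and the `info` severity are assumptions; the sample message is the line from /var/log/test.log above.

```python
import socket

# Facility and severity codes from RFC 3164; LOCAL2 is 18 (local0 starts at 16).
FACILITIES = {"auth": 4, "authpriv": 10, "local0": 16, "local1": 17, "local2": 18}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

def build_datagram(facility, severity, timestamp, host, tag, msg):
    """Return one RFC 3164 message as bytes: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>{timestamp} {host} {tag}: {msg}".encode("utf-8")

def parse_pri(datagram):
    """Decode the leading <PRI> of a received datagram into (facility, severity)."""
    if not datagram.startswith(b"<") or b">" not in datagram[:5]:
        raise ValueError("no syslog PRI header")
    pri = int(datagram[1:datagram.index(b">")])
    if pri > 191:
        raise ValueError("PRI out of range")
    by_code = {code: name for name, code in FACILITIES.items()}
    facility = by_code.get(pri // 8, f"facility{pri // 8}")
    severity = {code: name for name, code in SEVERITIES.items()}[pri % 8]
    return facility, severity

def send_udp(datagram, target, port=514):
    """Fire one datagram at the collector; UDP gives no delivery confirmation."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(datagram, (target, port))

def loopback_check(datagram, timeout=2.0):
    """Send to a throwaway receiver on 127.0.0.1 and return the bytes that arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))          # ephemeral port, no root needed
        rx.settimeout(timeout)
        send_udp(datagram, "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(2048)
        return data

if __name__ == "__main__":
    # Message text copied from the question; severity "info" is an assumption.
    pkt = build_datagram("local2", "info", "Jun 27 00:07:15", "localhost",
                         "sshd-session",
                         "Failed password for juanb from 10.211.1.2 port 57465 ssh2")
    print(parse_pri(loopback_check(pkt)))
    # To probe the real path, call send_udp(pkt, "10.211.1.2") and watch the
    # collector for a datagram starting with <150>.
```

If the hand-built datagram reaches the collector but forwarded sshd messages do not, the network path is fine and the rsyslog rule or its position in the configuration is where to look.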