Remote Syslog

[Jon Irish]

I would like to send all of my ProxMox syslog messages to an external Splunk server. However, I have not been able to locate an option to forward syslog within the ProxMox GUI. A Google search did not have any results. I did see something for the mail gateway, but those settings don't appear to apply to VE. Is this simply setting up the syslog configuration of the underlying OS (Debian) to forward syslog?

Thanks,
Jon

 

[dietmar]

Is this simply setting up the syslog configuration of the underlying OS (Debian) to forward syslog?

yes

 

[Jon Irish]

yes

Thanks!
Jon

 

[RobFantini]

we use this on most pve systems and vm's:

# cat /etc/rsyslog.d/remote-logging.conf
#
*.*  @rsyslog.mydomain.com:514

 

[mir]

So you are sending all syslog data in clear text over the network! Seems scary to me.

 

[RobFantini]

So you are sending all syslog data in clear text over the network! Seems scary to me.

I see what you mean , however for us the systems are on a local protected network.

that said could you suggest a safer way ?

 

[mir]

use the gtls module: https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html

 

[guletz]

Also it is possible to use openvpn for rsyslog.

 

[RobFantini]

use the gtls module: https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html

Thank you Mir,

Peace, Rob

 

[Jon Irish]

we use this on most pve systems and vm's:

# cat /etc/rsyslog.d/remote-logging.conf
#
*.*  @rsyslog.mydomain.com:514

Thanks Rob...

Jon

 

[macleod]

Actually there is an even better method to forward the logs: relp-tls. You have encryption but also reliability. Works perfectly with rsyslogd.
Now I'm trying to understand where are all specific logs for proxmox, in order to verify that all that logs are correctly forwarded.

 

[RobFantini]

is there a Debian package for relp-tls ? I just searched and did not find using that word. We just happen to be converting to use rsyslog-gnutls and almost have that figured out.... so if what you mention is easier we'll test it out.

 

[macleod]

These are the packages needed for relp-tls (versions for debian 10).
rsyslog 8.1901.0-1
rsyslog-gnutls 8.1901.0-1
rsyslog-relp 8.1901.0-1

And to understand better, it's about using rsyslog relp protocol over a gnu-tls connection (in newer version you can use also openssl, not just gnutls).
It's not easier (but also not very harder), if you already had added the tls option relp will be "a piece of cake"

A very good article about how to implement everything is:
https://selivan.github.io/2017/02/0...save-filename-handle-multi-line-failover.html

 

[RobFantini]

thanks!

I am trying this: https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html

will also check the selivan blog post.

 

[SamTzu]

Just installed Mail Gateway 8.0.7.
Remote logging works but FQDN stopped working.

$PreserveFQDN on

 

[fireon]

I see what you mean , however for us the systems are on a local protected network.

that said could you suggest a safer way ?

You can also use journalremotelogging (systemd) with https. https://deepdoc.at/dokuwiki/doku.ph...temd_journald_-_aktivierung_des_remotelogging

 

[SamTzu]

I have always felt journalctl was a step in wrong direction.
"KISS. Keep It Simple Stupid." Those are words to live by. Other as good is...
"If it's not broken don't try to fix it."