Configuring remote logging using SSH reverse tunnel

Logging to a remote syslog server can be made cryptographically secure by using an SSH reverse tunnel. The syslog daemon on the switch forwards log messages to the SSH tunnel, and the SSH tunnel endpoint on the remote server host forwards the messages to the listening syslog server.
NOTE:

This procedure includes sample configuration commands for a user-supplied syslog server based on Ubuntu 14.04.5 LTS with rsyslog. It is up to the user to check their server documentation and adjust the sample commands as required. Optionally, see your server documentation for information on how to use the systemd and autossh services to automatically restore the SSH tunnel after a system reboot.

Prerequisites

The user-supplied remote syslog server must be on a network that can reach the switch management interface.

Procedure
  1. Configure SSH server on the switch.
    1. Enter these commands (although this example uses the mgmt VRF, other VRFs can be used):
      switch(config)# interface mgmt
      switch(config-if-mgmt)# no shutdown
      switch(config-if-mgmt)# ip address
      switch(config-if-mgmt)# exit
      switch(config)# ssh server vrf mgmt
    2. If public key authentication is desired for remote SSH users, configure it on the switch:
      switch(config)# user admin authorized-key
  2. Configure logging on the switch to forward to localhost:
    switch(config)# logging localhost tcp vrf mgmt include-auditable-events
  3. Configure the rsyslog server on the remote host:
    1. Make rsyslog accept TCP connections and specify the log file by adding the following to /etc/rsyslog.conf:
      $ModLoad imtcp
      $InputTCPServerRun
      $template RemoteLogs,"/var/log/remote.log"
      *.* ?RemoteLogs
    2. To activate the added configuration, restart the rsyslog server:
      root@Ubuntu4479:~# sudo service rsyslog restart
  4. Establish an SSH reverse tunnel from the remote host to the switch:
    root@Ubuntu4479:~# ssh -nNTx -R :127.0.0.1: admin@
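The remote-host side of steps 3 and 4 as one small script, added here as an example; it is not part of the original page or of the switch vendor's documentation. The values the page leaves blank are assumptions that can be overridden through the environment: switch management address 192.0.2.10 (a documentation address), user admin, rsyslog listening on TCP 514 on this host, and the switch's syslog daemon sending to 127.0.0.1:1514. The `-o` options are standard OpenSSH client options added in this example, not taken from the page: `ExitOnForwardFailure` makes ssh exit if the switch cannot bind the loopback listener instead of holding a session that forwards nothing, and the `ServerAlive*` pair tears down a dead session so a supervisor such as autossh can restart it.

```shell
#!/bin/sh
# Added example (not from the original page): remote-host side of the procedure.
# Assumed values, overridable through the environment:
SWITCH_HOST="${SWITCH_HOST:-192.0.2.10}"    # assumed switch management IP (documentation range)
SWITCH_USER="${SWITCH_USER:-admin}"         # switch user that owns the tunnel session
TUNNEL_PORT="${TUNNEL_PORT:-1514}"          # assumed loopback port the switch's syslog daemon sends to
RSYSLOG_PORT="${RSYSLOG_PORT:-514}"         # assumed imtcp port rsyslog listens on here
LOG_FILE="${LOG_FILE:-/var/log/remote.log}" # destination file from the page's $template line

# Accept only a decimal port in 1..65535; anything else would yield a malformed -R spec.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The /etc/rsyslog.conf additions from step 3, with the listener port filled in.
rsyslog_fragment() {
    valid_port "$RSYSLOG_PORT" || return 1
    printf '%s\n' \
        '$ModLoad imtcp' \
        "\$InputTCPServerRun $RSYSLOG_PORT" \
        "\$template RemoteLogs,\"$LOG_FILE\"" \
        '*.* ?RemoteLogs'
}

# Step 4's ssh invocation. -R <TUNNEL_PORT>:127.0.0.1:<RSYSLOG_PORT> makes the
# switch's sshd listen on its own loopback (remote forwards bind to loopback
# unless GatewayPorts is enabled on the server) and relay each connection to
# rsyslog on this host. The -o options are added hardening, not from the page.
tunnel_cmd() {
    valid_port "$TUNNEL_PORT" && valid_port "$RSYSLOG_PORT" || return 1
    printf 'ssh -nNTx -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R %s:127.0.0.1:%s %s@%s\n' \
        "$TUNNEL_PORT" "$RSYSLOG_PORT" "$SWITCH_USER" "$SWITCH_HOST"
}

# Bring the tunnel up in the foreground so a failure is visible. Wrap this in
# autossh or a systemd unit (see the NOTE above) to survive a reboot.
start_tunnel() {
    cmd=$(tunnel_cmd) || { echo "invalid port configuration" >&2; return 1; }
    # Word splitting is intended: cmd holds separate ssh arguments.
    exec $cmd
}

case "${1:-}" in
    conf)  rsyslog_fragment ;;   # print the rsyslog.conf fragment
    cmd)   tunnel_cmd ;;         # print the ssh command without running it
    start) start_tunnel ;;       # run the tunnel
    *)     echo "usage: $0 conf|cmd|start" >&2 ;;
esac
```

Run `./tunnel.sh conf >> /etc/rsyslog.conf` (then restart rsyslog as in step 3) and `./tunnel.sh cmd` to review the exact ssh line before `./tunnel.sh start`. The ports are validated before they reach ssh, so a mistyped environment value fails at the script rather than as a confusing bind error on the switch.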