Configuring remote logging using SSH reverse tunnel

Logging to a remote syslog server can be made cryptographically secure by using an SSH reverse tunnel. The syslog daemon on the switch forwards log messages into the SSH tunnel, and the SSH tunnel endpoint on the remote server host forwards the messages to the listening syslog server.
NOTE:

This procedure includes sample configuration commands for a user-supplied syslog server based on Ubuntu 14.04.5 LTS with rsyslog. It is up to the user to check their server documentation and adjust the sample commands as required. Optionally, see your server documentation for information on how to use the systemd and autossh services to automatically restore the SSH tunnel after a system reboot.

Prerequisites

The user-supplied remote syslog server must be on a network that can reach the switch management interface.

Procedure
  1. Configure the SSH server on the switch.
    1. Enter these commands (although this example uses the mgmt VRF, other VRFs can be used):
      switch(config)# interface mgmt
      switch(config-if-mgmt)# no shutdown
      switch(config-if-mgmt)# ip address <switch_mgmt_IP>
      switch(config-if-mgmt)# exit
      switch(config)# ssh server vrf mgmt
    2. If public key authentication is desired for remote SSH users, configure it on the switch:
      switch(config)# user admin authorized-key <PUBKEY>
  2. Configure logging on the switch to forward to localhost:
    switch(config)# logging localhost tcp <switch_tcp_port> vrf mgmt include-auditable-events
  3. Configure the rsyslog server on the remote host:
    1. Make rsyslog accept TCP connections and specify the log file, by adding the following to /etc/rsyslog.conf:
      $ModLoad  imtcp
      $InputTCPServerRun <server_tcp_port>
      $template RemoteLogs,"/var/log/remote.log"
      *.* ?RemoteLogs
    2. To activate the added configuration, restart the rsyslog server:
      root@Ubuntu4479:~# sudo service rsyslog restart
  4. Establish an SSH reverse tunnel from the remote host to the switch:
    root@Ubuntu4479:~# ssh -nNTx -R <switch_tcp_port>:127.0.0.1:<server_tcp_port> admin@<switch_mgmt_IP>
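
The tunnel in step 4 ends when the SSH session drops, and logs stop arriving until it is re-established. The following added example (not part of the vendor procedure) is one way to supervise it from the syslog host; it assumes the public key from step 1.2 is installed for admin, and the script name, retry delays and sample values are constructed.

```shell
#!/bin/sh
# Added example, not vendor code: supervises the reverse tunnel from step 4.
# Arguments map to <switch_tcp_port>, <server_tcp_port> and <switch_mgmt_IP>.

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ssh command line for the tunnel; fail on a bad port or address.
tunnel_cmd() {
    valid_port "$1" && valid_port "$2" || return 1
    case "$3" in ''|*[!A-Za-z0-9.:_-]*) return 1 ;; esac
    # BatchMode: never block on a password prompt (needs the key from step 1.2).
    # ExitOnForwardFailure: exit if the switch refuses the remote forward.
    # ServerAlive*: detect a dead peer, such as a rebooted switch, in about 90 s.
    printf 'ssh -nNTx -o BatchMode=yes -o ExitOnForwardFailure=yes %s -R %s:127.0.0.1:%s admin@%s\n' \
        '-o ServerAliveInterval=30 -o ServerAliveCountMax=3' "$1" "$2" "$3"
}

# Double the retry delay after a failure, capped at 60 seconds.
next_delay() {
    d=$(( $1 * 2 ))
    if [ "$d" -gt 60 ]; then d=60; fi
    echo "$d"
}

# Run the tunnel forever, reconnecting with backoff whenever ssh exits.
supervise() {
    cmd=$(tunnel_cmd "$@") || { echo "invalid port or address" >&2; return 2; }
    delay=5
    while :; do
        start=$(date +%s)
        $cmd   # unquoted on purpose: every field was validated above
        rc=$?
        # A session that lasted over a minute counts as healthy: reset backoff.
        if [ $(( $(date +%s) - start )) -gt 60 ]; then delay=5; fi
        echo "tunnel exited (status $rc), retrying in ${delay}s" >&2
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

# Constructed usage: ./tunnel.sh run 5514 514 192.0.2.10
if [ "${1:-}" = "run" ]; then
    shift
    supervise "$@"
fi
```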