Ask Your Question
0

rsyslog RSH packet

asked 2019-12-19 09:51:01 +0000

Flatternschu gravatar image

updated 2019-12-19 10:15:11 +0000

grahamb gravatar image

Hello!

So I'm using wireshark to find out how does remote logging works in rsyslog. I found out that RSH packet with Client -> Server data is transmitted each time the remote logging occurs. The RSH data itself looks something like this:

0040   33 06 3c 33 39 3e 4e 6f 76 20 31 34 20 30 38 3a   3.<39>Nov 14 08:
0050   31 32 3a 35 36 20 6c 6f 63 61 6c 68 6f 73 74 20   12:56 localhost 
0060   72 6f 6f 74 3a 20 72 65 61 64 20 74 68 69 73 0a   root: read this.

The message being logged is:

Nov 14 08: 12:56 localhost root: read this.

I'd much appreciate if someone could explaing how rsyslog on server understands that this message is meant for it and whether it needs to log it. I don't understand what <39> stands for in data either.

I'm new to this so please help!

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-12-19 10:14:43 +0000

Guy Harris gravatar image

I'd much appreciate if someone could explaing how rsyslog on server understands that this message is meant for it

Because it's sent to an IP address and TCP/UDP port that, on the remote machine, belongs to a socket used by rsyslog. I.e., it's the same way that, if you receive an envelope in the mail, and it has your name and address on it, you know it's meant for you.

and whether it needs to log it.

That depends on the server's rules, but, generally, a syslog daemon is expected to log everything it's sent.

I don't understand what <39> stands for in data either.

See RFC 5424 "The Syslog Protocol". In particular, see section 6.2.1 "PRI", which explains the first field in a message.

edit flag offensive delete link more

Comments

Thank you! Much appreciate it

Flatternschu gravatar imageFlatternschu ( 2019-12-19 10:21:10 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2019-12-19 09:51:01 +0000

Seen: 156 times

Last updated: Dec 19 '19