centos - Rsyslog through TLS - Server Fault
https://serverfault.com/questions/579709/rsyslog-through-tls


Rsyslog through TLS


Asked 7 years, 7 months ago Active 1 year, 10 months ago Viewed 14k times


I have been trying to get rsyslog to transmit through TLS with no luck so far.

There seems to be something wrong with my configuration, but I cannot pinpoint it.

This is my server conf file:

# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability
$ModLoad imgssapi # provides GSSAPI syslog reception

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 10514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem

# specify senders you permit to access
$AllowedSender TCP, 127.0.0.1, 10.111.1.0/24, *.evoltek.test.com

#add: define logfiles
## /var/log/secure
$template Auth_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.secure"
## /var/log/messages
$template Msg_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.messages"
## /var/log/maillog
$template Mail_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.maillog"
## /var/log/cron
$template Cron_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.cron"


$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem

$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imtcp

$DefaultNetstreamDriver gtls

$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

I have created the certificates following this guide: http://kb.kristianreese.com/index.php?View=entry&EntryID=148

My testing environment does not have FQDNs, so I have left the DN and FQDN fields blank and filled in the IP field.


What OS are you using? In CentOS/RedHat you also have to enable the SSL rsyslog port in SELinux. – b13n1u Mar 4 '14 at 13:49

Just noticed it's CentOS:) – b13n1u Mar 4 '14 at 13:53
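Before chasing the handshake itself, one thing worth checking in the server config in the question is directive order. In the legacy `$Directive` syntax, `$InputTCPServerRun` creates the listener with whatever driver and stream-driver settings are in effect at that point, which is why the rsyslog TLS documentation puts it after `$DefaultNetstreamDriver`, the certificate files and the `$InputTCPServerStreamDriver*` lines; in the question it comes before all of them. The script below is an added example, not code from this thread: it reports every TLS-relevant directive that appears after `$InputTCPServerRun`, prints the listener's auth mode (`anon` means the transport is encrypted but nothing is authenticated), and, when run without an argument, checks a constructed copy of the question's listener directives next to a reordered version of the same lines.

```shell
#!/bin/sh
# Added example (not code from this thread): checks directive order around
# $InputTCPServerRun in a legacy-syntax rsyslog server config. The listener is
# created with the settings in effect when $InputTCPServerRun is processed, so
# the driver, certificate and $InputTCPServerStreamDriver* lines must precede it.
# Usage: sh check-listener.sh [rsyslog.conf]
#   (no argument: checks a built-in copy of the question's listener directives)

# check_tls_listener_order FILE
#   Prints one finding per line; returns 1 if anything is misplaced, else 0.
check_tls_listener_order() {
    awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and indentation
    /^[$]ModLoad[ \t]+imtcp/     { if (!imtcp) imtcp = NR }
    /^[$]InputTCPServerRun[ \t]/ { if (!run) run = NR }
    /^[$]DefaultNetstreamDriver/ || /^[$]InputTCPServerStreamDriver/ {
        if (run && NR > run) {
            late[++n] = "line " NR ": " $1 " comes after $InputTCPServerRun (line " run "); the listener was already created without it"
        }
    }
    END {
        bad = 0
        if (!run)             { print "no $InputTCPServerRun found: no TCP listener is started"; bad = 1 }
        else if (!imtcp)      { print "$InputTCPServerRun used without $ModLoad imtcp"; bad = 1 }
        else if (imtcp > run) { print "line " imtcp ": $ModLoad imtcp comes after $InputTCPServerRun"; bad = 1 }
        for (i = 1; i <= n; i++) { print late[i]; bad = 1 }
        exit bad
    }' "$1"
}

# tls_auth_mode FILE
#   Prints the $InputTCPServerStreamDriverAuthMode value, or "unset".
#   "anon" accepts any TLS client; x509/name plus a permitted-peer list
#   is what actually authenticates the sender.
tls_auth_mode() {
    awk '
    { sub(/#.*/, "") }
    /^[ \t]*[$]InputTCPServerStreamDriverAuthMode[ \t]/ { mode = $2 }
    END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Constructed sample: the listener-related directives from the question's
# server config, in the order the question shows them.
write_question_server_conf() {
    cat > "$1" <<'EOF'
$ModLoad imuxsock
$ModLoad imtcp
$InputTCPServerRun 10514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
EOF
}

# Constructed sample: the same directives, reordered so the listener is
# started last, with peer authentication instead of anon.
write_reordered_server_conf() {
    cat > "$1" <<'EOF'
$ModLoad imuxsock
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.evoltek.test.com
$InputTCPServerRun 10514
EOF
}

conf=${1:-}; tmp=""
if [ -z "$conf" ]; then
    tmp=$(mktemp) || exit 1
    write_question_server_conf "$tmp"
    conf=$tmp
    echo "no config given; checking the question's listener directives"
fi
echo "listener auth mode: $(tls_auth_mode "$conf")"
if check_tls_listener_order "$conf"; then
    echo "listener order OK"
else
    echo "fix: move those lines above \$InputTCPServerRun so the listener is created with them"
fi
if [ -n "$tmp" ]; then rm -f "$tmp"; fi
```

Run against the real file with `sh check-listener.sh /etc/rsyslog.conf`. The checker only understands the legacy directive syntax shown in the thread; it does not parse the newer `input(type="imtcp" ...)` form.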

3 Answers


Rsyslog 5.8 with CentOS 6.9 works for me

Here is a video tutorial: https://youtu.be/eb9GlhD8XnY

Create the certificates on the CA (certificate authority)

sudo mkdir /etc/ssl/rsyslog/
cd /etc/ssl/rsyslog/

Install gnutls-utils

sudo yum install -y gnutls-utils

Generate CA private key (PROTECT THIS KEY!)

sudo certtool --generate-privkey --outfile CA-key.pem
sudo chmod 400 CA-key.pem

Generate CA public key

sudo certtool --generate-self-signed --load-privkey CA-key.pem --outfile CA.pem

Common name: CA.EXAMPLE.COM
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (Y/N): y
Will the certificate be used to sign other certificates? (Y/N): y
Will the certificate be used to sign CRLs? (y/N): y

Create the SERVER private key on the CA (certificate authority)

sudo certtool --generate-privkey --outfile SERVER-key.pem --bits 2048

Create the certificate request for SERVER

sudo certtool --generate-request --load-privkey SERVER-key.pem --outfile SERVER-request.pem

Common name: SERVER.EXAMPLE.COM

Sign SERVER key and allow the key pair to be trusted by the other servers

sudo certtool --generate-certificate --load-request SERVER-request.pem --outfile SERVER-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem

The certificate will expire in (days): 1000
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: SERVER.EXAMPLE.COM

Create the CLIENT private key on the CA (certificate authority)

sudo certtool --generate-privkey --outfile CLIENT-key.pem --bits 2048

Create certificate request for CLIENT

sudo certtool --generate-request --load-privkey CLIENT-key.pem --outfile CLIENT-request.pem

Common name: CLIENT.EXAMPLE.ORG

Sign CLIENT key and allow the key pair to be trusted by the other servers

sudo certtool --generate-certificate --load-request CLIENT-request.pem --outfile CLIENT-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem

The certificate will expire in (days): 1000
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: CLIENT.EXAMPLE.ORG


sudo -u root scp -i ~/.ssh/id_rsa CA.pem CLIENT-* root@172.16.9.40:/etc/ssl/rsyslog/

Install the gtls driver on SERVER and CLIENT

sudo yum install rsyslog-gnutls -y

Configure SERVER

sudo vi /etc/rsyslog.d/rsyslog-tls.conf

# Add
# Listen for TCP
$ModLoad imtcp
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/SERVER-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/SERVER-key.pem
# Auth mode
$InputTCPServerStreamDriverAuthMode x509/name
# Only allow EXAMPLE.COM domain
$InputTCPServerStreamDriverPermittedPeer *.EXAMPLE.COM
# Only use TLS
$InputTCPServerStreamDriverMode 1
# Listen on port 6514
# If you want to use other port configure selinux
$InputTCPServerRun 6514

sudo vi /etc/rsyslog.d/rsyslog-tls.conf

# Add
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/CLIENT-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/CLIENT-key.pem
# Auth mode
$ActionSendStreamDriverAuthMode x509/name
# Only send log to SERVER.EXAMPLE.COM host
$ActionSendStreamDriverPermittedPeer SERVER.EXAMPLE.COM
# Only use TLS
$ActionSendStreamDriverMode 1
# Forward everything to SERVER.EXAMPLE.COM
# If you use hostnames instead of IP configure DNS or /etc/hosts
*.* @@SERVER.EXAMPLE.COM:6514

Restart the rsyslog daemon


It has probably been backported since then. The original question dates back more than 3 years. Thanks for the update – Bruno9779 Jun 27 '17 at 18:12
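The certtool steps in this answer answer the same prompts by hand for every certificate, which gets error-prone once you add more clients. The script below is an added example and is not part of the answer: it drives certtool from template files (certtool's `--template` option) with the same common names, dNSName, expiry and usage values the answer types in, and then verifies each signed certificate against CA.pem with `certtool --verify-chain` before anything is copied to a node. It assumes certtool from gnutls-utils is installed, takes the output directory as its only argument, and reuses the answer's example names; only CA.pem plus a node's own key and certificate need to leave the CA host, while CA-key.pem stays there.

```shell
#!/bin/sh
# Added example, not code from the answer: the same certtool workflow driven
# by template files instead of interactive prompts, with a chain check at the
# end. Usage: sh rsyslog-pki.sh OUTDIR   (e.g. /etc/ssl/rsyslog, as in the answer)

# mk_template KIND CN OUT
#   Writes a certtool template. KIND is ca, server or client. For server and
#   client, CN is also written as the dNSName, which is what rsyslog's
#   x509/name mode compares against the permitted peer list.
mk_template() {
    kind=$1; cn=$2; out=$3
    case $kind in
        ca)     printf 'cn = "%s"\nexpiration_days = 3650\n' "$cn" > "$out"
                printf 'ca\ncert_signing_key\ncrl_signing_key\n' >> "$out" ;;
        server) printf 'cn = "%s"\ndns_name = "%s"\nexpiration_days = 1000\n' "$cn" "$cn" > "$out"
                printf 'tls_www_server\ntls_www_client\nsigning_key\nencryption_key\n' >> "$out" ;;
        client) printf 'cn = "%s"\ndns_name = "%s"\nexpiration_days = 1000\n' "$cn" "$cn" > "$out"
                printf 'tls_www_client\nsigning_key\nencryption_key\n' >> "$out" ;;
        *)      echo "mk_template: unknown kind '$kind'" >&2; return 1 ;;
    esac
}

# gen_ca DIR
#   CA private key (stays on this host) and self-signed CA certificate.
gen_ca() {
    dir=$1
    mk_template ca CA.EXAMPLE.COM "$dir/CA.tpl" || return 1
    certtool --generate-privkey --bits 2048 --outfile "$dir/CA-key.pem" || return 1
    chmod 400 "$dir/CA-key.pem"
    certtool --generate-self-signed --load-privkey "$dir/CA-key.pem" \
        --template "$dir/CA.tpl" --outfile "$dir/CA.pem"
}

# gen_leaf DIR KIND NAME CN
#   Key, request and CA-signed certificate for one node; NAME is the file
#   prefix (SERVER, CLIENT), CN the name rsyslog will check.
gen_leaf() {
    dir=$1; kind=$2; name=$3; cn=$4
    mk_template "$kind" "$cn" "$dir/$name.tpl" || return 1
    certtool --generate-privkey --bits 2048 --outfile "$dir/$name-key.pem" || return 1
    chmod 400 "$dir/$name-key.pem"
    certtool --generate-request --load-privkey "$dir/$name-key.pem" \
        --template "$dir/$name.tpl" --outfile "$dir/$name-request.pem" || return 1
    certtool --generate-certificate --load-request "$dir/$name-request.pem" \
        --load-ca-certificate "$dir/CA.pem" --load-ca-privkey "$dir/CA-key.pem" \
        --template "$dir/$name.tpl" --outfile "$dir/$name-cert.pem"
}

# verify_leaf DIR NAME
#   The check to run before copying files to a node: non-zero if NAME-cert.pem
#   does not chain to CA.pem.
verify_leaf() {
    cat "$1/$2-cert.pem" "$1/CA.pem" | certtool --verify-chain >/dev/null
}

main() {
    dir=$1
    mkdir -p "$dir" || return 1
    gen_ca "$dir" || return 1
    gen_leaf "$dir" server SERVER SERVER.EXAMPLE.COM || return 1
    gen_leaf "$dir" client CLIENT CLIENT.EXAMPLE.ORG || return 1
    for n in SERVER CLIENT; do
        if verify_leaf "$dir" "$n"; then
            echo "$n-cert.pem chains to CA.pem"
        else
            echo "$n-cert.pem does NOT verify against CA.pem" >&2
            return 1
        fi
    done
    echo "copy CA.pem, CLIENT-key.pem and CLIENT-cert.pem to the client; keep CA-key.pem here"
}

# Functions are only defined when no directory is given.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

The server template keeps both `tls_www_server` and `tls_www_client`, as the answer's prompts do; the client template drops `tls_www_server` so a client certificate cannot be reused to impersonate the log server if it leaks.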


In CentOS/RedHat you also have to enable the SSL rsyslog port in SELinux. Something like semanage port -a -t syslogd_port_t -p tcp 10514 should do the trick.

You can check your current syslog port with sudo semanage port -l | grep syslog

Also you can try to run rsyslog in debug mode to see what's happening: stop the rsyslog daemon, then

export RSYSLOG_DEBUGLOG="/path/to/debuglog"

export RSYSLOG_DEBUG="Debug"

now start rsyslog with:

rsyslogd -dn

To check if syntax used is valid use:

rsyslogd -N 1

edited Mar 4 '14 at 14:30, answered Mar 4 '14 at 13:52 by b13n1u

This is a CentOS 6 VE running in OpenVZ. It is only for testing, so I have SELinux removed from the template I use, to avoid headaches – Bruno9779 Mar 4 '14 at 14:10

Have you tried to run rsyslog in debug mode ? – b13n1u Mar 4 '14 at 14:29


I could not find a working configuration for rsyslog 5.8 (from CentOS repos).

I have installed instead the official rsyslog repos and have got rsyslog 7.6.0 up and running in minutes with this configuration.

answered Mar 5 '14 at 11:34 by Bruno9779
