centos - Rsyslog through TLS - Server Fault https://serverfault.com/questions/579709/rsyslog-through-tls
I have been trying to get rsyslog to transmit through TLS with no luck so far.
There seems to be something wrong with my configuration, but I cannot pinpoint it.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability
$ModLoad imgssapi # provides GSSAPI syslog reception
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
My testing environment does not have FQDNs, so I have left the DN and FQDN fields blank and filled in the IP field.
What OS are you using? In CentOS/RedHat you also need to enable the SSL rsyslog port in SELinux. – b13n1u Mar 4 '14 at 13:49
Install gnutls-utils
Sign SERVER key and allow the key pair to be trusted by the other servers
Sign CLIENT key and allow the key pair to be trusted by the other servers
Configure SERVER
sudo vi /etc/rsyslog.d/rsyslog-tls.conf
# Add
# Listen for TCP
$ModLoad imtcp
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/SERVER-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/SERVER-key.pem
# Auth mode
$InputTCPServerStreamDriverAuthMode x509/name
# Only allow EXAMPLE.COM domain
$InputTCPServerStreamDriverPermittedPeer *.EXAMPLE.COM
# Only use TLS
$InputTCPServerStreamDriverMode 1
# Listen on port 6514
# If you want to use another port, configure SELinux
$InputTCPServerRun 6514
Configure CLIENT
sudo vi /etc/rsyslog.d/rsyslog-tls.conf
# Add
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/CLIENT-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/CLIENT-key.pem
# Auth mode
$ActionSendStreamDriverAuthMode x509/name
# Only send log to SERVER.EXAMPLE.COM host
$ActionSendStreamDriverPermittedPeer SERVER.EXAMPLE.COM
# Only use TLS
$ActionSendStreamDriverMode 1
# Forward everything to SERVER.EXAMPLE.COM
# If you use hostnames instead of IPs, configure DNS or /etc/hosts
*.* @@SERVER.EXAMPLE.COM:6514
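A hypothetical lint for the legacy `$Directive value` lines used in this thread (added example, not rsyslog's own code and not from the answer): it parses a config fragment and flags the gaps that usually break gtls forwarding, such as the question's `anon` auth mode on a sender whose server demands `x509/name`. It assumes rsyslog's documented defaults when a directive is unset (stream driver mode 0, auth mode anon).

```python
import re

# Legacy rsyslog directives look like "$Name value"; '#' starts a comment.
DIRECTIVE = re.compile(r"^\$(\w+)\s+(\S.*)$")

# Client-side snippet from the question (copied here as sample input, trimmed).
OP_CLIENT = """
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
"""

def parse_legacy(conf):
    """Split legacy syntax into (directives, loaded modules, TCP forward rules)."""
    directives, modules, rules = {}, set(), []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = DIRECTIVE.match(line)
        if m and m.group(1) == "ModLoad":
            modules.add(m.group(2).removesuffix(".so"))  # imuxsock.so == imuxsock
        elif m:
            directives[m.group(1)] = m.group(2)
        elif "@@" in line:  # "*.* @@host:6514" forwards over TCP
            rules.append(line)
    return directives, modules, rules

def lint_tls(conf, role):
    """Return the TLS problems in conf for role 'server' (imtcp) or 'client'."""
    d, mods, rules = parse_legacy(conf)
    pfx = "InputTCPServer" if role == "server" else "ActionSend"
    problems = []
    if d.get("DefaultNetstreamDriver") != "gtls":
        problems.append("DefaultNetstreamDriver gtls is required for TLS")
    for key in ("CAFile", "CertFile", "KeyFile"):
        if "DefaultNetstreamDriver" + key not in d:
            problems.append(f"missing DefaultNetstreamDriver{key}")
    if d.get(pfx + "StreamDriverMode") != "1":  # default 0 means plain TCP
        problems.append(f"{pfx}StreamDriverMode 1 not set, plain TCP would be used")
    auth = d.get(pfx + "StreamDriverAuthMode", "anon")  # rsyslog's default
    if auth.startswith("x509") and pfx + "StreamDriverPermittedPeer" not in d:
        problems.append(f"{auth} without {pfx}StreamDriverPermittedPeer")
    if role == "server" and ("imtcp" not in mods or "InputTCPServerRun" not in d):
        problems.append("server needs $ModLoad imtcp and an $InputTCPServerRun port")
    if role == "client" and not rules:
        problems.append("no '*.* @@host:port' forwarding rule")
    if role == "client" and auth == "anon":
        problems.append("anon auth: a server requiring x509/name rejects this sender")
    return problems
```

Run `lint_tls(open("/etc/rsyslog.d/rsyslog-tls.conf").read(), "client")` on the sender and the same with `"server"` on the receiver; an empty list means the fragment carries every directive the accepted answer relies on.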
It has probably been backported since then. The original question dates back more than 3 years. Thanks for the update – Bruno9779 Jun 27 '17 at 18:12
In CentOS/RedHat you also need to enable the SSL rsyslog port in SELinux. Something like semanage port -a -t syslogd_port_t -p tcp 10514 should do the trick.
You can check your current syslog port with sudo semanage port -l | grep syslog
Also you can try to run rsyslog in debug mode to see what's happening: stop the rsyslog daemon, then
export RSYSLOG_DEBUGLOG="/path/to/debuglog"
export RSYSLOG_DEBUG="Debug"
rsyslogd -dn
rsyslogd -N 1
answered Mar 4 '14 at 13:52, edited Mar 4 '14 at 14:30 – b13n1u
This is a CentOS 6 VE running in OpenVZ. It is only for testing, so I have SELinux removed from the template I use, to avoid headaches – Bruno9779 Mar 4 '14 at 14:10
Have you tried to run rsyslog in debug mode? – b13n1u Mar 4 '14 at 14:29
I could not find a working configuration for rsyslog 5.8 (from CentOS repos).
I have installed instead the official rsyslog repos and have got rsyslog 7.6.0 up and running in minutes with this configuration.