How to Configure Remote Rsyslog To Accept TLS and Non-TLS in CentOS/RHEL?

Configure Remote Rsyslog To Accept TLS and Non-TLS in CentOS/RHEL, we need to have following servers.

  • Rsyslog server with TLS and non TLS : syslog-server.rootadminz.com
  • Client TLS : syslog-tls.rootadminz.com
  • Client Non TLS: syslog-non-tls.rootadminz.com

 

1. Setup the TLS on rsyslog-server and client.

 

2. Test the TLS is working correctly before continuing.

 

3. On Rsyslog Server, edit /etc/rsyslog.conf with the following options:

TLS connection will use port 1514
Non TLS connection will use por 514

 

Provides the ability to receive syslog messages via plain TCP syslog. This is a specialized input plugin tailored for high performance on Linux. It will probably not run on any other platform. Also, it does not provide TLS services. Encryption can be provided by using stunnel.
This module has no limit on the number of listeners and sessions that can be used.

 

# vi /etc/rsyslog.conf

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # reads kernel messages (the same are read from journald)

module(
load="imptcp"
Threads="2"
)

input(
type="imptcp"
port="514"
)

# Provides TCP syslog reception
$ModLoad imtcp

#Make gtls driver the default

$DefaultNetstreamDriver gtls

# certificate files

$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/collector-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/collector-key.pem

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.rootadminz.com
$ActionSendStreamDriverMode 1

$InputTCPServerRun 10514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.

$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

$template RemoteLogsTesting,"/var/log//%HOSTNAME%/syslog.log"
if $fromhost-ip != '127.0.0.1' then -?RemoteLogsTesting
& stop

#Set the maximum number of files that the rsyslog process can have open at any given time
$MaxOpenFiles 2048

#### RULES ####

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

 

Restart the rsyslog services for the changes to take effect:

# systemctl rsyslog restart

 

4. On Rsyslog Client using TLS, edit /etc/rsyslog.conf

 # vi /etc/rsyslog.conf
#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/sender-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/sender-key.pem

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

# remote host is: name/ip:port, e.g. 147.124.5.2:514, port optional
*.* @@14.47.51.187:10514

 

Restart the rsyslog services for the changes to take effect:

# systemctl rsyslog restart

 

5. On Rsyslog Client NON TLS, edit /etc/rsyslog.conf:

# vi /etc/rsyslog.conf
#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

# remote host is: name/ip:port, e.g. 147.124.5.2:514, port optional
*.*@@14.47.51.187:514 

 

Restart the rsyslog services for the changes to take effect:

# systemctl rsyslog restart

 

Testing :

Client TLS:

[root@syslog-tls ~]# logger rootadminz TEST
[root@syslog-tls ~]# logger rootadminz TEST

 

Client NON TLS:

[root@syslog-non-tls ~]# logger rootadminz test
[root@syslog-non-tls ~]# logger rootadminz test

 

Rsyslog Server:

[root@syslog-server ]# ls
syslog-non-tls syslogtest
[root@syslog-server ]#

 

root@syslog-server syslog-non-tls]# tail -2 syslog.log
Sep 21 18:07:19 syslog-non-tls root: rootadminz test
Sep 21 18:07:20 syslog-non-tls root: rootadminz test

 

[root@syslog-server syslog-tls]# cat syslog.log
Stop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Sep 21 18:22:02 syslog-tls root: rootadminz TEST
Sep 21 18:22:03 syslog-tls root: rootadminz TEST
Sep 21 18:22:03 syslog-tls root: rootadminz TEST

 

[root@syslog-server ]# netstat -tulpan | grep -i 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 2460/rsyslogd
tcp 0 0 0.0.0.0:10514 0.0.0.0:* LISTEN 2460/rsyslogd
tcp 0 0 14.47.51.187:514 10.157.193.131:14178 ESTABLISHED 2460/rsyslogd Non tls server
tcp 0 0 14.47.51.187:10514 10.157.193.159:47027 ESTABLISHED 2460/rsyslogd tls server
tcp6 0 0 :::514 :::* LISTEN 2460/rsyslogd
tcp6 0 0 :::10514 :::* LISTEN 2460/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 2460/rsyslogd
udp6 0 0 :::514 :::* 2460/rsyslogd
[root@syslog-server ]#

 

Was this answer helpful? 0 Users Found This Useful (0 Votes)