Certificate setup.
Server Certificate.
Create the following directory and change into it:
mkdir /etc/ssl/rsyslog/
cd /etc/ssl/rsyslog/
Install the following package, which provides the certtool utility used below to create the certificates:
yum install -y gnutls-utils
Execute the following commands, which create the CA and the server certificate. The CA private key has to exist before it can be protected with chmod and used to self-sign the CA certificate, so it is generated first:
certtool --generate-privkey --outfile CA-key.pem --bits 2048
chmod 400 CA-key.pem
certtool --generate-self-signed --load-privkey CA-key.pem --outfile CA.pem
certtool --generate-privkey --outfile SERVER-key.pem --bits 2048
certtool --generate-request --load-privkey SERVER-key.pem --outfile SERVER-request.pem
certtool --generate-certificate --load-request SERVER-request.pem --outfile SERVER-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem
Client Certificate.
Create the client key and certificate the same way, signed by the same CA:
certtool --generate-privkey --outfile CLIENT-key.pem --bits 2048
certtool --generate-request --load-privkey CLIENT-key.pem --outfile CLIENT-request.pem
certtool --generate-certificate --load-request CLIENT-request.pem --outfile CLIENT-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem
Copy the following three files (the CA certificate, the client certificate and the client key) to /etc/ssl/rsyslog/ on the client machine:
-rw-r--r-- 1 root root 1663 Dec 5 01:01 CA.pem
-rw-r--r-- 1 root root    0 Dec 5 01:01 CLIENT-cert.pem
-rw------- 1 root root 1675 Dec 5 01:01 CLIENT-key.pem
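The interactive certtool prompts above are where the names that x509/name authentication later checks get set, which is easy to get wrong by hand. The script below, an added example and not part of the original post, performs the same issuance non-interactively with certtool templates and verifies each certificate against the CA before moving on. The peer names SERVER.EXAMPLE.COM and CLIENT.EXAMPLE.COM (chosen to match the PermittedPeer patterns used in the configuration files later in this tutorial), the organisation string and the output-directory argument are assumptions.

```shell
#!/bin/sh
# Non-interactive issuance of the CA, server and client certificates for the
# rsyslog TLS setup, driven by certtool templates instead of the prompts.
# Added example, not part of the original post. Assumed: gnutls-utils is
# installed, the peer names SERVER.EXAMPLE.COM / CLIENT.EXAMPLE.COM (chosen to
# match the tutorial's PermittedPeer patterns) and the organisation below.
ORG="Example Corp"   # assumed subject organisation

# Template for the self-signed CA: may sign certificates and nothing else.
ca_template() {
    cat <<EOF
organization = "$ORG"
cn = "rsyslog CA"
expiration_days = 3650
ca
cert_signing_key
EOF
}

# leaf_template FQDN server|client: template for an end-entity certificate.
# x509/name on the far side matches dns_name (or cn) against its PermittedPeer,
# so the name written here is what the peer must be configured to expect.
leaf_template() {
    cat <<EOF
organization = "$ORG"
cn = "$1"
dns_name = "$1"
expiration_days = 730
signing_key
encryption_key
EOF
    case $2 in
        server) echo tls_www_server ;;
        client) echo tls_www_client ;;
    esac
}

# issue_all DIR: CA key and cert, then key, request and CA-signed cert for
# SERVER and CLIENT, each verified against the CA before the script goes on.
# Runs in a subshell so the cd and set -e stay local to the function.
issue_all() (
    set -e
    mkdir -p "$1"
    cd "$1"
    ca_template > ca.tmpl
    leaf_template SERVER.EXAMPLE.COM server > server.tmpl
    leaf_template CLIENT.EXAMPLE.COM client > client.tmpl

    certtool --generate-privkey --bits 2048 --outfile CA-key.pem
    chmod 400 CA-key.pem
    certtool --generate-self-signed --load-privkey CA-key.pem --template ca.tmpl --outfile CA.pem

    for role in SERVER CLIENT; do
        tmpl=$(printf '%s' "$role" | tr 'A-Z' 'a-z').tmpl
        certtool --generate-privkey --bits 2048 --outfile "$role-key.pem"
        chmod 400 "$role-key.pem"
        certtool --generate-request --load-privkey "$role-key.pem" \
                 --template "$tmpl" --outfile "$role-request.pem"
        certtool --generate-certificate --load-request "$role-request.pem" --template "$tmpl" \
                 --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem --outfile "$role-cert.pem"
        # Refuse to continue with a certificate that does not chain to the CA;
        # an empty or unsigned file here is what breaks the TLS handshake later.
        certtool --verify --load-ca-certificate CA.pem --infile "$role-cert.pem"
    done
    ls -l CA.pem SERVER-cert.pem SERVER-key.pem CLIENT-cert.pem CLIENT-key.pem
)

# Usage: sh issue-rsyslog-certs.sh /etc/ssl/rsyslog
if [ -n "$1" ]; then
    issue_all "$1"
else
    echo "usage: $0 OUTPUT_DIR   (e.g. /etc/ssl/rsyslog)" >&2
fi
```

Run it with the certificate directory as its only argument; afterwards CA.pem, CLIENT-cert.pem and CLIENT-key.pem are the three files to copy to the client. The dns_name in each leaf template is the value the other side's PermittedPeer pattern is matched against, so change the names in issue_all and in the rsyslog configuration together.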
Server Setup.
Create the following configuration file:
sudo vi /etc/rsyslog.d/rsyslog-tls.conf
with this content:
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/SERVER-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/SERVER-key.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.EXAMPLE.COM
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 10514
Restart rsyslog on the server so that the changes take effect:
/etc/init.d/rsyslog restart
Running netstat shows that it is listening on both the encrypted port (10514) and the unencrypted port (514) for log traffic. The plaintext listener on 514 is not opened by rsyslog-tls.conf; it comes from the existing imtcp configuration and should be disabled there if only encrypted input is wanted.
[root@f842608432ca rsyslog.d]# netstat -ntl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10514           0.0.0.0:*               LISTEN
tcp        0      0 :::514                  :::*                    LISTEN
tcp        0      0 :::10514                :::*                    LISTEN
[root@f842608432ca rsyslog.d]#
Client Setup.
Create the matching configuration file on the client:
sudo vi /etc/rsyslog.d/rsyslog-tls.conf
with this content:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/CLIENT-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/CLIENT-key.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer SERVER.EXAMPLE.COM
$ActionSendStreamDriverMode 1
*.* @@SERVER.EXAMPLE.COM:10514
Replace SERVER.EXAMPLE.COM in the forwarding line with the IP address of your rsyslog server. The PermittedPeer value is compared with the name in the server's certificate, not with the address you connect to, so it must stay the common name you entered when creating SERVER-cert.pem.
Restart rsyslog on the client so that the changes take effect:
/etc/init.d/rsyslog restart
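Both configuration files above depend on three settings being right at once: the gtls driver, StreamDriverMode 1 and an AuthMode that actually checks the peer's name; leave one at its default and rsyslog still starts, but the transport is plaintext or unauthenticated. The script below, an added example and not part of the original post or of rsyslog, lints a legacy-syntax rsyslog file for those settings and for a private key left readable by group or other. The sample files it writes are constructed copies of the tutorial's server and client configs plus a deliberately weak variant.

```shell
#!/bin/sh
# Lint an rsyslog legacy-syntax ("$Directive value") TLS configuration for the
# settings that silently weaken the setup. Added example, not part of the
# tutorial or of rsyslog; the files written by write_samples are constructed.

# conf_value FILE DIRECTIVE: value of the first matching directive, or nothing.
conf_value() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# check_rsyslog_tls_conf FILE: prints one line per finding; returns 0 only when
# nothing was flagged. Handles both the imtcp (server) and the omfwd (client)
# side, whose stream-driver directives differ only in their prefix.
check_rsyslog_tls_conf() {
    f=$1; findings=0; seen=0
    drv=$(conf_value "$f" '$DefaultNetstreamDriver')
    if [ "$drv" != gtls ]; then
        echo "$f: DefaultNetstreamDriver is '${drv:-unset}', expected gtls"
        findings=$((findings + 1))
    fi
    for prefix in InputTCPServer ActionSend; do
        mode=$(conf_value "$f" "\$${prefix}StreamDriverMode")
        auth=$(conf_value "$f" "\$${prefix}StreamDriverAuthMode")
        peer=$(conf_value "$f" "\$${prefix}StreamDriverPermittedPeer")
        [ -z "$mode$auth$peer" ] && continue   # this side is not configured here
        seen=1
        if [ "$mode" != 1 ]; then
            echo "$f: ${prefix}StreamDriverMode is '${mode:-unset}'; 1 enables TLS, 0 (the default) is plaintext"
            findings=$((findings + 1))
        fi
        case $auth in
            x509/name)
                if [ -z "$peer" ]; then
                    echo "$f: ${prefix}StreamDriverAuthMode is x509/name but no PermittedPeer is set to match against"
                    findings=$((findings + 1))
                fi ;;
            x509/fingerprint) ;;   # peer pinned by certificate fingerprint, also fine
            x509/certvalid)
                echo "$f: ${prefix}StreamDriverAuthMode x509/certvalid accepts any certificate the CA signed; use x509/name"
                findings=$((findings + 1)) ;;
            *)
                echo "$f: ${prefix}StreamDriverAuthMode '${auth:-unset}' does not authenticate the peer; use x509/name"
                findings=$((findings + 1)) ;;
        esac
    done
    if [ "$seen" -eq 0 ]; then
        echo "$f: no StreamDriver directives found; TLS is configured neither for input nor for forwarding"
        findings=$((findings + 1))
    fi
    # A private key readable by group or other undoes the whole setup.
    key=$(conf_value "$f" '$DefaultNetstreamDriverKeyFile')
    if [ -n "$key" ] && [ -f "$key" ]; then
        grp_oth=$(ls -ld "$key" | cut -c5-10)   # group and other permission bits
        if [ "$grp_oth" != "------" ]; then
            echo "$f: key $key is readable by group/other (bits $grp_oth); chmod 400 it"
            findings=$((findings + 1))
        fi
    fi
    [ "$findings" -eq 0 ]
}

# write_samples DIR: constructed sample files, mirroring the tutorial's configs.
write_samples() {
    dir=$1
    : > "$dir/ok-key.pem";   chmod 600 "$dir/ok-key.pem"
    : > "$dir/weak-key.pem"; chmod 644 "$dir/weak-key.pem"
    cat > "$dir/server-ok.conf" <<'EOF'
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/SERVER-cert.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.EXAMPLE.COM
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 10514
EOF
    printf '$DefaultNetstreamDriverKeyFile %s\n' "$dir/ok-key.pem" >> "$dir/server-ok.conf"
    cat > "$dir/client-ok.conf" <<'EOF'
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/CLIENT-cert.pem
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer SERVER.EXAMPLE.COM
$ActionSendStreamDriverMode 1
*.* @@SERVER.EXAMPLE.COM:10514
EOF
    printf '$DefaultNetstreamDriverKeyFile %s\n' "$dir/ok-key.pem" >> "$dir/client-ok.conf"
    # Weak variant: plain TCP driver, mode 0, anonymous peers, world-readable key.
    cat > "$dir/server-weak.conf" <<'EOF'
$ModLoad imtcp
$DefaultNetstreamDriver ptcp
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 0
$InputTCPServerRun 10514
EOF
    printf '$DefaultNetstreamDriverKeyFile %s\n' "$dir/weak-key.pem" >> "$dir/server-weak.conf"
}

# Stand-alone demo: lint the three constructed files in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    for c in server-ok client-ok server-weak; do
        check_rsyslog_tls_conf "$d/$c.conf" && echo "$c.conf: no findings"
    done
    rm -rf "$d"
}
demo
```

To lint a live system, call check_rsyslog_tls_conf on /etc/rsyslog.d/rsyslog-tls.conf (and on any other file that sets these directives, since rsyslog merges them); the weak sample reports four findings, the two tutorial-style files none.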
Now, to test that logs are transmitted, execute on the client:
logger -i -t cron "Boom, shagalaga."
To verify that the logs arrive on the encrypted port, connect to the server and run the following:
tcpdump port 10514
This listens for traffic on the encrypted port. Successful results should look like this:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
03:45:29.688443 IP 172.17.0.4.59038 > f842608432ca.10514: Flags [S], seq 299354345, win 29200, options [mss 1460,sackOK,TS val 16418731 ecr 0,nop,wscale 7], length 0
03:45:29.688660 IP f842608432ca.10514 > 172.17.0.4.59038: Flags [S.], seq 3462609508, ack 299354346, win 28960, options [mss 1460,sackOK,TS val 16418731 ecr 16418731,nop,wscale 7], length 0
03:45:29.688903 IP 172.17.0.4.59038 > f842608432ca.10514: Flags [.], ack 1, win 229, options [nop,nop,TS val 16418731 ecr 16418731], length 0
03:45:29.689938 IP 172.17.0.4.59038 > f842608432ca.10514: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 16418731 ecr 16418731], length 0
03:45:29.690544 IP f842608432ca.10514 > 172.17.0.4.59038: Flags [.], ack 2, win 227, options [nop,nop,TS val 16418732 ecr 16418731], length 0
03:45:29.764463 IP f842608432ca.10514 > 172.17.0.4.59038: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 16418739 ecr 16418731], length 0
03:45:29.764599 IP 172.17.0.4.59038 > f842608432ca.10514: Flags [.], ack 2, win 229, options [nop,nop,TS val 16418739 ecr 16418739], length 0