The Geek Diary

How to Configure Remote Rsyslog To Accept TLS and Non-TLS in CentOS/RHEL

by admin

This post shows how to configure a CentOS/RHEL rsyslog server to accept remote log messages over both TLS and plain (unencrypted) TCP, on separate ports, so that clients that cannot do TLS can still ship logs while the ones that can are encrypted and authenticated. Let's say we have the following servers.

  • Rsyslog server accepting TLS and non-TLS : syslog-server.geeklab.com
  • TLS client : syslog-tls.geeklab.com
  • Non-TLS client : syslog-non-tls.geeklab.com

1. Use the following guide to set up TLS on the rsyslog server and the TLS client:

How to Configure rsyslog Server to Accept Logs via SSL/TLS

2. Test that TLS is working correctly before continuing.

3. On the rsyslog server, edit /etc/rsyslog.conf with the following options:

TLS connections will use port 10514 (imtcp with the gtls netstream driver)
Non-TLS connections will use port 514 (imptcp, plain TCP)

Keep in mind that the plain TCP listener on 514 accepts unauthenticated messages from any host that can reach it, and that the %HOSTNAME% used in the per-host file path below is taken from the message itself, so a sender on the plain port can write into any host's directory. Restrict who can reach port 514 (host firewall) and use it only for clients that really cannot do TLS.

Please refer to the rsyslog documentation for the imptcp module: http://www.rsyslog.com/doc/v8-stable/configuration/modules/imptcp.html

Provides the ability to receive syslog messages via plain TCP syslog. This is a specialized input plugin tailored for high performance on Linux. It will probably not run on any other platform. Also, it does not provide TLS services. Encryption can be provided by using stunnel.

This module has no limit on the number of listeners and sessions that can be used.

# vi /etc/rsyslog.conf

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal (required here: $OmitLocalLogging is on below, so local messages only arrive through imjournal)
#$ModLoad imklog # reads kernel messages (the same are read from journald, so loading it alongside imjournal duplicates them)

# Plain TCP listener on 514 (imptcp cannot do TLS; see the note above)
module(
load="imptcp"
Threads="2"
)

input(
type="imptcp"
port="514"
)

# Provides TCP syslog reception (imtcp supports TLS through the gtls netstream driver)
$ModLoad imtcp

# Make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/collector-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/collector-key.pem

# Listener-side TLS settings. These must be the $InputTCPServer* directives:
# the $ActionSendStreamDriver* variants apply only to outgoing forwarding
# actions and would leave this listener in plaintext mode (mode 0 is the default).
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode x509/name # clients must present a certificate signed by the CA above
$InputTCPServerStreamDriverPermittedPeer *.geeklab.com # and its name must be in this domain

$InputTCPServerRun 10514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.

$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

# One file per sending host; %HOSTNAME% comes from the message itself, not from the connection
$template RemoteLogsTesting,"/var/log/%HOSTNAME%/syslog.log"
if $fromhost-ip != '127.0.0.1' then -?RemoteLogsTesting
& stop

#Set the maximum number of files that the rsyslog process can have open at any given time
$MaxOpenFiles 2048

#### RULES ####

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

Restart the rsyslog services for the changes to take effect:

# systemctl restart rsyslog

4. On the TLS rsyslog client, edit /etc/rsyslog.conf:

# vi /etc/rsyslog.conf
#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/sender-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/sender-key.pem

$ActionSendStreamDriverAuthMode x509/name
# Only the real collector's certificate is accepted. A bare "*" here would accept
# any certificate the CA has ever signed, including another client's.
$ActionSendStreamDriverPermittedPeer syslog-server.geeklab.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@10.157.193.9:10514

Restart the rsyslog services for the changes to take effect:

# systemctl restart rsyslog

5. On the non-TLS rsyslog client, edit /etc/rsyslog.conf. Everything this client sends travels in the clear over TCP, so use this configuration only for clients that cannot run TLS:

# vi /etc/rsyslog.conf
#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@10.157.193.9:514

Restart the rsyslog services for the changes to take effect:

# systemctl restart rsyslog
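Before restarting anything on the three hosts, it is worth auditing the config files for the mistakes that silently leave the TLS port in plaintext. The following added example (not part of the original post or of rsyslog) is a small linter for the legacy rsyslog syntax used on this page: it flags an imtcp listener that is not in driver mode 1, $ActionSendStreamDriver* directives on a machine that forwards nothing, a PermittedPeer of "*", and forwarding over plain TCP or UDP. The embedded sample configs are constructed, trimmed copies of the three configs in steps 3 to 5; the host names and the server address are the ones used above.

```python
"""Static audit of rsyslog legacy-syntax configs for the TLS pitfalls in this post.

Added example, not code from the original post or from the rsyslog project.
It parses only what the post uses: legacy "$Directive value" lines,
module(load=...)/input(type=...) one-liners and "@host"/"@@host" forwarding
rules; RainerScript action() blocks are not understood.
"""
import re
import sys
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (stable code, human-readable explanation)


def _lines(conf: str) -> List[str]:
    """Config lines with '#' comments and blank lines removed."""
    return [l for l in (raw.split("#", 1)[0].strip() for raw in conf.splitlines()) if l]


def _directives(lines: List[str]) -> Dict[str, List[str]]:
    """Legacy '$Name value' directives keyed by lower-cased name (rsyslog is case-insensitive)."""
    found: Dict[str, List[str]] = {}
    for line in lines:
        m = re.match(r"\$(\w+)\s+(.*)$", line)
        if m:
            found.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return found


def audit_rsyslog_conf(conf: str) -> List[Finding]:
    lines = _lines(conf)
    d = _directives(lines)
    text = "\n".join(lines)
    findings: List[Finding] = []

    def first(name: str, default: str = "") -> str:
        return d.get(name, [default])[0].lower()

    loaded = {v.split()[0].lower() for v in d.get("modload", [])}
    loaded |= {m.lower() for m in re.findall(r'load\s*=\s*"(\w+)"', text)}
    gtls = first("defaultnetstreamdriver") == "gtls"

    # Receiver side: an imtcp listener is plaintext unless driver mode 1 is set on the *input*.
    if "inputtcpserverrun" in d or 'type="imtcp"' in text.replace(" ", "").lower():
        if not gtls or first("inputtcpserverstreamdrivermode", "0") != "1":
            findings.append(("LISTENER_NOT_TLS",
                             "imtcp listener without gtls driver mode 1: it accepts plaintext"))
        else:
            auth = first("inputtcpserverstreamdriverauthmode", "anon")
            peer = first("inputtcpserverstreamdriverpermittedpeer")
            if auth == "anon":
                findings.append(("CLIENT_NOT_AUTHENTICATED", "any client can connect (AuthMode anon)"))
            elif auth == "x509/name" and peer in ("", "*"):
                findings.append(("PEER_WILDCARD_ANY",
                                 "PermittedPeer missing or '*': any CA-signed certificate is accepted"))
    if "imptcp" in loaded:
        findings.append(("PLAINTEXT_LISTENER", "imptcp input is plain TCP; imptcp cannot do TLS"))

    # Sender side: '@' is UDP, '@@' is TCP; TCP is encrypted only with gtls + send mode 1.
    forwards = re.findall(r"^[^@\s]+\s*(@@?)(\S+)$", text, re.M)
    for framing, target in forwards:
        if framing == "@":
            findings.append(("UDP_FORWARD", f"{target}: UDP cannot be encrypted or authenticated"))
        elif not gtls or first("actionsendstreamdrivermode", "0") != "1":
            findings.append(("PLAINTEXT_FORWARD", f"{target}: plain TCP, no TLS"))
        else:
            auth = first("actionsendstreamdriverauthmode", "anon")
            peer = first("actionsendstreamdriverpermittedpeer")
            if auth == "anon":
                findings.append(("SERVER_NOT_AUTHENTICATED", f"{target}: server certificate not verified"))
            elif auth == "x509/name" and peer in ("", "*"):
                findings.append(("PEER_WILDCARD_ANY",
                                 f"{target}: PermittedPeer missing or '*' accepts any CA-signed server"))
    if any(n.startswith("actionsendstreamdriver") for n in d) and not forwards:
        findings.append(("SEND_DIRECTIVES_ON_RECEIVER",
                         "$ActionSendStreamDriver* only affect forwarding actions; "
                         "a listener needs the $InputTCPServerStreamDriver* equivalents"))
    return findings


def finding_codes(conf: str) -> set:
    return {code for code, _ in audit_rsyslog_conf(conf)}


# Constructed samples, trimmed from the post. RECEIVER_AS_POSTED carries the TLS
# directives in $ActionSend* form; RECEIVER_FIXED uses the listener-side form.
RECEIVER_AS_POSTED = """
module(load="imptcp" threads="2")
input(type="imptcp" port="514")
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.geeklab.com
$ActionSendStreamDriverMode 1
$InputTCPServerRun 10514
"""
RECEIVER_FIXED = RECEIVER_AS_POSTED.replace("$ActionSend", "$InputTCPServer")
CLIENT_TLS_AS_POSTED = """
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
*.* @@10.157.193.9:10514
"""
CLIENT_TLS_FIXED = CLIENT_TLS_AS_POSTED.replace("PermittedPeer *", "PermittedPeer syslog-server.geeklab.com")
CLIENT_PLAIN = "*.*@@10.157.193.9:514\n"

if __name__ == "__main__":
    # Audit the files given on the command line, or the built-in samples.
    targets = {p: open(p).read() for p in sys.argv[1:]} or {
        "receiver (as posted)": RECEIVER_AS_POSTED, "receiver (fixed)": RECEIVER_FIXED,
        "tls client (as posted)": CLIENT_TLS_AS_POSTED, "tls client (fixed)": CLIENT_TLS_FIXED,
        "plain client": CLIENT_PLAIN}
    for name, conf in targets.items():
        print(f"== {name}")
        for code, why in audit_rsyslog_conf(conf) or [("OK", "no TLS findings")]:
            print(f"  {code}: {why}")
```

Run it as `python3 audit_rsyslog.py /etc/rsyslog.conf /etc/rsyslog.d/*.conf` on each host; the PLAINTEXT_LISTENER finding on the server is expected here, since the 514 listener is deliberately plain, but any LISTENER_NOT_TLS or SEND_DIRECTIVES_ON_RECEIVER finding means the 10514 port is not actually protected.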

Testing:

Client TLS:

[root@syslog-tls ~]# logger geeklab TEST
[root@syslog-tls ~]# logger geeklab TEST

Client NON TLS:

[root@syslog-non-tls ~]# logger geeklab test
[root@syslog-non-tls ~]# logger geeklab test

Rsyslog Server:

[root@syslog-server ]# ls
syslog-non-tls syslogtest
[root@syslog-server ]#
[root@syslog-server syslog-non-tls]# tail -2 syslog.log
Sep 21 18:07:19 syslog-non-tls root: geeklab test
Sep 21 18:07:20 syslog-non-tls root: geeklab test
[root@syslog-server syslog-tls]# cat syslog.log
Stop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Sep 21 18:22:02 syslog-tls root: geeklab TEST
Sep 21 18:22:03 syslog-tls root: geeklab TEST
Sep 21 18:22:03 syslog-tls root: geeklab TEST
[root@syslog-server ]# netstat -tulpan | grep -i 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 2460/rsyslogd
tcp 0 0 0.0.0.0:10514 0.0.0.0:* LISTEN 2460/rsyslogd
tcp 0 0 10.157.193.9:514 10.157.193.131:14178 ESTABLISHED 2460/rsyslogd <- non-TLS client
tcp 0 0 10.157.193.9:10514 10.157.193.159:47027 ESTABLISHED 2460/rsyslogd <- TLS client
tcp6 0 0 :::514 :::* LISTEN 2460/rsyslogd
tcp6 0 0 :::10514 :::* LISTEN 2460/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 2460/rsyslogd
udp6 0 0 :::514 :::* 2460/rsyslogd
[root@syslog-server ]#

Note the UDP listener on 514: nothing in the /etc/rsyslog.conf shown above opens it, so it must come from an imudp input in one of the included /etc/rsyslog.d/*.conf files. UDP syslog can be neither encrypted nor authenticated, so remove that input unless it is actually needed.
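To see the difference between the two ports from the client side, the following added example (my code, not from the original post or from rsyslog) opens a mutually authenticated TLS connection to 10514, checks the server certificate's names against a PermittedPeer pattern the way the TLS client's config does, and sends an RFC 3164 test line; it then sends the same kind of line in the clear to 514. The server address and certificate paths are the ones from the post; peer_name_matches is this example's own model of rsyslog's documented PermittedPeer wildcard matching (a wildcard stands for one name label, a bare "*" matches anything), not rsyslog's code.

```python
"""Probe the two listeners from a client, like the logger(1) tests above,
but with the TLS side's checks made explicit.

Added example, not code from the original post or from rsyslog. The network
functions need the post's hosts and the client's certificate files to be in
place (paths below are the ones the post uses). The pure functions (frame
building, peer-name matching, certificate name extraction) run anywhere.
"""
import fnmatch
import socket
import ssl
import time
from typing import Dict, List, Optional


def rfc3164_timestamp(now: Optional[time.struct_time] = None) -> str:
    """'Mmm dd hh:mm:ss' with a space-padded day, as RFC 3164 requires."""
    ts = time.strftime("%b %d %H:%M:%S", now or time.localtime())
    return ts[:4] + " " + ts[5:] if ts[4] == "0" else ts


def build_syslog_frame(hostname: str, tag: str, msg: str, pri: int = 13,
                       timestamp: Optional[str] = None) -> bytes:
    """Newline-framed RFC 3164 message, the default framing imtcp/imptcp accept.
    pri 13 = facility user (1) * 8 + severity notice (5), what logger(1) sends."""
    return f"<{pri}>{timestamp or rfc3164_timestamp()} {hostname} {tag}: {msg}\n".encode()


def peer_name_matches(permitted: str, name: str) -> bool:
    """'*' alone matches any name; otherwise labels are compared one by one and a
    '*' inside a label matches within that label only ('*.geeklab.com' does not
    match 'a.b.geeklab.com'). Model of the documented PermittedPeer behaviour."""
    if permitted == "*":
        return True
    p = permitted.lower().split(".")
    n = name.lower().rstrip(".").split(".")
    return len(p) == len(n) and all(fnmatch.fnmatchcase(nl, pl) for pl, nl in zip(p, n))


def cert_names(peercert: Dict) -> List[str]:
    """Names an x509/name check is made against: SAN dNSName entries, then the subject
    CN (peercert is the dict returned by SSLSocket.getpeercert())."""
    names = [v for k, v in peercert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def probe_tls(host: str, port: int, permitted_peer: str, frame: bytes,
              cafile: str, certfile: str, keyfile: str) -> List[str]:
    """Mutually authenticated TLS to the imtcp listener; returns the server's certificate
    names. The post forwards to an IP, so Python's hostname check is off and the
    certificate names are matched against permitted_peer as the client config's
    PermittedPeer would be."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED          # a CA-signed server cert is still mandatory
    ctx.load_cert_chain(certfile, keyfile)       # our client certificate (sender-cert/key)
    with socket.create_connection((host, port), timeout=5) as raw, ctx.wrap_socket(raw) as tls:
        names = cert_names(tls.getpeercert())
        if not any(peer_name_matches(permitted_peer, n) for n in names):
            raise ssl.SSLError(f"server names {names} do not match {permitted_peer!r}")
        tls.sendall(frame)
        return names


def probe_plain(host: str, port: int, frame: bytes) -> int:
    """Plain TCP to the imptcp listener; returns bytes sent. Anyone who can reach the
    port can do the same with any HOSTNAME in the frame, which is what selects the
    directory under /var/log on the server."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(frame)
    return len(frame)


if __name__ == "__main__":
    SERVER = "10.157.193.9"                       # the collector's address from the post
    PKI = "/etc/pki/tls/private/"
    names = probe_tls(SERVER, 10514, "syslog-server.geeklab.com",
                      build_syslog_frame("syslog-tls", "root", "geeklab TEST"),
                      PKI + "ca-cert.pem", PKI + "sender-cert.pem", PKI + "sender-key.pem")
    print("TLS 10514: sent, server presented", names)
    sent = probe_plain(SERVER, 514, build_syslog_frame("syslog-non-tls", "root", "geeklab test"))
    print(f"plain 514: sent {sent} bytes")
```

Run from the TLS client as root (the key file is root-only). If probe_tls raises on the name check while openssl s_client connects fine, the server certificate's SAN or CN does not match what the client's PermittedPeer expects, which is exactly the condition rsyslog itself rejects in x509/name mode.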

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2023 · The Geek Diary

  • Archives
  • Contact Us
  • Copyright