TLS fails to start on the client side...

Postby martin_pg on Fri Oct 03, 2008 12:33 pm

Hi all,

I'm failing on my first attempt at setting up rsyslog to use TLS... :(
The simplest possible scenario I can set up is made up of two boxes: rsyslog-client and rsyslog-server.

rsyslog-server seems to be fine. rsyslog comes up flawlessly and accepts messages via TCP and UDP, with or w/o TLS encryption. That's fine...

rsyslog-client won't come up cleanly.
I see the following error message on the local /var/log/messages file:
--
2008-10-03T07:15:18.977361-04:00 rsyslog-client rsyslogd:could not load module '/usr/lib/rsyslog/lmnsd_gtls.so', rsyslog error -2078: No such file or directory
--

but oddly enough, the file is there:
--
# ls -l /usr/lib/rsyslog/lmnsd_gtls.so
-rwxr-xr-x 1 root root 82311 Sep 8 08:53 /usr/lib/rsyslog/lmnsd_gtls.so
--

It works only if I use UDP to send syslog messages from the client side...

Am I overlooking something obvious?


Cheers,
Martin
martin_pg
Average
Posts: 15
Joined: Thu Jul 03, 2008 3:30 pm

Re: TLS fails to start on the client side...

Postby rgerhards on Fri Oct 03, 2008 12:58 pm

Is lmnsd_gtls in the same directory as imudp.so and the other modules?
rgerhards
Site Admin
Posts: 1780
Joined: Thu Feb 13, 2003 11:57 am

Re: TLS fails to start on the client side...

Postby martin_pg on Fri Oct 03, 2008 1:08 pm

Hi,

yes.

# pwd
/usr/lib/rsyslog
# ls -l
total 612
-rwxr-xr-x 1 root root 35928 Jul 16 11:28 imfile.so
-rwxr-xr-x 1 root root 61422 Jul 16 11:28 imklog.so
-rwxr-xr-x 1 root root 19727 Jul 16 11:28 immark.so
-rwxr-xr-x 1 root root 30210 Jul 16 11:28 imtcp.so
-rwxr-xr-x 1 root root 27293 Jul 16 11:28 imudp.so
-rwxr-xr-x 1 root root 28737 Jul 16 11:28 imuxsock.so
-rwxr-xr-x 1 root root 51256 Jul 16 11:28 lmnet.so
-rwxr-xr-x 1 root root 56607 Jul 16 11:28 lmnetstrms.so
-rwxr-xr-x 1 root root 82311 Sep 8 08:53 lmnsd_gtls.so <--- here it is!
-rwxr-xr-x 1 root root 55596 Jul 16 11:28 lmnsd_ptcp.so
-rwxr-xr-x 1 root root 19050 Jul 16 11:28 lmregexp.so
-rwxr-xr-x 1 root root 27179 Jul 16 11:28 lmtcpclt.so
-rwxr-xr-x 1 root root 59822 Jul 16 11:28 lmtcpsrv.so
-rwxr-xr-x 1 root root 23823 Jul 16 11:28 omtesting.so


Furthermore:
--
# file lmnsd_gtls.so
lmnsd_gtls.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), not stripped

# ldd lmnsd_gtls.so
linux-gate.so.1 => (0x00a3a000)
libgnutls.so.13 => /usr/lib/libgnutls.so.13 (0x00f12000)
libc.so.6 => /lib/libc.so.6 (0x00110000)
libz.so.1 => /usr/lib/libz.so.1 (0x00aee000)
libgcrypt.so.11 => /usr/lib/libgcrypt.so.11 (0x00d82000)
libgpg-error.so.0 => /usr/lib/libgpg-error.so.0 (0x00a58000)
/lib/ld-linux.so.2 (0x00b34000)
libnsl.so.1 => /lib/libnsl.so.1 (0x00b16000)
--

TIA,
Martin

Re: TLS fails to start on the client side...

Postby rgerhards on Fri Oct 03, 2008 4:03 pm

Could you get me a debug log as described here?

http://www.rsyslog.com/doc-troubleshoot.html

Re: TLS fails to start on the client side...

Postby martin_pg on Mon Oct 06, 2008 10:13 am

Hi,

sure! but this is rsyslog 3.19.7 and the -N1 option is not implemented.
--
# /sbin/rsyslogd -c 3 -f /etc/rsyslog.conf -N1
/sbin/rsyslogd: invalid option -- N
usage: rsyslogd [-cversion] [-46AdnqQvwx] [-lhostlist] [-sdomainlist]
[-fconffile] [-ipidfile]
To run rsyslogd in native mode, use "rsyslogd -c3 <other options>"

For further information see http://www.rsyslog.com/doc
--

Anyway, I'm enclosing the output file from running the command "rsyslogd -c 3 -dn | tee rsyslog-client_debugFile.txt".


TIA,
Martin

Re: TLS fails to start on the client side...

Postby rgerhards on Mon Oct 06, 2008 10:14 am

Martin, please see this link under "debug log". I do not need the config check, but the log. It tells what happens during run (if instrumentation is sufficient for this case, which it usually is). sorry for the confusion.

Re: TLS fails to start on the client side...

Postby martin_pg on Mon Oct 06, 2008 10:22 am

Hi Rainer,

OK, here you are! :)
I hope this all makes sense...


Danke! :)
Martin
Attachment: rsyslog-client_debugFile.zip (output of rsyslogd -c 3 -dn, 14.19 KiB)

Re: TLS fails to start on the client side...

Postby rgerhards on Mon Oct 06, 2008 10:26 am

Oops ... I don't see any reference to this module in the debug file? Did you have the error message during that run? It looks like a directive was commented out (from the parts of the config I can see in the debug log).

Rainer

Re: TLS fails to start on the client side...

Postby martin_pg on Mon Oct 06, 2008 10:48 am

Hmm... this is the relevant part of the /etc/rsyslog.conf file
--
# make gtls driver the default
$DefaultNetstreamDriver gtls
[...]
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
--

The only error I see on the logfile is the one I already posted:
--
2008-10-06T05:48:55.219149-04:00 rsyslog-client rsyslogd:could not load module '/usr/lib/rsyslog/lmnsd_gtls.so', rsyslog error -2078: No such file or directory
--


Cheers,
Martin

Re: TLS fails to start on the client side...

Postby rgerhards on Mon Oct 06, 2008 10:54 am

... but that message is not in the debug log. So I assume what you see is from a previous run?

Re: TLS fails to start on the client side...

Postby martin_pg on Mon Oct 06, 2008 10:57 am

no... I see it right now in /var/log/messages on the local machine and in /var/log/system-hostname on the logserver, which only updates if I use UDP and not TCP...
In other words: I haven't changed anything since I sent the debug file.

Re: TLS fails to start on the client side...

Postby rgerhards on Mon Oct 06, 2008 11:00 am

Then the debug file does not match the run - or something really weird is going on. Can you please also post your config? But if it is weird, I may not be able to look at it the next couple of days due to other work.

Re: TLS fails to start on the client side...

Postby martin_pg on Mon Oct 06, 2008 11:11 am

Hi,

this is the rsyslog-client conf file:
--
# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.

$ModLoad immark.so # provides --MARK-- message capability
$ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done by rklogd)

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
#$DefaultNetstreamDriverCAFile /etc/certs/ca.pem
$DefaultNetstreamDriverCertFile /etc/certs/rsyslogclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/certs/rsyslogclient-key.pem

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logserver.gci.igmg
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode


# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -/var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* -/var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit -/var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName uniqName # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount 5 # five retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @logserver
--

note: this is using UDP for it to work. Using TCP won't send a single piece of information down the wire to logserver... which I think is normal due to the TLS encryption... or?

Re: TLS fails to start on the client side...

Postby rgerhards on Mon Oct 06, 2008 11:13 am

Well... With that config, you cannot get the error message you claim to have gotten ;) Simply because it can only occur in the case TCP is used - with UDP, you cannot have TLS. So the reason you don't see anything when trying to use TCP is that *then* the error happens and thus the action is disabled. Please switch back to TCP and then provide me a debug file of such a run.
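As an added example (not part of this thread and not rsyslog's own code), the shell script below lints a legacy-syntax rsyslog v3 client config for the two mismatches visible in the config Martin posted: a forwarding action written as `@host` (UDP) while `$DefaultNetstreamDriver gtls` and `$ActionSendStreamDriverMode 1` are set, which can never be encrypted because the gtls driver only rides on TCP (`@@host`), and `$ActionSendStreamDriverAuthMode x509/name` with `$DefaultNetstreamDriverCAFile` commented out, which leaves the client with no CA to validate the server certificate against before it checks the permitted peer name. The function names and the two sample configs (one reduced from the posted file, one corrected to `@@logserver` with the CA line enabled) are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread or from rsyslog: lint a legacy "$Directive"
# rsyslog client config for TLS pitfalls. Function names and sample configs are
# constructed for this example.

# Drop '#' comments and blank lines so commented-out directives do not count.
strip_comments() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Count lines of the stripped config text ($2) matching basic regex $1 (0 if none).
count_matches() {
    printf '%s\n' "$2" | grep -ci -- "$1" || true
}

# Print one finding per line for the config file in $1 (prints nothing when clean).
check_rsyslog_tls_conf() {
    body=$(strip_comments "$1")
    gtls=$(count_matches '^\$DefaultNetstreamDriver[[:space:]]*gtls' "$body")
    tlsmode=$(count_matches '^\$ActionSendStreamDriverMode[[:space:]]*1' "$body")
    cafile=$(count_matches '^\$DefaultNetstreamDriverCAFile[[:space:]]' "$body")
    peer=$(count_matches '^\$ActionSendStreamDriverPermittedPeer[[:space:]]' "$body")
    authmode=$(printf '%s\n' "$body" | awk 'tolower($1)=="$actionsendstreamdriverauthmode" {print $2}')
    # "@host" forwards over UDP, "@@host" over TCP; TLS only exists on the TCP path.
    udp=$(count_matches '[[:space:]]@[^@]' "$body")
    tcp=$(count_matches '[[:space:]]@@' "$body")

    if [ "$gtls" -gt 0 ] && [ "$tlsmode" -gt 0 ]; then
        [ "$udp" -gt 0 ] && echo "UDP action ('@host') found: gtls with mode 1 has no effect over UDP; use '@@host'"
        [ "$tcp" -eq 0 ] && echo "no TCP action ('@@host') found: the gtls driver is never used"
    fi
    case "$authmode" in
        x509/name|x509/certvalid)
            [ "$cafile" -eq 0 ] && echo "AuthMode $authmode needs \$DefaultNetstreamDriverCAFile to verify the server; it is missing or commented out"
            ;;
    esac
    [ "$authmode" = "x509/name" ] && [ "$peer" -eq 0 ] && echo "AuthMode x509/name needs \$ActionSendStreamDriverPermittedPeer"
    return 0
}

# Constructed sample: the posted client config reduced to its TLS-relevant lines.
# $1 = output file, $2 = "udp" (as posted) or "tcp" (corrected).
write_sample_conf() {
    case "$2" in
        tcp) cafile='$DefaultNetstreamDriverCAFile /etc/certs/ca.pem'; target='*.* @@logserver' ;;
        *)   cafile='#$DefaultNetstreamDriverCAFile /etc/certs/ca.pem'; target='*.* @logserver' ;;
    esac
    cat >"$1" <<EOF
\$ModLoad imuxsock.so
\$DefaultNetstreamDriver gtls
$cafile
\$DefaultNetstreamDriverCertFile /etc/certs/rsyslogclient-cert.pem
\$DefaultNetstreamDriverKeyFile /etc/certs/rsyslogclient-key.pem
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer logserver.gci.igmg
\$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
*.info;mail.none;authpriv.none;cron.none -/var/log/messages
$target
EOF
}

# Usage: lint the "as posted" config (three findings), then the corrected one (none).
for variant in udp tcp; do
    f=$(mktemp)
    write_sample_conf "$f" "$variant"
    echo "== $variant =="
    check_rsyslog_tls_conf "$f"
    rm -f "$f"
done
```

The lint deliberately strips comments before matching, so a CA line that is present but commented out (as in the posted config) is reported the same way as one that is absent.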

Re: TLS fails to start on the client side...

Postby martin_pg on Mon Oct 06, 2008 11:40 am

Hi again,

sorry for the UDP thing. My bad.
This time TCP was used.


Martin
Attachment: rsyslog-client_debugFile_TCP.zip (output of rsyslogd -c 3 -dn under TCP, 13.36 KiB)
