Configuring Rsyslog TCP/TLS

Post by gsmith » Tue Dec 05, 2017 3:35 am

Hello All,
Having trouble with Rsyslog TLS/SSL configuration on Linux clients sending messages to a Graylog server with certificates.

Total of 6 CentOS 7.3 Servers minimal install.
3 Servers with Graylog version 2.3 and Mongo version 3.4 ‘Clustered’
3 Servers with Elasticsearch 5.6.4 ‘Clustered’

Client Rsyslog Version;

To Summarize;
Created an Input on Graylog called Linux-TCP, using TLS cert, key, and password configuration.
Transferred Certificates using SCP from Graylog Server to a remote Linux server.
Certificates are placed in /etc/pki/rsyslog/ directory on remote Linux server.

Configure Remote Linux Server rsyslog.conf as;
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

$DefaultNetstreamDriver gtls

#certificate files
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/graylog-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/graylog-key.pem

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode

#remote host is: name/ip:port, e.g., port optional
*.* @@FQDN:6514

Restarted Rsyslog Service
No Messages came through Linux-TCP Input

Rsyslog Status error “unexpected GnuTLS error -24 in nsd_gtls.c:205: Decryption has failed.”.
I checked permissions on the certificates and directories.
I went as far as giving everyone access to the certs and directories; no joy.
Do I need to make certs on the remote Linux server, then transfer them to the Graylog server?
Looking for a way on the remote Linux server to read the Graylog certs. I think that is where the problem is located, but I’m unsure. If so, how do I get rsyslog to read these certs?

NOTE: I tried just using a TCP connection without certs; no problems occurred, messages came through.
More Details are found here; ... log/3261/7

Any other Ideas would be appreciated.
Thanks in advance
Posts: 1
Joined: Tue Dec 05, 2017 2:07 am
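
The post says the Graylog input was set up with a cert, key and password and that the same files were copied to the client, while the rsyslog.conf shown supplies no passphrase. The script below is an added example, not part of the original post or of rsyslog: it reports what each `$DefaultNetstreamDriver*File` directive actually points at. The function names and the sample files, including the passphrase-protected key, are constructed for illustration.

```sh
#!/bin/sh
# Classify a PEM file from its header lines only; key material is never parsed.
pem_kind() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-key      # PKCS#8 or traditional OpenSSL passphrase-protected key
    elif grep -Eq -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then
        echo plain-key
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    else
        echo unknown
    fi
}

# Report what each $DefaultNetstreamDriver*File directive in a legacy-format
# rsyslog.conf actually points at, one finding per line.
check_rsyslog_tls() {
    for pair in CAFile:certificate CertFile:certificate KeyFile:plain-key; do
        name=${pair%%:*}; want=${pair#*:}
        pem=$(awk -v d="\$DefaultNetstreamDriver$name" '$1 == d { print $2; exit }' "$1")
        if [ -z "$pem" ]; then
            echo "$name: directive missing"
            continue
        fi
        got=$(pem_kind "$pem")
        if [ "$got" = "$want" ]; then
            echo "$name: ok ($got)"
        else
            echo "$name: expected $want, found $got in $pem"
        fi
    done
}

# Constructed sample: PEM header lines with placeholder bodies, in a temp dir.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' > "$d/cert.pem"
    cp "$d/cert.pem" "$d/graylog-cert.pem"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDER' > "$d/graylog-key.pem"
    printf '%s\n' "\$DefaultNetstreamDriverCAFile $d/cert.pem" \
        "\$DefaultNetstreamDriverCertFile $d/graylog-cert.pem" \
        "\$DefaultNetstreamDriverKeyFile $d/graylog-key.pem" > "$d/rsyslog.conf"
    echo "$d"
}

sample=$(make_sample)
check_rsyslog_tls "$sample/rsyslog.conf"
rm -rf "$sample"
```

On a real client, run `check_rsyslog_tls /etc/rsyslog.conf` as the user rsyslog runs as, so that `unreadable` reflects the permissions the daemon actually has.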
