Configuring Rsyslog TCP/TLS

Postby gsmith » Tue Dec 05, 2017 3:35 am

Hello All,
Having trouble with the rsyslog TLS/SSL configuration on Linux clients sending messages to a Graylog server with certificates.

Environment:
Total of 6 CentOS 7.3 servers, minimal install.
3 servers with Graylog version 2.3 and Mongo version 3.4 (clustered)
3 servers with Elasticsearch 5.6.4 (clustered)

Client rsyslog version:
rsyslog-8.24.0-12.el7.x86_64

To summarize:
Created an input on Graylog called Linux-TCP, using the TLS cert, key, and password configuration.
Transferred the certificates using SCP from the Graylog server to a remote Linux server.
The certificates are placed in the /etc/pki/rsyslog/ directory on the remote Linux server.

Configured the remote Linux server's rsyslog.conf as:
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

#driver
$DefaultNetstreamDriver gtls

#certificate files
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/graylog-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/graylog-key.pem

#actions
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer lab-graylog-001.nseva-labs.net
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode

#remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@FQDN:6514

Restarted the rsyslog service.
No messages came through the Linux-TCP input.

The rsyslog status shows the error "unexpected GnuTLS error -24 in nsd_gtls.c:205: Decryption has failed.".
I checked the permissions on the certificates and directories.
I went as far as giving everyone access to the certs and directories, no joy.
Do I need to make certs on the remote Linux server, then transfer them to the Graylog server?
I am looking for a way on the remote Linux server to read the Graylog certs; I think that is where the problem is located, but I'm unsure. If so, how do I get rsyslog to read these certs?

NOTE: I tried just using a TCP connection without certs; no problems occurred, messages came through.
More details are found here:
https://community.graylog.org/t/configu ... log/3261/7

Any other ideas would be appreciated.
Thanks in advance,
gsmith
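The offline checks a practitioner would run on the client before restarting rsyslog, as an added example that is not part of the original post and not rsyslog or Graylog tooling. It verifies that the file given as $DefaultNetstreamDriverCAFile really is a CA certificate (CA:TRUE), that the CertFile and KeyFile belong to each other, that the CertFile chains to that CA, and that a given name appears as the CN or a DNS SAN of the certificate (the names an x509/name peer check compares against). All function names, the throwaway demo CA, the DNS name lab-client-001.example.net and the file names are assumptions constructed for this example; with no arguments the script exercises the checks against its own throwaway PKI, with three or four arguments it checks the files you name.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the three files a
# gtls client points at. Names and paths below are assumptions for the demo.
set -u
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# 0 if FILE carries the CA:TRUE basic constraint, i.e. can serve as the
# CAFile. A server or client leaf certificate does not.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 if KEY is the private key for CERT: the public key embedded in the
# certificate must equal the public half of the key file.
cert_matches_key() {
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    cmk_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cmk_cert" ] && [ "$cmk_cert" = "$cmk_key" ]
}

# 0 if CERT verifies against CA, which is the check the peer performs on it.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if NAME is the CN or a DNS SAN of CERT (what an x509/name peer check
# compares against the configured permitted peer).
cert_has_name() {
    chn_pat="(CN ?= ?|DNS:)$2([,/ ]|\$)"
    openssl x509 -in "$1" -noout -subject -text 2>/dev/null | grep -Eq "$chn_pat"
}

# Run every check, print one FAIL line per problem, return nonzero on any.
# Usage: check_rsyslog_certs CA_FILE CERT_FILE KEY_FILE [NAME_IN_CERT]
check_rsyslog_certs() {
    crc_ca=$1; crc_cert=$2; crc_key=$3; crc_name=${4:-}; crc_rc=0
    is_ca_cert "$crc_ca" || { echo "FAIL: $crc_ca is not a CA certificate (no CA:TRUE)"; crc_rc=1; }
    cert_matches_key "$crc_cert" "$crc_key" || { echo "FAIL: $crc_key is not the private key for $crc_cert"; crc_rc=1; }
    cert_chains_to_ca "$crc_ca" "$crc_cert" || { echo "FAIL: $crc_cert does not chain to $crc_ca"; crc_rc=1; }
    if [ -n "$crc_name" ] && ! cert_has_name "$crc_cert" "$crc_name"; then
        echo "FAIL: $crc_name is neither the CN nor a DNS SAN of $crc_cert"; crc_rc=1
    fi
    return $crc_rc
}

# Throwaway CA plus one client certificate so the checks can run offline.
# Everything generated here is constructed for the demo.
make_demo_pki() {
    mdp_d=$1
    cat > "$mdp_d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:lab-client-001.example.net
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -config "$mdp_d/demo.cnf" -extensions ca_ext \
        -keyout "$mdp_d/ca-key.pem" -out "$mdp_d/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=lab-client-001.example.net" \
        -config "$mdp_d/demo.cnf" \
        -keyout "$mdp_d/client-key.pem" -out "$mdp_d/client.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$mdp_d/client.csr" -CA "$mdp_d/ca.pem" \
        -CAkey "$mdp_d/ca-key.pem" -CAcreateserial \
        -extfile "$mdp_d/demo.cnf" -extensions leaf_ext \
        -out "$mdp_d/client.pem" >/dev/null 2>&1
    # A key that belongs to no certificate, to show the mismatch case.
    openssl genrsa -out "$mdp_d/other-key.pem" 2048 >/dev/null 2>&1
}

if [ $# -ge 3 ]; then
    # e.g. sh check.sh /etc/pki/rsyslog/ca.pem /etc/pki/rsyslog/client.pem \
    #        /etc/pki/rsyslog/client-key.pem lab-client-001.example.net
    check_rsyslog_certs "$@"
else
    demo_dir=$(mktemp -d)
    make_demo_pki "$demo_dir"
    echo "matching files:"
    check_rsyslog_certs "$demo_dir/ca.pem" "$demo_dir/client.pem" "$demo_dir/client-key.pem" lab-client-001.example.net && echo "OK"
    echo "leaf certificate used as CA file, and a foreign key:"
    check_rsyslog_certs "$demo_dir/client.pem" "$demo_dir/client.pem" "$demo_dir/other-key.pem" || echo "rejected"
    rm -rf "$demo_dir"
fi
```

Once all four checks pass on the client, the next step is a live handshake from the same host with the same three files, for example `openssl s_client -connect HOST:6514 -CAfile CA_FILE -cert CERT_FILE -key KEY_FILE`, which reports the server's certificate chain and verify result before rsyslog is involved.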
