I have been trying to get rsyslog to transmit through TLS with no luck so far.
There seems to be something wrong with my configuration, but I cannot pinpoint it.
This is my server conf file:
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability
$ModLoad imgssapi # provides GSSAPI syslog reception
# make gtls driver the default (must be set before the TCP listener is started)
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
# specify senders you permit to access
$AllowedSender TCP, 127.0.0.1, 10.111.1.0/24, *.evoltek.test.com
# $InputTCPServerRun starts the listener with whatever settings are in effect at
# this point, so it must come after the driver, mode and auth directives above
$InputTCPServerRun 10514
#add: define logfiles
## /var/log/secure
$template Auth_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.secure"
## /var/log/messages
$template Msg_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.messages"
## /var/log/maillog
$template Mail_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.maillog"
## /var/log/cron
$template Cron_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.cron"
## /var/log/spooler
$template Spool_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.spooler"
## /var/log/boot.log
$template Boot_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.boot.log"
## emergency messages "*.emerg"
$template Emerg_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.emerg"
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -?Msg_log
# The authpriv file has restricted access.
authpriv.* -?Auth_log
# Log all the mail messages in one place.
mail.* -?Mail_log
# Log cron stuff
cron.* -?Cron_log
# Everybody gets emergency messages
*.emerg -?Emerg_log
# Save news errors of level crit and higher in a special file.
uucp,news.crit -?Spool_log
# Save boot messages also to boot.log
local7.* -?Boot_log
And this is my client conf file:
# rsyslog v5 configuration file
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
*.* @@10.111.1.151:10514
I have created the certificates following this guide: http://kb.kristianreese.com/index.php?View=entry&EntryID=148
My testing environment does not have FQDNs, so I have left the DN and FQDN fields blank and filled in the IP field.
Best Answer
Rsyslog 5.8 with CentOS 6.9 works for me
Here is a video tutorial: https://youtu.be/eb9GlhD8XnY
Create the certificates on the CA (certificate authority)
Install gnutls-utils
Generate CA private key (PROTECT THIS KEY!)
Generate CA public key
Create SERVER's private key on the CA (certificate authority)
Create the certificate request for SERVER
Sign SERVER key and allow the key pair to be trusted by the other servers
Create CLIENT private key on the CA (certificate authority)
Create certificate request for CLIENT
Sign CLIENT key and allow the key pair to be trusted by the other servers
Delete request keys
Scp SERVER private/key and the CA.pem to SERVER.EXAMPLE.COM. Copy the certificates with scp or an encrypted USB drive.
Scp CLIENT private/key and the CA.pem to CLIENT.EXAMPLE.COM
Install the gtls driver on SERVER and CLIENT
Configure SERVER
Open port 6514 on your firewall
Restart the rsyslog daemon
Configure CLIENT
Restart the rsyslog daemon
To test on SERVER, run tcpdump and send logs from the CLIENT
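The certificate steps of this answer (CA key and cert, SERVER and CLIENT keys, requests, signed certs, request cleanup), scripted with certtool templates so they run without the interactive prompts. This is an added example, not the answer's own commands or the linked guide; the host names, organisation and serial numbers are placeholders, and the output file names follow the rslserver-*/rslclient-* paths used in the question.

```shell
#!/bin/sh
# Added example: non-interactive certtool (gnutls-utils) run that produces a CA,
# a server cert and a client cert in one directory. Names below are placeholders.
make_rsyslog_certs() {
    out="$1"; mkdir -p "$out" && cd "$out" || return 1

    # CA template: marks the key as a CA that may sign other certificates.
    cat > ca.tmpl <<'EOF'
cn = "Example syslog CA"
organization = "Example Org"
serial = 1
expiration_days = 3650
ca
cert_signing_key
EOF
    certtool --generate-privkey --bits 2048 --outfile ca-key.pem
    certtool --generate-self-signed --load-privkey ca-key.pem \
             --template ca.tmpl --outfile ca-cert.pem

    # One end-entity cert per host. dns_name is what the peer compares against a
    # PermittedPeer in x509/name mode (anon mode, as in the question, ignores it);
    # with no FQDN, certtool also accepts ip_address = "10.111.1.151" in the template.
    n=2
    for host in server client; do
        n=$((n + 1))
        cat > "$host.tmpl" <<EOF
cn = "$host.example.com"
organization = "Example Org"
dns_name = "$host.example.com"
serial = $n
expiration_days = 365
tls_www_server
tls_www_client
signing_key
encryption_key
EOF
        certtool --generate-privkey --bits 2048 --outfile "rsl$host-key.pem"
        certtool --generate-request --load-privkey "rsl$host-key.pem" \
                 --template "$host.tmpl" --outfile "rsl$host-req.pem"
        certtool --generate-certificate --load-request "rsl$host-req.pem" \
                 --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
                 --template "$host.tmpl" --outfile "rsl$host-cert.pem"
        rm -f "rsl$host-req.pem"      # the answer's "delete request keys" step
    done
    chmod 600 ca-key.pem rslserver-key.pem rslclient-key.pem   # keep private keys private
    cd - >/dev/null
}
[ "$#" -eq 0 ] || make_rsyslog_certs "$@"
```

Run it as `sh make-certs.sh /tmp/rsyslog-pki`, then copy ca-cert.pem plus the matching key/cert pair to each host and keep ca-key.pem on the CA only.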