Rsyslog TLS on AIX

aixelkgnutlsrsyslogtls

I am trying to forward logs with rsyslog (8.4.2) on AIX 7.1 and I need to encrypt with TLS. However it seems I need rsyslog-gnutls package. I can't seem to find this package anywhere for AIX. Best I could find is http://www.oss4aix.org/download/RPMS/rsyslog/ and that is for rsyslog version 5. I really don't want to downgrade. Can anyone point me to where I can get this installed? Or any alternative solutions.

Any help is appreciated

Best Answer

You can find the link to the download you are looking for here:

http://www-01.ibm.com/support/docview.wss?uid=isg3T1019934

You will need to create a IBM ID if you don't have one already to login. I logged in and the version you are looking for is available (V 8.4.2.0).

Related Solutions

Ubuntu – way to make TLS work with rsyslog in Ubuntu 12.04

The error page for 2078, which is mentioned in the error but not the number in the printed link, says:

This message occurs with TLS netstream driver. For TLS, certificates (.pem files) are needed to provide security credentials. This error is issued if there is a problem with these files. The message contains a more precise error description. That error text is taken directly from the underlying TLS library.

A common cause is that the file can not be found or accessed (permissions!). In that case, a rsyslogd-2040 error will follow.

Further, if you check /usr/lib/rsyslog/ and lmnsd_gtls.so really does not exist, it points at rsyslog-gnutls possibly not being installed.

Centos – Rsyslog through TLS

Rsyslog 5.8 with Centos 6.9 works for me

Here is a video tutorial: https://youtu.be/eb9GlhD8XnY

Create the certificates on the CA (certificate authority)

sudo mkidr /etc/ssl/rsyslog/   
cd /etc/ssl/rsyslog/

Install gnutls-utils

sudo yum install -y gnutls-utils

Generate CA private key (PROTECT THIS KEY!)

sudo certtool --generate-privkey --outfile CA-key.pem
sudo chmod 400 CA-key.pem

Generate CA public key

sudo certtool --generate-self-signed --load-privkey CA-key.pem --outfile CA.pem

Common name: CA.EXAMPLE.COM
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (Y/N): y
Will the certificate be used to sign other certificates? (Y/N): y
Will the certificate be used to sign CRLs? (y/N): y

Create SERVERS private key on the CA (certificate authority)

sudo certtool --generate-privkey --outfile SERVER-key.pem --bits 2048

Create the certificate request for SERVER

sudo certtool --generate-request --load-privkey SERVER-key.pem --outfile SERVER-request.pem 

Common name: SERVER.EXAMPLE.COM

Sign SERVER key and allow the key pair to be trusted by the other servers

sudo certtool --generate-certificate --load-request SERVER-request.pem --outfile SERVER-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem

The certificate will expire in (days): 1000
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: SERVER.EXAMPLE.COM

Create CLIENT private key on the CA (certificate authority)

sudo certtool --generate-privkey --outfile CLIENT-key.pem --bits 2048

Create certificate request for CLIENT

sudo certtool --generate-request --load-privkey CLIENT-key.pem --outfile CLIENT-request.pem 

Common name: CLIENT.EXAMPLE.ORG

Sign CLIENT key and allow the key pair to be trusted by the other servers

sudo certtool --generate-certificate --load-request CLIENT-request.pem --outfile CLIENT-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem

The certificate will expire in (days): 1000
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: CLIENT.EXAMPLE.ORG

Delete request keys

sudo rm *-request.pem

Scp SERVER private/key and the CA.pem to SERVER.EXAMPLE.COM Copy the certificates with scp or a USB encrypted

sudo -u root scp -i ~/.ssh/id_rsa CA.pem SERVER-* root@172.16.9.30:/etc/ssl/rsyslog/

Scp CLIENT private/key and the CA.pem to CLIENT.EXAMPLE.COM

sudo -u root scp -i ~/.ssh/id_rsa CA.pem CLIENT-* root@172.16.9.40:/etc/ssl/rsyslog/

Install the gtls driver on SERVER and CLIENT

sudo yum install rsyslog-gnutls -y

Configure SERVER

sudo vi /etc/rsyslog.d/rsyslog-tls.conf

# Add
# Listen for TCP
$ModLoad imtcp
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/SERVER-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/SERVER-key.pem
# Auth mode
$InputTCPServerStreamDriverAuthMode x509/name
# Only allow EXAMPLE.COM domain
$InputTCPServerStreamDriverPermittedPeer *.EXAMPLE.COM
# Only use TLS
$InputTCPServerStreamDriverMode 1 
# Listen on port 6514
# If you want to use other port configure selinux
$InputTCPServerRun 6514

Open port 6514 on your firewall

sudo vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 6514 -j ACCEPT

sudo /etc/init.d/iptables reload

Restart the rsyslog daemon

sudo /etc/init.d/rsyslog restart

Configure CLIENT

sudo vi /etc/rsyslog.d/rsyslog-tls.conf

# Add
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/CLIENT-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/CLIENT-key.pem
# Auth mode
$ActionSendStreamDriverAuthMode x509/name
# Only send log to SERVER.EXAMPLE.COM host
$ActionSendStreamDriverPermittedPeer SERVER.EXAMPLE.COM
# Only use TLS
$ActionSendStreamDriverMode 1
# Forward everithing to SERVER.EXAMPLE.COM
# If you use hostnames instead of IP configure DNS or /etc/hosts
*.* @@SERVER.EXAMPLE.COM:6514

Restart the rsyslog daemon

sudo /etc/init.d/rsyslog restart

To test on SERVER, run tcpdump and send logs from the CLIENT

sudo yum install tcpdump -y
sudo tcpdump -i eth0 tcp port 6514 -X -s 0 -nn

Best Answer

Related Solutions

Ubuntu – way to make TLS work with rsyslog in Ubuntu 12.04

Centos – Rsyslog through TLS

Related Topic