rsyslog starttls ssl


I'm trying to test a setup of rsyslog that uses ssl. I'm (perhaps mis)-understanding that if I use starttls for the ssl traffic, I should be able to receive both ssl and plain syslog traffic on the same tcp port as the ssl session is negotiated if, as, and when needed.

However, I have a testbed plaintext syslog client and a testbed ssl syslog client, but I'm unable to make this occur. I can get traffic from either depending on the setting of $InputTCPServerDriverMode being 0 or 1, but not both at once.

So really I'm asking: Is this even possible? If so, what's the rsyslog config syntax to achieve it?

I understood that rsyslog could work with starttls, but now I'm starting to doubt it.

The server config looks a bit like this currently:

$ModLoad imuxsock
$ModLoad imklog
$ModLoad imtcp.so
$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /root/syslog-ca-cert.crt
$DefaultNetstreamDriverCertFile /root/syslog-server-cert.crt
$DefaultNetstreamDriverKeyFile /root/syslog-server-key.key

$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/certvalid
$InputTCPServerRun 514

Best Answer

According to rsyslog's documentation, the gtls driver supports EITHER unencrypted transmission just like the ptcp driver does, with InputTCPServerStreamDriverMode set to 0, or TLS mode with it set to 1.

It also states:

Note: mode 0 does not provide any benefit over the ptcp driver. This mode exists for technical reasons, but should not be used. It may be removed in the future.

Thus it appears you have to choose encrypted or not encrypted, at least for a particular IP address+port combination. So you will have to set up two ports, one using the ptcp driver and one with the gtls driver. Or, if every system you have logging supports encryption, only use encrypted syslog connections.
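The two-listener layout the answer describes, written out as an added example in rsyslog's RainerScript syntax (this is not the answerer's config or an rsyslog project file). It reuses the certificate paths from the question; the choice of 6514 for the TLS listener (the IANA syslog-over-TLS port) and the decision to keep TLS on imtcp while imptcp handles plaintext are assumptions of this example.

```conf
# Plaintext and TLS syslog on separate ports (added example).
# imtcp's stream driver mode is module-wide, so plaintext goes to imptcp
# instead of running gtls in mode 0, which the documentation says not to use.

module(load="imuxsock")
module(load="imklog")

# Certificate material, taken from the question's config
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/root/syslog-ca-cert.crt"
  DefaultNetstreamDriverCertFile="/root/syslog-server-cert.crt"
  DefaultNetstreamDriverKeyFile="/root/syslog-server-key.key"
)

# Plain TCP listener for clients that cannot do TLS
module(load="imptcp")
input(type="imptcp" port="514")

# TLS-only listener: mode 1 = TLS, clients must present a cert
# signed by the CA above (x509/certvalid).
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/certvalid")
input(type="imtcp" port="6514")   # 6514 is an assumed choice

# Keep unauthenticated plaintext out of the rest of the ruleset:
# write what arrives on 514 to its own file and stop processing it.
if ($inputname == "imptcp") then {
  action(type="omfile" file="/var/log/remote-plaintext.log")
  stop
}
```

Restricting plaintext to a separate file as shown makes it easy to see which hosts still have not migrated, and once none remain the imptcp input can be removed so only the TLS port stays open.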