rsyslog: Configure TLS/SSL

Hi,

When setting up a remote syslog server, TLS encryption is strongly recommended.

First of all, install rsyslog TLS support.

root@debdev ~ # apt install rsyslog-gnutls

Order a certificate for your host or, for testing purposes, use a self-signed certificate. In this example I used a self-signed certificate, so the CA file and the cert file are the same.

Create a config file /etc/rsyslog.d/tls.conf:

# make gtls driver the default and set certificate files
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/root/myCert.pem"
    DefaultNetstreamDriverCertFile="/root/myCert.pem"
    DefaultNetstreamDriverKeyFile="/root/myKey.key"
)

# load TCP listener
# Mode "1" = TLS-only; Authmode "anon" = clients are not authenticated by certificate
module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.Authmode="anon"
)

# start up listener at port 6514
input(
    type="imtcp"
    port="6514"
)

To restrict rsyslog to an IP range, use the $AllowedSender parameter:

$AllowedSender TCP,10.250.10.0/24

To write a separate log file for each remote host, create a folder,

root@debdev ~ # mkdir -p /var/log/remote

define a template, and add a rule that writes to it:

$template remote-logs, "/var/log/remote/%HOSTNAME%.log"
*.* ?remote-logs

Michael
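
The sending side for the listener configured above, as an added example that is not part of the original post. The file name, the CA file path and the host name logserver.example.com are assumptions; the client trusts the server's certificate and verifies its name, and presents no certificate of its own because the server uses Authmode "anon".

```conf
# /etc/rsyslog.d/forward-tls.conf on the sending host (file name is an assumption)

# Trust anchor only: no CertFile/KeyFile, because the server above runs with
# StreamDriver.Authmode="anon" and does not ask clients for a certificate.
global(
    DefaultNetstreamDriver="gtls"
    # Copy of the server's self-signed certificate (or of the issuing CA);
    # the path is an assumption. Never copy the server's private key.
    DefaultNetstreamDriverCAFile="/etc/ssl/certs/myCert.pem"
)

# Forward all messages to the TLS listener on port 6514
action(
    type="omfwd"
    # placeholder host name, must match a name in the server certificate
    target="logserver.example.com"
    port="6514"
    protocol="tcp"
    StreamDriver="gtls"
    # TLS only, no plain-text fallback
    StreamDriverMode="1"
    # check the certificate chain and the peer name, not just encrypt
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="logserver.example.com"
    # buffer to disk while the server is unreachable instead of dropping logs
    queue.type="LinkedList"
    queue.filename="fwd_tls"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)
```

With x509/name the connection is refused when the server certificate is not signed by the configured CA file or carries a different name, so a self-signed test certificate has to be issued for the host name the clients use.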

5 thoughts on “rsyslog: Configure TLS/SSL”

  1. Hi,
    I have used your example to configure my rsyslog server using TCP/TLS. Configuration validation looks okay, but when I tried to validate the rsyslog listener by using the openssl s_client command I got an error; it looks like the certificate has not been loaded. Any idea what could be the problem?
    🙁
    [root@nsma2012-cb1143-1-clcm-01 ~]# openssl s_client -connect 100.73.145.22:3514
    CONNECTED(00000003)
    140029878425488:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

    no peer certificate available

    No client certificate CA names sent

    SSL handshake has read 0 bytes and written 289 bytes

    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    …..

    1. The client doesn’t need a certificate. But the client must trust the root CA (and the intermediate CA, if used) of the rsyslog server certificate.

      Michael
