Secure sending via rsyslog

Rsyslog is the default syslog package that is commonly used by Linux distributions.

  • It usually consists of a configuration file (/etc/rsyslog.conf) and a directory (/etc/rsyslog.d/) to store the filters and templates for processing rsyslog rules in a structured form and separated by files.
  • The use of SSL/TLS is supported by rsyslog in version 3.19.0 and later.
  • Rsyslog allows for the following three levels of SSL/TLS channel security:
    • Encrypted channel: The transportation channel is encrypted, no additional verification is performed.
    • Encrypted channel + peer checking: The transportation channel is encrypted and the server certificate is used for authentication. Rsyslog must have the certificate verification chain (CA + sub-CAs) in order to perform the validation.
    • Encrypted channel + peer checking + client authentication: The transportation channel is encrypted, the server certificate is used for authentication, and a client certificate is used to authenticate the user. Rsyslog must have access to the client certificate's public and private keys.
  • Devo only accepts logs over a secure channel at the third level: an SSL/TLS channel with peer checking and a client certificate is obligatory.

This article describes how to manually configure rsyslog to send events to Devo using an encrypted and authenticated channel. See Sending via rsyslog and File monitoring via rsyslog for more information.

For the primary Linux distributions, this configuration can be done automatically.

Note that SSL/TLS does not work correctly in Ubuntu 12.

Configuration

In order to use SSL/TLS with rsyslog, you need to install the rsyslog-gnutls package.

Environments .DEB: apt-get install rsyslog-gnutls
Environments .RPM: yum install rsyslog-gnutls

However, the rsyslog-gnutls package is no longer required for Ubuntu systems running rsyslog 8.2 stable (or later). If you are running rsyslog 8.2 stable or later, you should skip this step. To check your version of rsyslog, run this command:

rsyslogd -version

The only difference from a normal rsyslog configuration with TCP sending is that you need to add the following lines just before the line that indicates the log destination:

  • For EU 

    # Enable rsyslog SSL/TLS mode
    $DefaultNetstreamDriver gtls # use gtls netstream driver
    $DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA
    $DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key
    $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key # User private key
    $ActionSendStreamDriverMode 1 # require TLS for the connection
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer eu.elb.relay.logtrust.net
  • For USA 

    # Enable rsyslog SSL/TLS mode
    $DefaultNetstreamDriver gtls # use gtls netstream driver
    $DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA
    $DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key
    $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key # User private key
    $ActionSendStreamDriverMode 1 # require TLS for the connection
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer us.elb.relay.logtrust.net
  • For VDC / Spain

    # Enable rsyslog SSL/TLS mode
    $DefaultNetstreamDriver gtls # use gtls netstream driver
    $DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA
    $DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key
    $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key # User private key
    $ActionSendStreamDriverMode 1 # require TLS for the connection
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer es.elb.relay.logtrust.net
  • You can obtain the ca.crt, user.crt and user.key files in Administration → Relays → X.509 Certificates in the Devo web application and store them in /etc/rsyslog.d.
  • Restrict the access permissions on these files to root and the syslog group (mode 640), so that only rsyslog can read the private key:

    cd /etc/rsyslog.d/; chmod 640 ca.crt user.crt user.key; chown :syslog ca.crt user.crt user.key
    
    -rw-r----- 1 root syslog 2090 Oct 24 13:02 ca.crt
    -rw-r----- 1 root syslog 1529 Oct 24 13:18 user.crt
    -rw-r----- 1 root syslog 1675 Oct 24 13:18 user.key

To send all internal system logs securely, the configuration would be as follows:

/etc/rsyslog.d/49-logtrust.conf

$template boxunix,"<%PRI%>%timegenerated% %HOSTNAME% box.unix.%syslogtag%%msg%"

#ActionQueue section
$ActionQueueType                LinkedList
$ActionQueueFileName            ltboxq1
$ActionResumeRetryCount         -1
$ActionQueueSaveOnShutdown      on

# Enable rsyslog SSL/TLS mode
$DefaultNetstreamDriver gtls # use gtls netstream driver
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key # User private key
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer collector

*.*    @@DEVO-RELAY:PORT;boxunix

To send the Apache logs securely, the configuration would be as follows:

/etc/rsyslog.d/45-apache.conf file monitoring example

$template apache,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"

# File1 access
$InputFileName /var/log/apache2/access.log
$InputFileTag web.apache.access-combined.pro.webFoobar.www1:
$InputFileStateFile stat-file1-ApacheAccess
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# File2 access
$InputFileName /var/log/apache2/ssl_access.log
$InputFileTag web.apache.access-combined.pro.webFoobar-ssl.www1:
$InputFileStateFile stat-file2-ApacheAccess
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# File1 Error
$InputFileName /var/log/apache2/error.log
$InputFileTag web.apache.error.pro.webFoobar.www1:  
$InputFileStateFile stat-file1-ApacheError
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# File2 Error
$InputFileName /var/log/apache2/ssl_error.log
$InputFileTag web.apache.error.pro.webFoobar-ssl.www1:  
$InputFileStateFile stat-file2-ApacheError
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# Enable rsyslog SSL/TLS mode
$DefaultNetstreamDriver gtls # use gtls netstream driver
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key # User private key
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer collector

if $syslogtag contains 'web.apache.' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;apache
:syslogtag, contains, "web.apache." ~
  • You must add this section just before the send statement ("@@DEVO-RELAY:PORT") of each log you want to send securely; directives that appear after the send statement do not apply to it.
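A small lint for that ordering requirement, added here as an example (not Devo's or rsyslog's own code): it walks a legacy-format rsyslog config top to bottom and reports every TCP send action (@@host:port) that is not preceded by the full TLS block, or whose block has been weakened (mode 0, anonymous auth, no PermittedPeer). It only understands the '$' directive style used in this article and assumes no '#' appears inside template strings.

```python
import re

# Directives from the article and the values that enforce an encrypted, mutually
# authenticated channel: mode 1 = require TLS, x509/name = verify the relay's name.
REQUIRED = {
    "$DefaultNetstreamDriver": "gtls",
    "$ActionSendStreamDriverMode": "1",
    "$ActionSendStreamDriverAuthMode": "x509/name",
}
CERT_FILES = ("$DefaultNetstreamDriverCAFile", "$DefaultNetstreamDriverCertFile",
              "$DefaultNetstreamDriverKeyFile")
SEND_RE = re.compile(r"@@\S+")  # TCP forwarding target, e.g. @@DEVO-RELAY:PORT;boxunix


def lint_rsyslog_tls(config_text):
    """Return a list of findings; an empty list means every send action is protected."""
    findings = []
    seen = {}  # directive -> value in effect at the current line (config is read top-down)
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments such as "# Devo CA"
        if line.startswith("$"):
            parts = line.split(None, 1)
            seen[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        elif SEND_RE.search(line):
            # A send action: every TLS directive must already have been set above it.
            for directive, want in REQUIRED.items():
                got = seen.get(directive)
                if got is None:
                    findings.append(f"line {lineno}: {directive} not set before send action")
                elif got != want:
                    findings.append(f"line {lineno}: {directive} is {got!r}, expected {want!r}")
            for directive in CERT_FILES:
                if not seen.get(directive):
                    findings.append(f"line {lineno}: {directive} missing, no certificate material")
            if not seen.get("$ActionSendStreamDriverPermittedPeer"):
                findings.append(f"line {lineno}: no PermittedPeer, relay identity is not pinned")
    return findings


# Constructed sample mirroring the article's 49-logtrust.conf (placeholders kept as-is).
SECURE_EXAMPLE = """\
$DefaultNetstreamDriver gtls # use gtls netstream driver
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer collector
*.*    @@DEVO-RELAY:PORT;boxunix
"""
```

Run it against the real /etc/rsyslog.d/*.conf contents before restarting rsyslog; any finding means that send action would go out unprotected or with the relay unverified.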

Finally, restart rsyslog:

/etc/init.d/rsyslog restart

To make sure that the events are being forwarded, you can generate test messages with the logger command:

$ logger "Hello from a secure log source1"
$ logger "Hello from a secure log source2"
$ logger "Hello from a secure log source3"
$ logger "Hello from a secure log source4"
$ logger "Hello from a secure log source5"
  • In Devo, go to Data Search and look for the box.unix table to confirm that these events were received.
  • If the system has SELinux enabled in enforcing mode (run the getenforce command to check the status) it may be necessary to add exceptions to the SELinux policy. See syslog & SELinux configuration for more information.
