Secure sending using rsyslog
This article describes how to manually configure rsyslog to send events to Devo using an encrypted and authenticated channel. This is the recommended procedure when you want to forward events over the internet, directly to the Devo Cloud. The configuration files are just the same as the ones described in Simple sending using rsyslog, but with the addition of some security-related settings.
In order to use SSL/TLS with rsyslog, you need to install the rsyslog-gnutls package.
If you are running Ubuntu 8.2 stable or later, you can skip this step because you will already have this package. Run rsyslogd -version to check what version of Ubuntu you are running.
|In DEB environments:|In RPM environments:|
|apt-get install rsyslog-gnutls|yum install rsyslog-gnutls|
Download and save the certificates
Go to Administration → Credentials → X.509 Certificates in the Devo web application. Download the Certificate, Private key, and Chain CA. Save them all to /etc/rsyslog.d/ as user.crt, user.key, and ca.crt respectively; these are the file names used in the configuration below.
Restrict the access permissions to these files to the syslog user:
cd /etc/rsyslog.d/
chmod 640 ca.crt user.crt user.key
chown :syslog ca.crt user.crt user.key

The files should then be listed with the following ownership and permissions:

-rw-r----- 1 root syslog 2090 Oct 24 13:02 ca.crt
-rw-r----- 1 root syslog 1529 Oct 24 13:18 user.crt
-rw-r----- 1 root syslog 1675 Oct 24 13:18 user.key
Create the Devo configuration files
You need to create two files in the /etc/rsyslog.d/ directory. The 00-devo.conf file contains general connection settings. The 49-devo.conf file is responsible for forwarding the events to the Devo Relay.
The 00-devo.conf file
This file contains general connection settings. Create it with the following contents.
module( load="imfile" mode="inotify" )
module( load="immark" interval="60" )
module( load="imuxsock" SysSock.RateLimit.Interval="0" )

# Enable rsyslog SSL/TLS mode
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.crt"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/user.crt"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/user.key"
    workDirectory="/var/spool/rsyslog"
)
The 49-devo.conf file
Create the 49-devo.conf file in your /etc/rsyslog.d/ directory and add the following lines immediately before the final destination rule in the file.
template(
    name="box-unix"
    type="string"
    string="<%PRI%>%timegenerated% %HOSTNAME% box.unix.%syslogtag% %msg%"
)

action(
    type="omfwd"
    template="box-unix"
    queue.type="LinkedList"
    queue.filename="boxq1"
    queue.saveonshutdown="on"
    action.resumeRetryCount="-1"
    Target="xx.elb.relay.logtrust.net"
    Port="443"
    Protocol="tcp"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="xx.elb.relay.logtrust.net"
)
Again, the added/modified parameters are:
They must be
It must have the same value as
This is the host address for the Devo Cloud for the region you are using. It should be one of:
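The following POSIX sh script is an added example, not part of the Devo documentation or of rsyslog, that checks the two points a reviewer would verify before restarting the daemon: that the certificate files carry the 640 / syslog-group permissions set earlier, and that 00-devo.conf and 49-devo.conf contain the TLS settings shown above (gtls driver, StreamDriverMode 1, x509/name authentication, and StreamDriverPermittedPeers equal to Target). It assumes the /etc/rsyslog.d/ layout and file names used on this page, the syslog group, and rsyslog's own configuration-check mode (rsyslogd -N1); the RSYSLOG_D environment variable and the function names are the script's own.

```shell
#!/bin/sh
# Pre-flight checks for the rsyslog TLS forwarding setup (added example, not Devo tooling).
# Assumes the /etc/rsyslog.d/ layout and file names used above and the "syslog" group.

# Succeed only if FILE is a regular file, group-owned by GROUP, with no "other" access.
check_cert_perms() {
    file=$1
    group=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    # Parse `ls -ld` output (portable across GNU and BSD stat variants):
    # field 1 is the mode string, field 3 the owner, field 4 the group.
    set -- $(ls -ld "$file")
    mode=$1
    grp=$4
    case "$mode" in
        # 640 or stricter; a trailing @ or + only marks xattrs/ACLs
        -rw-r-----*|-rw-------*|-r--r-----*|-r--------*) ;;
        *) echo "$file: mode $mode is more permissive than 640"; return 1 ;;
    esac
    [ "$grp" = "$group" ] || { echo "$file: group is $grp, expected $group"; return 1; }
    return 0
}

# Print the value of KEY="value" from rsyslog config FILE (first occurrence, empty if absent).
conf_value() {
    # A leading space is prepended so a key at the start of a line still has a
    # non-letter character before it; this keeps StreamDriver from matching
    # DefaultNetstreamDriver or StreamDriverMode.
    sed -e 's/^/ /' "$1" | sed -n "s/.*[^A-Za-z.]$2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Verify the TLS-relevant settings in the global file (00-devo.conf) and the
# forwarding file (49-devo.conf). Reports every problem found; non-zero on any failure.
check_tls_config() {
    global=$1
    fwd=$2
    rc=0
    [ "$(conf_value "$global" DefaultNetstreamDriver)" = "gtls" ] \
        || { echo "$global: DefaultNetstreamDriver must be gtls"; rc=1; }
    [ "$(conf_value "$fwd" StreamDriverMode)" = "1" ] \
        || { echo "$fwd: StreamDriverMode must be 1 (TLS required, plaintext refused)"; rc=1; }
    [ "$(conf_value "$fwd" StreamDriverAuthMode)" = "x509/name" ] \
        || { echo "$fwd: StreamDriverAuthMode must be x509/name (anon skips server authentication)"; rc=1; }
    target=$(conf_value "$fwd" Target)
    peers=$(conf_value "$fwd" StreamDriverPermittedPeers)
    [ -n "$target" ] && [ "$target" = "$peers" ] \
        || { echo "$fwd: StreamDriverPermittedPeers ($peers) must equal Target ($target)"; rc=1; }
    return $rc
}

# Run every check against a live installation; RSYSLOG_D overrides the directory.
main() {
    dir=${RSYSLOG_D:-/etc/rsyslog.d}
    rc=0
    for f in ca.crt user.crt user.key; do
        check_cert_perms "$dir/$f" syslog || rc=1
    done
    check_tls_config "$dir/00-devo.conf" "$dir/49-devo.conf" || rc=1
    # Let rsyslog parse the whole configuration without starting (-N1 is its config-check mode).
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 || rc=1
    fi
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return $rc
}

# Invoke as:  sh rsyslog_tls_check.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

The PermittedPeers/Target comparison matters because with StreamDriverAuthMode="x509/name" rsyslog only accepts a relay whose certificate name matches StreamDriverPermittedPeers; a mismatch there, or a fallback to anon, means events would go to an unauthenticated endpoint or not be delivered at all.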
After creating and saving the new files, restart rsyslog to activate the new configuration:
With the configuration activated, rsyslog should begin to forward events to your Devo Cloud.
Test the connection
You can make sure that the events are being forwarded to the Relay by using the logger command to write testing messages to the system log.
logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"
In the Devo web application, go to Data Search. Open the box.unix data table to confirm that these logger events were forwarded and received correctly.