
I've managed to set up rsyslog to accept TLS traffic from a client's server. When I configured the certificate and the port originally, it all worked fine. The problem is that it dumps the logs into the same log file, /var/log/messages, as the other logs. Using rulesets, I'm trying to separate my client's logs into their own file.

# cat /etc/rsyslog.d/remote_client.conf

#### MODULES ####
$ModLoad imtcp

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$DefaultNetstreamDriver gtls


# NOTE(review): every "$..." line inside the block below is a legacy global
# directive, not a per-ruleset setting; wrapping them in ruleset(){} does not
# scope them to this ruleset. The answer shows the equivalent RainerScript
# form (global(...) / module(load="imtcp" ...)) where these belong.
ruleset(name="alltcp"){
# Source filter by IP/name. A hostname entry relies on DNS, so this is not a
# substitute for authenticating the client certificate.
$AllowedSender TCP, 128.x.x.x, client-hosted.client-server.com

# CA used to validate client certificates (only relevant when the input
# AuthMode is not "anon"), plus this server's own certificate and key.
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/client-ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/client.crt.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/client.key.pem

# "anon": the listener encrypts the session but does not authenticate the
# client's certificate, so any host that passes $AllowedSender can submit log
# lines. x509/name (as used in the answer) is the stricter choice.
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode

# NOTE(review): the $ActionSend* directives configure the *sending* side
# (omfwd actions). No forwarding action is defined in this file, so these
# four lines presumably have no effect on the inbound listener — confirm.
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer 128.x.x.x
$ActionSendStreamDriverPermittedPeer *.client-server.com
$ActionSendStreamDriverMode 1 # run driver in TLS-only modei
    # Legacy selector/action line (implicit omfile). Mode 755 leaves the log
    # world-readable; logs received from another host are usually kept at
    # 0640 like /var/log/secure (omfile's fileCreateMode controls this for
    # files rsyslog creates itself).
    *.* /var/log/all_client_logs.log # permissions are 755 on this file.
}
input(type="imtcp" port="6514" ruleset="alltcp")

My /etc/rsyslog.conf file is as stock as it gets:

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
              # local messages are retrieved through imjournal now.
module(load="imjournal"         # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see http://www.rsyslog.com/doc/imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see http://www.rsyslog.com/doc/imtcp.html
# (imtcp is loaded from the drop-in file in /etc/rsyslog.d/ instead; loading
# it here as well would be a duplicate.)
#module(load="imtcp") # needs to be done just once
#input(type="imtcp" port="514")

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
# The drop-ins are parsed at this point, before the RULES section below. An
# input bound to its own ruleset (ruleset="alltcp" in remote_client.conf) is
# expected to have its messages handled by that ruleset only, not by the
# default rules below — so a missing action inside that ruleset means the
# messages go nowhere rather than to /var/log/messages.
include(file="/etc/rsyslog.d/*.conf" mode="optional")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### sample forwarding rule ###
#action(type="omfwd"
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1"       # unique name prefix for spool files
#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"       # save messages to disk on shutdown
#queue.type="LinkedList"         # run asynchronously
#action.resumeRetryCount="-1"    # infinite retries if host is down
# Remote Logging (we use TCP for reliable delivery)
# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
#Target="remote_host" Port="XXX" Protocol="tcp")

The problem here is that nothing is being written to the file. If I remove the ruleset and place the TCP/TLS rules in rsyslog.conf (and set a TCP bind for port 6514), it prints to /var/log/messages. What am I missing in this config?



Without standing up a server to test your specific config, the most noticeable difference is that you do not have a type set in your action.

Using RHEL 8.6, I have a very minimal test configuration that does what you are asking. The rsyslog version on 8.6 is 8.2102. There were changes in the way newer versions of rsyslog (8.2106+) handle TLS, so if you're running one of those, I can look at a newer version of rsyslog:

[root@syslog opt]# cat /etc/rsyslog.conf
# TLS identity of this listener plus the CA used to validate client certs.
global(
  DefaultNetstreamDriverCAFile="/etc/ipa/ca.crt"
  DefaultNetstreamDriverCertFile="/etc/pki/tls/certs/syslog-server.crt"
  DefaultNetstreamDriverKeyFile="/etc/pki/tls/private/syslog-server.key"
)

# imtcp over gtls in TLS-only mode. With x509/name a client must present a
# certificate that chains to the CA above and whose name matches
# PermittedPeer. Any certificate that CA issues for a *.nix.turnerfarms.net
# name is accepted, so CA issuance policy is what bounds the set of senders.
module(
  load="imtcp"
  PermittedPeer=["*.nix.turnerfarms.net"]
  StreamDriver.AuthMode="x509/name"
  StreamDriver.Mode="1"
  StreamDriver.Name="gtls"
)
# Listener on 6514 bound to the "remote" ruleset, so received messages are
# handled there rather than by the main rules.
input(
  type="imtcp"
  port="6514"
  ruleset="remote"
)
# Per-sender file path built from the message's hostname property.
# NOTE(review): %hostname% is presumably taken from the received message;
# x509/name restricts who can send, but confirm the value cannot carry path
# separators before relying on it inside a file path.
template(
  name="rhel-hosts"
  type="string"
  string="/opt/%hostname%/syslog"
)
ruleset(name="remote") {
  # Explicit omfile action; dynaFile selects the output path via the template.
  action(
    type="omfile"
    dynaFile="rhel-hosts"
  )
}
cutrightjm