1

I am attempting to add TLS support to my syslog-ng service running on an AWS EC2 instance (logs are being sent to loggly). The basic configuration without TLS works, but when I replace the destination in the config with :

destination d_loggly {
    tcp("logs-01.loggly.com" port(6514) 
    tls(peer-verify(required-untrusted) ca_dir('/opt/syslog-ng/keys/ca.d/'))
    template(LogglyFormat));
};

I get the following error when I restart the syslog-ng service:

[ec2-user@ip-10-0-1-123 syslog-ng]$ sudo /etc/init.d/syslog-ng restart
Stopping syslog-ng: [ OK ]
Error parsing afsocket, syntax error, unexpected LL_IDENTIFIER, expecting ')' in /etc/syslog-ng/syslog-ng.conf at line 74, column 5:

tls(peer-verify(required-untrusted) ca_dir('/opt/syslog-ng/keys/ca.d/'))
^^^

syslog-ng documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
mailing list: https://lists.balabit.hu/mailman/listinfo/syslog-ng

I can confirm the certificates are located at /opt/syslog-ng/keys/ca.d/:

[ec2-user@ip-10-0-1-123 /]$ ls -l /opt/syslog-ng/keys/ca.d/
total 16
-rw-r--r-- 1 root root 1968 Jul 18 11:39 loggly.com.crt
-rw-r--r-- 1 root root 5241 Jul 18 11:39 loggly_full.crt
-rw-r--r-- 1 root root 3273 Jul 18 11:39 sf_bundle.crt

Any help to get TLS support working would be greatly appreciated.

MarcF
  • 213
  • 2
  • 11

1 Answers1

2

After many hours of searching I found the answer here:

http://www.syslog.org/forum/syslog-ng/tls-configuration-syntax-problem/

It's a limitation of the syslog-ng package in RHEL/EPEL: syslog-ng is in /sbin while openssl libraries are installed under /usr/lib. As /usr can be a separate partition unavailable during early boot, crypto support can't be enabled in the RHEL package.

And since AWS Linux is based on RHEL, the same limitation applies here.

I used the following guides to compile syslog-ng from source and now everything is working as expected:

https://www.balabit.com/sites/default/files/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/compiling-syslog-ng.html

https://czanik.blogs.balabit.com/2011/06/compiling-syslog-ng-with-database-support-for-centos-5-co/

http://www.packetwatch.net/documents/guides/2007062002.php

MarcF
  • 213
  • 2
  • 11
  • Note that this is the case for RHEL 5 and 6, but doesn't apply to 7 which has everything in `/usr`. As for Amazon Linux, it was forked from RHEL 5 years ago and hasn't been stable since. I wouldn't recommend it for anything important. – Michael Hampton Jul 20 '15 at 16:01