I have an rsyslog server at front and need to forward certain facilities to a remote server. I created a template for transport as HTTP body:

```
template(name="syslogforward" type="list") {
    # request line and header; note that HTTP expects CRLF ("\r\n") line
    # endings and a Content-Length header so the server can delimit each
    # body on a long-lived TCP connection
    constant(value="POST / HTTP/1.0\n")
    constant(value="Content-type: text/plain; charset=UTF-8\n")
    constant(value="\n")
    # body: one syslog line
    property(name="timereported")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="app-name")
    constant(value=": ")
    property(name="pri-text")
    property(name="msg")
}

local1.* action(
    Name="Forward_to_remote"
    type="omfwd"
    Template="syslogforward"
    Target="xxx.xxx.xxx.xxx"
    Port="8080"
    Protocol="tcp"
)
```

I'd like to forward these messages encrypted with HTTPS, do I have to launch another process opening a local socket and doing the HTTPS or is there another way built in?

Marc0
  • I don't understand "upstream site", upstream regarding what? The syslog traffic towards my server is encrypted as shown in the [rsyslog docs](https://www.rsyslog.com/doc/master/tutorials/tls_cert_summary.html). I think I cannot use action type `omfwd` as syslog is plain text. I believe I need to set up a listener doing the encrypted forwarding (e.g. `curl`) and have rsyslog pipe to it. – Marc0 Feb 14 '19 at 19:47
  • After checking the [omhttp description](https://www.rsyslog.com/doc/v8-stable/configuration/modules/omhttp.html) I'll check this module. – Marc0 Feb 17 '19 at 11:19
  • Module omhttp is [too new](https://github.com/rsyslog/rsyslog/commits/master/contrib/omhttp/omhttp.c). It's not included in Debian's rsyslog version v8.24.0. – Marc0 Feb 17 '19 at 11:30

1 Answer

I solved my problem by writing a Perl script that opens a PIPE on the input end and pumps the newline-terminated messages to the remote site using LWP::UserAgent, which gives me full freedom regarding TLS issues (use a CA cert or not, verify the host or not). Instead of omfwd I now use ompipe.

My rsyslog config changed like this:

```
template(name="syslogforward" type="list") {
    property(name="timereported")
    constant(value=" ")
    property(name="hostname")
    constant(value=" ")
    property(name="app-name")
    constant(value=": ")
    property(name="pri-text")
    property(name="msg")
    # avoid buffering
    # maybe I should re-think this
    constant(value="\n")
}

local1.* action(
    Name="Forward_to_remote"
    Type="ompipe"
    # just a demo pipe
    Pipe="/tmp/mypipe"
    Template="syslogforward"
)
```

Next I'll go and change my Puppet module...

Marc0
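The reader side of the arrangement the answer describes, written here as an added example rather than the answerer's own script: it blocks on the FIFO that the `ompipe` action writes to, reads one newline-terminated message at a time and POSTs each one over HTTPS with `LWP::UserAgent`. The FIFO path is taken from the `Pipe=` parameter above; the endpoint URL, the CA bundle path and the environment variable names are assumptions (placeholders), and `LWP::Protocol::https` must be installed for the `https://` scheme.

```perl
#!/usr/bin/perl
# Added example (not the original poster's script): forward syslog lines
# from an rsyslog ompipe FIFO to an HTTPS endpoint with LWP::UserAgent.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Assumed settings; override via environment. The FIFO path matches the
# Pipe="/tmp/mypipe" parameter of the rsyslog action, the other two are
# placeholders.
my $fifo    = $ENV{SYSLOG_FIFO}    // '/tmp/mypipe';
my $url     = $ENV{SYSLOG_URL}     // 'https://logs.example.test/';
my $ca_file = $ENV{SYSLOG_CA_FILE} // '/etc/ssl/certs/ca-certificates.crt';

# Peer verification stays on: the server certificate must chain to
# $ca_file and its name must match the host in $url. This is the point
# where the "verify host or not" freedom mentioned in the answer lives;
# verify_hostname => 0 would accept any certificate, so keep it at 1.
my $ua = LWP::UserAgent->new(
    timeout  => 5,
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => $ca_file,
    },
);

# POST a single message as the request body. Returns true on a 2xx reply.
sub forward_line {
    my ($line) = @_;
    my $req = HTTP::Request->new(POST => $url);
    $req->header('Content-Type' => 'text/plain; charset=UTF-8');
    $req->content($line);          # raw bytes as read from the FIFO
    my $res = $ua->request($req);
    return $res->is_success;
}

# open() on a FIFO blocks until rsyslog has it open for writing. If the
# writer goes away (rsyslog restart or reload) we hit EOF, so reopen and
# keep waiting instead of exiting.
while (1) {
    open(my $fh, '<', $fifo) or die "cannot open $fifo: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line eq '';
        unless (forward_line("$line\n")) {
            # no retry queue in this sketch: log the loss on stderr
            warn "forward failed, message dropped: $line\n";
        }
    }
    close $fh;
    sleep 1;   # do not spin if the FIFO keeps returning EOF
}
```

Two details worth keeping in mind when running something like this: the trailing `constant(value="\n")` in the template is what delimits messages on the pipe, so it is needed rather than optional, and writes to a pipe are only atomic up to `PIPE_BUF` bytes (4096 on Linux), so very long syslog lines can interleave with others if more than one writer shares the FIFO. The script also has no spool: if the remote side is down, messages read from the pipe are lost, which is the trade-off against rsyslog's own action queues that an external forwarder gives up.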