Here is the scenario: I have a log server listening on port 6514 over TCP. I created the .key and .crt files on the server as described here: https://www.logzilla.net/2014/10/17/configuring-tls-tunnels-in-syslog-ng.html:
[root@server1 ~]$ openssl genrsa -des3 -out logserver.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................+++
.+++
e is 65537 (0x10001)
Enter pass phrase for logserver.key:
Verifying - Enter pass phrase for logserver.key:
[root@server1 ~]$ openssl req -new -key logserver.key -out logserver.csr
Enter pass phrase for logserver.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server1 ~]$ cp logserver.key logserver.key.org
[root@server1 ~]$ openssl rsa -in logserver.key.org -out logserver.key
Enter pass phrase for logserver.key.org:
writing RSA key
[root@server1 ~]$ openssl x509 -req -days 365 -in logserver.csr -signkey logserver.key -out logserver.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
and put the settings in a newly created file named tls.conf in /etc/syslog-ng/conf.d.
Then I followed the next instructions:
Connect to the Client and mkdir -p /etc/syslog-ng/ssl. Download/Upload the /etc/syslog-ng/ssl/logserver.crt (which was created earlier on the Server) to the Client system and put the file in /etc/syslog-ng/ssl on the Client.
Find the hash for your key by running openssl x509 -noout -hash -in /etc/syslog-ng/ssl/logserver.crt
Next, create a symbolic link to the certificate that uses the hash returned by the previous command, with an added .0 suffix.
ln -s /etc/syslog-ng/ssl/logserver.crt /etc/syslog-ng/ssl/84d92a45.0
Once I added /etc/syslog-ng/conf.d/client-to-server.conf with the following contents:
@version:3.14
@define allow-config-dups 1
@include "scl.conf"

destination d_tls {
    tcp("192.168.1.7" port(6514)
        tls( ca_dir("/etc/syslog-ng/ssl/")) );
};

log {
    source(s_sys);
    destination(d_tls);
};
The syslog-ng service will not start on the client.
systemctl restart syslog-ng.service
Job for syslog-ng.service failed because the control process exited with error code. See "systemctl status syslog-ng.service" and "journalctl -xe" for details.
[root@localhost conf.d]# systemctl status syslog-ng.service -l
● syslog-ng.service - System Logger Daemon
Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
Active: failed (Result: start-limit) since Thu 2018-06-07 22:50:30 EEST; 7min ago
Docs: man:syslog-ng(8)
Process: 18196 ExecStart=/usr/sbin/syslog-ng -F $SYSLOGNG_OPTS -p /var/run/syslogd.pid (code=exited, status=2)
Main PID: 18196 (code=exited, status=2)
Status: "Starting up... (Thu Jun 7 22:50:30 2018"
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 07 22:50:30 localhost.localdomain systemd[1]: Failed to start System Logger Daemon.
Jun 07 22:50:30 localhost.localdomain systemd[1]: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service failed.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service holdoff time over, scheduling restart.
Jun 07 22:50:30 localhost.localdomain systemd[1]: start request repeated too quickly for syslog-ng.service
Jun 07 22:50:30 localhost.localdomain systemd[1]: Failed to start System Logger Daemon.
Jun 07 22:50:30 localhost.localdomain systemd[1]: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service failed.
[root@localhost conf.d]# journalctl -xe
-- Subject: Unit syslog-ng.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit syslog-ng.service has begun starting up.
Jun 07 22:50:30 localhost.localdomain syslog-ng[18190]: [2018-06-07T22:50:30.022361] Error setting up TLS session context; tls_error='(null):(null):(null)'
Jun 07 22:50:30 localhost.localdomain syslog-ng[18190]: [2018-06-07T22:50:30.022410] Error initializing message pipeline; plugin name='tcp', location='/etc/syslog-ng/conf.d/client-to-server.conf:5:7'
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 07 22:50:30 localhost.localdomain systemd[1]: Failed to start System Logger Daemon.
-- Subject: Unit syslog-ng.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit syslog-ng.service has failed.
--
-- The result is failed.
Jun 07 22:50:30 localhost.localdomain systemd[1]: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service failed.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service holdoff time over, scheduling restart.
Jun 07 22:50:30 localhost.localdomain systemd[1]: Starting System Logger Daemon...
-- Subject: Unit syslog-ng.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit syslog-ng.service has begun starting up.
Jun 07 22:50:30 localhost.localdomain syslog-ng[18193]: [2018-06-07T22:50:30.281966] Error setting up TLS session context; tls_error='(null):(null):(null)'
Jun 07 22:50:30 localhost.localdomain syslog-ng[18193]: [2018-06-07T22:50:30.282017] Error initializing message pipeline; plugin name='tcp', location='/etc/syslog-ng/conf.d/client-to-server.conf:5:7'
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 07 22:50:30 localhost.localdomain systemd[1]: Failed to start System Logger Daemon.
-- Subject: Unit syslog-ng.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit syslog-ng.service has failed.
--
-- The result is failed.
Jun 07 22:50:30 localhost.localdomain systemd[1]: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service failed.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service holdoff time over, scheduling restart.
Jun 07 22:50:30 localhost.localdomain systemd[1]: Starting System Logger Daemon...
-- Subject: Unit syslog-ng.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit syslog-ng.service has begun starting up.
Jun 07 22:50:30 localhost.localdomain syslog-ng[18196]: [2018-06-07T22:50:30.522580] Error setting up TLS session context; tls_error='(null):(null):(null)'
Jun 07 22:50:30 localhost.localdomain syslog-ng[18196]: [2018-06-07T22:50:30.522870] Error initializing message pipeline; plugin name='tcp', location='/etc/syslog-ng/conf.d/client-to-server.conf:5:7'
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service: main process exited, code=exited, status=2/INVALIDARGUMENT
Jun 07 22:50:30 localhost.localdomain systemd[1]: Failed to start System Logger Daemon.
-- Subject: Unit syslog-ng.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit syslog-ng.service has failed.
--
-- The result is failed.
Jun 07 22:50:30 localhost.localdomain systemd[1]: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service failed.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service holdoff time over, scheduling restart.
Jun 07 22:50:30 localhost.localdomain systemd[1]: start request repeated too quickly for syslog-ng.service
Jun 07 22:50:30 localhost.localdomain systemd[1]: Failed to start System Logger Daemon.
-- Subject: Unit syslog-ng.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit syslog-ng.service has failed.
--
-- The result is failed.
Jun 07 22:50:30 localhost.localdomain systemd[1]: Unit syslog-ng.service entered failed state.
Jun 07 22:50:30 localhost.localdomain systemd[1]: syslog-ng.service failed.
What exactly am I doing wrong?
Answer 1
The syslog-ng client configuration section with TLS should look like this:
destination d_tls {
    network("192.168.1.7" port(6514)
        transport("tls")
        tls( ca-dir("/etc/syslog-ng/ssl/ca.d")
             key-file("/etc/syslog-ng/ssl/mykey.key")
             cert-file("/etc/syslog-ng/ssl/mykey.pem")) );
};

log {
    source(s_sys);
    destination(d_tls);
};
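As an added example (not from the question or the answer above), here is a POSIX shell helper for the hashed-symlink step in the question and for populating the ca-dir that the answer's tls(ca-dir(...)) option points at: it installs a certificate under the `<subject-hash>.N` name OpenSSL's CApath lookup requires, and then checks that lookup with `openssl verify -CApath`. It assumes openssl(1) and GNU/busybox `readlink -f` are available; CERT and CADIR are parameters.

```shell
#!/bin/sh
# Added example, not part of the original post.
# OpenSSL (and therefore syslog-ng's tls(ca-dir())) finds trust anchors in a
# directory by file name <subject-hash>.<N>, so the symlink name must match
# `openssl x509 -hash`. A missing or misnamed link means the CA is simply not
# found at connect time, which surfaces as a TLS session setup error.
set -eu

# install_ca_link CERT CADIR -> prints the link path it created or found
install_ca_link() {
    cert=$1
    cadir=$2
    mkdir -p "$cadir"
    # Refuse anything that does not parse as an X.509 certificate.
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || {
        echo "not a PEM certificate: $cert" >&2
        return 1
    }
    hash=$(openssl x509 -noout -hash -in "$cert")
    target=$(readlink -f "$cert")
    # Use the first free suffix; subject-hash collisions get .1, .2, ...
    # exactly as OpenSSL expects when it walks the directory.
    n=0
    while [ -e "$cadir/$hash.$n" ]; do
        if [ "$(readlink -f "$cadir/$hash.$n")" = "$target" ]; then
            echo "$cadir/$hash.$n"    # already installed, nothing to do
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$target" "$cadir/$hash.$n"
    echo "$cadir/$hash.$n"
}

# verify_ca_dir CERT CADIR -> exit 0 only if CERT chains to an anchor in
# CADIR, the same lookup the syslog-ng client performs when it connects.
verify_ca_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}
```

Run it on the client as `install_ca_link /etc/syslog-ng/ssl/logserver.crt /etc/syslog-ng/ssl/ca.d && verify_ca_dir /etc/syslog-ng/ssl/logserver.crt /etc/syslog-ng/ssl/ca.d` before restarting syslog-ng; a verify failure points at the ca-dir rather than at the destination block.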