我一直尝试让 rsyslog 通过 TLS 进行传输,但到目前为止还没有成功。
我的配置似乎有问题,但我无法查明原因。
这是我的服务器配置文件:
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ModLoad immark # provides --MARK-- message capability
$ModLoad imgssapi # provides GSSAPI syslog reception
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 10514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
# specify senders you permit to access
$AllowedSender TCP, 127.0.0.1, 10.111.1.0/24, *.evoltek.test.com
#add: define logfiles
## /var/log/secure
$template Auth_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.secure"
## /var/log/messages
$template Msg_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.messages"
## /var/log/maillog
$template Mail_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.maillog"
## /var/log/cron
$template Cron_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.cron"
## /var/log/spooler
$template Spool_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.spooler"
## /var/log/boot.log
$template Boot_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.boot.log"
## emergency messages "*.emerg"
$template Emerg_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.emerg"
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none -?Msg_log
# The authpriv file has restricted access.
authpriv.* -?Auth_log
# Log all the mail messages in one place.
mail.* -?Mail_log
# Log cron stuff
cron.* -?Cron_log
# Everybody gets emergency messages
*.emerg -?Emerg_log
# Save news errors of level crit and higher in a special file.
uucp,news.crit -?Spool_log
# Save boot messages also to boot.log
local7.* -?Boot_log
这是我的客户端配置文件:
# rsyslog v5 configuration file
# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
*.* @@10.111.1.151:10514
我按照本指南创建了证书:http://kb.kristianreese.com/index.php?View=entry&EntryID=148
我的测试环境没有 FQDN,因此我将 DN 字段和 FQDN 字段留空,并填写了 IP 字段。
答案1
我使用 Rsyslog 5.8 和 Centos 6.9
以下是视频教程: https://youtu.be/eb9GlhD8XnY
在 CA(证书颁发机构)上创建证书
sudo mkidr /etc/ssl/rsyslog/
cd /etc/ssl/rsyslog/
安装 gnutls-utils
sudo yum install -y gnutls-utils
生成CA私钥(保护此密钥!)
sudo certtool --generate-privkey --outfile CA-key.pem
sudo chmod 400 CA-key.pem
生成CA公钥
sudo certtool --generate-self-signed --load-privkey CA-key.pem --outfile CA.pem
Common name: CA.EXAMPLE.COM
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (Y/N): y
Will the certificate be used to sign other certificates? (Y/N): y
Will the certificate be used to sign CRLs? (y/N): y
在 CA(证书颁发机构)上创建服务器私钥
sudo certtool --generate-privkey --outfile SERVER-key.pem --bits 2048
为服务器创建证书请求
sudo certtool --generate-request --load-privkey SERVER-key.pem --outfile SERVER-request.pem
Common name: SERVER.EXAMPLE.COM
签署服务器密钥并允许其他服务器信任该密钥对
sudo certtool --generate-certificate --load-request SERVER-request.pem --outfile SERVER-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem
The certificate will expire in (days): 1000
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: SERVER.EXAMPLE.COM
在 CA(证书颁发机构)上创建客户端私钥
sudo certtool --generate-privkey --outfile CLIENT-key.pem --bits 2048
为客户端创建证书请求
sudo certtool --generate-request --load-privkey CLIENT-key.pem --outfile CLIENT-request.pem
Common name: CLIENT.EXAMPLE.ORG
签署客户端密钥并允许其他服务器信任该密钥对
sudo certtool --generate-certificate --load-request CLIENT-request.pem --outfile CLIENT-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem
The certificate will expire in (days): 1000
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: CLIENT.EXAMPLE.ORG
删除请求密钥
sudo rm *-request.pem
将 SERVER 私钥/密钥和 CA.pem 复制到 SERVER.EXAMPLE.COM 使用 scp 或 USB 加密复制证书
sudo -u root scp -i ~/.ssh/id_rsa CA.pem SERVER-* [email protected]:/etc/ssl/rsyslog/
将 CLIENT 私钥/密钥和 CA.pem 复制到 CLIENT.EXAMPLE.COM
sudo -u root scp -i ~/.ssh/id_rsa CA.pem CLIENT-* [email protected]:/etc/ssl/rsyslog/
在服务器和客户端上安装 gtls 驱动
sudo yum install rsyslog-gnutls -y
配置服务器
sudo vi /etc/rsyslog.d/rsyslog-tls.conf
# Add
# Listen for TCP
$ModLoad imtcp
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/SERVER-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/SERVER-key.pem
# Auth mode
$InputTCPServerStreamDriverAuthMode x509/name
# Only allow EXAMPLE.COM domain
$InputTCPServerStreamDriverPermittedPeer *.EXAMPLE.COM
# Only use TLS
$InputTCPServerStreamDriverMode 1
# Listen on port 6514
# If you want to use other port configure selinux
$InputTCPServerRun 6514
在防火墙上打开端口 6514
sudo vi /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6514 -j ACCEPT
sudo /etc/init.d/iptables reload
重新启动 rsyslog 守护进程
sudo /etc/init.d/rsyslog restart
配置客户端
sudo vi /etc/rsyslog.d/rsyslog-tls.conf
# Add
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/CLIENT-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/CLIENT-key.pem
# Auth mode
$ActionSendStreamDriverAuthMode x509/name
# Only send log to SERVER.EXAMPLE.COM host
$ActionSendStreamDriverPermittedPeer SERVER.EXAMPLE.COM
# Only use TLS
$ActionSendStreamDriverMode 1
# Forward everithing to SERVER.EXAMPLE.COM
# If you use hostnames instead of IP configure DNS or /etc/hosts
*.* @@SERVER.EXAMPLE.COM:6514
重新启动 rsyslog 守护进程
sudo /etc/init.d/rsyslog restart
要在服务器上测试,请运行 tcpdump 并从客户端发送日志
sudo yum install tcpdump -y
sudo tcpdump -i eth0 tcp port 6514 -X -s 0 -nn
答案2
在 CentOS/RedHat 中,您还必须在 SElinux 中启用 SSL rsyslog 端口。类似这样的操作
semanage port -a -t syslogd_port_t -p tcp 10514应该可以解决问题。
您可以使用以下方式检查当前的系统日志端口
sudo semanage port -l| grep syslog
您也可以尝试在调试模式下运行 rsyslog,看看发生了什么:停止 rsyslog 守护进程,然后
export RSYSLOG_DEBUGLOG="/path/to/debuglog"
export RSYSLOG_DEBUG="Debug"
现在使用以下命令启动 rsyslog:
rsyslogd -dn
要检查所用的语法是否有效,请使用:
rsyslogd -N 1
答案3
我找不到 rsyslog 5.8 的工作配置(来自 CentOS 存储库)。
我已经安装了官方的 rsyslog 存储库,并使用此配置在几分钟内启动并运行了 rsyslog 7.6.0。