Problems getting an Rsyslog TLS configuration to work

Overview

I have a server that receives syslog data from external clients over which I have no administrative control. The goal is to move the existing configuration to encrypting data in transit by implementing TLS for syslog on TCP port 6514. All network, firewall rules and SELinux configuration have been verified, and I have successfully tested receiving unencrypted syslog messages on TCP port 6514. I have also downloaded rsyslog-gnutls as the TLS driver.

Syslog server details

$ cat /etc/os-release 
NAME="CentOS Linux"
VERSION="7 (Core)"
$ rsyslogd -v
rsyslogd 8.24.0-57.el7_9.3, compiled with:
        PLATFORM:                               x86_64-redhat-linux-gnu
        PLATFORM (lsb_release -d):
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        Number of Bits in RainerScript integers: 64
$ yum list installed | grep rsyslog-gnutls
rsyslog-gnutls.x86_64              8.24.0-57.el7_9.3

Base syslog configuration (/etc/rsyslog.conf)

This has no bearing on the earlier non-encrypted configuration that worked over port 514/tcp, but it is included here for completeness.

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

$FileCreateMode 0640

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages
*.*                                                     /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log all user commands
local3.*                                                /var/log/userCommands.log

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

Included configuration (/etc/rsyslog.d/syslog-tls.conf)

This is the file I created with my custom configuration. The configuration below shows the current working state, unencrypted, on port 6514/tcp. It is the only .conf file in /etc/rsyslog.d, so no other configuration should be imported. There are three other .conf files which I renamed to .conf.bak, so I assume rsyslogd does not read them because of the added extension.

########################################################################
#
# This file is included from /etc/rsyslog.conf as long as it is located
# in /etc/rsyslog.d/.
#
########################################################################
$umask 0000     #not supported in global() for rsyslog versions < 8.26

global(
preserveFQDN="on"
parser.escapeControlCharactersOnReceive="off"   #Prevent escaping of new lines
#defaultNetstreamDriver="gtls"
#defaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/myCertAuthCertificate.pem"
#defaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/mySyslogUfServerChainedCertificate.pem"
#defaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/mySyslogUfServerPrivKey.key"
)

module(
load="imtcp"
maxSessions="500"
disableLFDelimiter="off"
#streamDriver.Name="gtls"
#streamDriver.Mode="1"
#streamDriver.Authmode="x509/certvalid"
#streamDriver.PermittedPeers="172.16.32.155"
)

module(
load="builtin:omfile"
dirCreateMode="0750"
dirOwner="splunk"
dirGroup="splunk"
fileCreateMode="0640"
fileOwner="splunk"
fileGroup="splunk"
)

template(name="foo_test" type="string" string="/var/log/foo_test/%HOSTNAME%/%$year%_%$month%_%$day%.log")

ruleset(name="foo"){
    if ($fromhost-ip != '127.0.0.1') then
        action(type="omfile" dynaFile="foo_test")
    stop
}

input(type="imtcp" port="6514")

Problem

If I uncomment the TLS-related configuration parameters (DefaultNetstreamDriver and StreamDriver) in syslog-tcp.conf and restart rsyslog, port 6514/tcp no longer shows up in netstat. This tells me that something is wrong with the configuration parameters I chose and/or the order in which I defined them.

Running a syntax validation check against the configuration files shows no problems, but from my research this only indicates that the syntax is good; there could still be problems at runtime.

$ sudo systemctl restart rsyslog
$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2023-08-09 18:46:52 GMT; 3s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 22327 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─22327 /usr/sbin/rsyslogd -n

Aug 09 18:46:52 testbox01 systemd[1]: Starting System Logging Service...
Aug 09 18:46:52 testbox01 systemd[1]: Started System Logging Service.

$ rsyslogd -f /etc/rsyslog.conf -N1
rsyslogd: version 8.24.0-57.el7_9.3, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

$ rsyslogd -f /etc/rsyslog.d/syslog-tls.conf -N3
rsyslogd: version 8.24.0-57.el7_9.3, config validation run (level 3), master config /etc/rsyslog.d/syslog-tls.conf
rsyslogd: End of config validation run. Bye.

This is my first attempt at an rsyslog configuration with TLS, and I did not have much rsyslog experience before this. I hope someone more proficient with rsyslog can point out the error in my approach :) Thanks in advance!

Update

8/9/23: I ran rsyslogd in debug mode and got a large amount of output. A truncated version of the output is provided below, containing the messages I believe are relevant to the problem. I can provide more of the output if needed. I noticed that when rsyslogd runs in the foreground in debug mode, port 6514/tcp shows up as a listening port. As soon as I terminate debug mode and restart rsyslogd normally, port 6514/tcp stays closed, i.e. it does not show a listening state in the netstat output.

3144.701090845:main thread    : imtcp: trying to add port *:6514
3144.701096552:main thread    : ratelimit:tcperver:new ratelimiter:bReduceRepeatMsgs 0
3144.701103144:main thread    : caller requested object 'nsd_gtls', not found (iRet -3003)
3144.701107289:main thread    : Requested to load module 'lmnsd_gtls'
3144.701112377:main thread    : loading module '/usr/lib64/rsyslog/lmnsd_gtls.so'
3144.704593252:main thread    : source file nsd_gtls.c requested reference for module 'lmnet', reference count now 6
3144.704601962:main thread    : caller requested object 'nsd_ptcp', not found (iRet -3003)
3144.704606370:main thread    : Requested to load module 'lmnsd_ptcp'
3144.704613121:main thread    : loading module '/usr/lib64/rsyslog/lmnsd_ptcp.so'
3144.704740556:main thread    : source file nsd_ptcp.c requested reference for module 'lmnetstrms', reference count now 4
3144.704750825:main thread    : module lmnsd_ptcp of type 2 being loaded (keepType=0).
3144.704754868:main thread    : entry point 'isCompatibleWithFeature' not present in module
3144.704758844:main thread    : entry point 'setModCnf' not present in module
3144.704762675:main thread    : entry point 'getModCnfName' not present in module
3144.704766304:main thread    : entry point 'beginCnfLoad' not present in module
3144.704770744:main thread    : source file nsd_gtls.c requested reference for module 'lmnsd_ptcp', reference count now 1
3144.704785499:main thread    : GTLS CA file: '/etc/rsyslog.d/certs/myCertAuthCertificate.pem'
3144.705337400:main thread    : source file nsdsel_gtls.c requested reference for module 'lmnsd_ptcp', reference count now 2
3144.705344715:main thread    : module lmnsd_gtls of type 2 being loaded (keepType=1).
3144.705348930:main thread    : entry point 'isCompatibleWithFeature' not present in module
3144.705352660:main thread    : entry point 'setModCnf' not present in module
3144.705356421:main thread    : entry point 'getModCnfName' not present in module
3144.705360038:main thread    : entry point 'beginCnfLoad' not present in module
3144.705365118:main thread    : source file netstrms.c requested reference for module 'lmnsd_gtls', reference count now 1
3144.705373376:main thread    : GTLS certificate file: '/etc/rsyslog.d/certs/mySyslogUfServerChainedCertificate.pem'
3144.705377299:main thread    : GTLS key file: '/etc/rsyslog.d/certs/mySyslogUfServerPrivKey.key'
3144.716630033:main thread    : creating tcp listen socket on port 6514
3144.723178541:main thread    : We could initialize 1 TCP listen sockets out of 2 we received - this may or may not be an error indication.
3144.723190317:main thread    : Allocating buffer for 500 TCP sessions.
3144.723201696:main thread    : telling modules to activate config 0x55b2e2beaa20
3144.723206050:main thread    : activating config 0x55b2e2beaa20 for module builtin:omfile
3144.723210213:main thread    : activating config 0x55b2e2beaa20 for module builtin:ompipe
3144.723214794:main thread    : activating config 0x55b2e2beaa20 for module builtin:omfwd
3144.723219318:main thread    : activating config 0x55b2e2beaa20 for module imuxsock
3144.723223556:main thread    : activating config 0x55b2e2beaa20 for module imjournal
3144.723227739:main thread    : activating config 0x55b2e2beaa20 for module imtcp
3144.724453266:main thread    : Allowed TCP Senders:
3144.724459171:main thread    :         No restrictions set.
3144.724465166:main thread    : iterateAllActions calling into action 0x55b2e2c03ec0
3144.724472897:main thread    : action 1 queue: starting queue

8/10/23: I added SYSLOGD_OPTIONS="-d" to /etc/sysconfig/rsyslog as shown below. This option has been deprecated since v3 and is not running in the compatibility mode specified in the file's comments; is that a problem?

# Options for rsyslogd
# Syslogd options are deprecated since rsyslog v3.
# If you want to use them, switch to compatibility mode 2 by "-c 2"
# See rsyslogd(8) for more details
SYSLOGD_OPTIONS="-d"

I now see error messages when starting rsyslog, as shown below.

$ sudo systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2023-08-10 13:21:36 GMT; 6s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 9362 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─9362 /usr/sbin/rsyslogd -n -d

Aug 10 13:21:36 testbox01 systemd[1]: Starting System Logging Service...
Aug 10 13:21:36 testbox01 rsyslogd[9362]:  [origin software="rsyslogd" swVersion="8.24.0-57.el7_9.3" x-pid="9362" x-info="http://www.rsyslog.com"] start
Aug 10 13:21:36 testbox01 rsyslogd[9362]: error reading certificate file '/etc/rsyslog.d/certs/myCertAuthCertificate.pem' - a common cause is that the file  does not ex...com/e/2078 ]
Aug 10 13:21:36 testbox01 rsyslogd[9362]: could not load module '/usr/lib64/rsyslog/lmnsd_gtls.so', rsyslog error -2078  [v8.24.0-57.el7_9.3 try http://www.rsyslog.com/e/2068 ]
Aug 10 13:21:36 testbox01 systemd[1]: Started System Logging Service.
Aug 10 13:21:36 testbox01 rsyslogd[9362]: tcpsrv could not create listener (inputname: 'imtcp') [v8.24.0-57.el7_9.3 try http://www.rsyslog.com/e/2068 ]
Aug 10 13:21:36 testbox01 rsyslogd[9362]: activation of module imtcp failed [v8.24.0-57.el7_9.3 try http://www.rsyslog.com/e/2068 ]
Hint: Some lines were ellipsized, use -l to show in full.

Setting SELinux to permissive mode lets rsyslog start successfully without errors. Researching possible solutions so that SELinux can stay enforcing.

sudo setenforce 0

Answer 1

A: SELinux needs to know about the port

On AlmaLinux 8.9 it is already configured.

sudo yum install -y policycoreutils-python-utils
sudo semanage port -a -t syslogd_port_t -p tcp 6514

B: There are a few things in the configuration that need checking.

  1. You could first try a self-signed certificate (AuthMode="anon"), where the CertFile is the same as the CAFile (the client only needs the CAFile):
    global(
        DefaultNetstreamDriver="gtls"
        DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/myCertAuthCertificate.pem"
        DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/mySyslogUfServerChainedCertificate.pem"
        DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/mySyslogUfServerPrivKey.key"
    )
  2. The TCP input module can then load and initialize GNU TLS:
    module(load="imtcp"
        StreamDriver.Name="gtls"
        StreamDriver.Mode="1"
        StreamDriver.AuthMode="anon"
    )
  3. When defining the input listener, you should "wire up the output" by referencing the ruleset, which is missing from your configuration:
    input(type="imtcp" port="6514" ruleset="foo")

Once the port is listening, try TLS by connecting from localhost and from a remote log host:

openssl s_client -connect testbox01:6514
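The two halves of the answer (the SELinux port label and the config wiring) can both be checked before restarting the daemon, which matters because, as the question shows, `rsyslogd -N1` reports a clean config and the failure only appears at activation. The following is an added example, not the poster's or the rsyslog project's code. It parses the RainerScript-style `global()`/`module()`/`input()`/`ruleset()` objects out of a config text and flags a gtls driver whose CA/cert/key paths are missing, an imtcp input with no `ruleset=`, and a listen port absent from the `syslogd_port_t` label in `semanage port -l` output. The config excerpts and semanage output are constructed; file existence is injected so the checks run offline.

```python
"""Pre-flight checks for an rsyslog TLS listener (added example, not rsyslog code)."""
import os
import re
from typing import Callable, Dict, List, Set

OBJ_RE = re.compile(r"(\w+)\s*\(([^)]*)\)", re.S)        # name( ...params... )
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')       # key="value"
SEMANAGE_RE = re.compile(r"^(\S+)\s+(tcp|udp)\s+(.*)$")  # label  proto  ports
TLS_FILE_KEYS = ("defaultnetstreamdrivercafile",
                 "defaultnetstreamdrivercertfile",
                 "defaultnetstreamdriverkeyfile")


def parse_objects(text: str) -> List[Dict[str, str]]:
    """One dict per object; keys lower-cased since rsyslog parameter names
    are case-insensitive (defaultNetstreamDriver == DefaultNetstreamDriver)."""
    stripped = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    objects = []
    for name, body in OBJ_RE.findall(stripped):
        obj = {"_obj": name.lower()}
        obj.update((k.lower(), v) for k, v in PARAM_RE.findall(body))
        objects.append(obj)
    return objects


def check_tls_config(text: str, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Findings for the config-level problems discussed in the answer."""
    objs = parse_objects(text)
    glob: Dict[str, str] = {}
    for o in objs:
        if o["_obj"] == "global":
            glob.update(o)
    imtcp = [o for o in objs if o["_obj"] == "module" and o.get("load") == "imtcp"]
    rulesets = {o["name"] for o in objs if o["_obj"] == "ruleset" and "name" in o}
    findings: List[str] = []

    driver = glob.get("defaultnetstreamdriver")
    if driver == "gtls" or any(m.get("streamdriver.name") == "gtls" for m in imtcp):
        if driver != "gtls":
            findings.append("imtcp requests gtls but global() sets no DefaultNetstreamDriver")
        for key in TLS_FILE_KEYS:          # server side needs all three files
            path = glob.get(key)
            if not path:
                findings.append(f"gtls enabled but global() does not set {key}")
            elif not exists(path):
                findings.append(f"{key} points at missing file {path}")
    for inp in (o for o in objs if o["_obj"] == "input" and o.get("type") == "imtcp"):
        rs = inp.get("ruleset")
        if rs is None:
            findings.append(f"imtcp input on port {inp.get('port')} has no ruleset=; "
                            "messages fall through to the default rules, not your ruleset")
        elif rs not in rulesets:
            findings.append(f"imtcp input references undefined ruleset '{rs}'")
    return findings


def selinux_labelled_ports(semanage_output: str, label: str = "syslogd_port_t",
                           proto: str = "tcp") -> Set[int]:
    """Ports carrying `label` in `semanage port -l` output; handles ranges (a-b)."""
    ports: Set[int] = set()
    for line in semanage_output.splitlines():
        m = SEMANAGE_RE.match(line.strip())
        if not m or m.group(1) != label or m.group(2) != proto:
            continue
        for item in (p.strip() for p in m.group(3).split(",") if p.strip()):
            lo, _, hi = item.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def check_selinux_ports(text: str, semanage_output: str) -> List[str]:
    """Flag imtcp listen ports that SELinux would refuse to let syslogd_t bind."""
    labelled = selinux_labelled_ports(semanage_output)
    return [f"port {o['port']}/tcp lacks syslogd_port_t; "
            f"run: semanage port -a -t syslogd_port_t -p tcp {o['port']}"
            for o in parse_objects(text)
            if o["_obj"] == "input" and o.get("type") == "imtcp"
            and o.get("port") and int(o["port"]) not in labelled]


# Constructed excerpt mirroring the poster's file with the TLS lines uncommented.
BROKEN_CONF = """
global(
    defaultNetstreamDriver="gtls"
    defaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/myCertAuthCertificate.pem"
    defaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/mySyslogUfServerChainedCertificate.pem"
    defaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/mySyslogUfServerPrivKey.key"
)
module(load="imtcp" maxSessions="500" streamDriver.Name="gtls"
       streamDriver.Mode="1" streamDriver.Authmode="x509/certvalid")
ruleset(name="foo"){ action(type="omfile" file="/var/log/foo.log") stop }
input(type="imtcp" port="6514")
"""
# Same config with the input bound to the ruleset, as the answer suggests.
FIXED_CONF = BROKEN_CONF.replace('port="6514")', 'port="6514" ruleset="foo")')
# Constructed `semanage port -l | grep syslogd` output before and after the fix.
SEMANAGE_BEFORE = ("syslogd_port_t                 tcp      601, 20514\n"
                   "syslogd_port_t                 udp      514, 601, 20514\n")
SEMANAGE_AFTER = SEMANAGE_BEFORE.replace("tcp      601, 20514", "tcp      601, 6514, 20514")

if __name__ == "__main__":
    for f in check_tls_config(BROKEN_CONF, exists=lambda p: True) + \
             check_selinux_ports(BROKEN_CONF, SEMANAGE_BEFORE):
        print("FINDING:", f)
```

On a real host, drop the `exists` override so the certificate paths are checked on disk, and feed `semanage port -l` output to `check_selinux_ports`. The question's observation that permissive mode makes the certificate-read error disappear points at an SELinux denial on the certificate files themselves rather than the port; `ausearch -m AVC -ts recent` lists the denied access so the file contexts under /etc/rsyslog.d/certs can be fixed (for example with `restorecon -Rv`) instead of leaving SELinux permissive.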
