Configure secure logging with rsyslog TLS to remote log server (CentOS/RHEL 7)


rsyslog, Security

In my last article I shared the steps to securely transfer files between two machines using HTTPS. Now I will share the steps to configure secure logging with rsyslog to remote log server using TLS certificates in CentOS/RHEL 7 Linux. This document describes a secure way to set up rsyslog (TLS certificates) to transfer logs to remote log server. A secure logging environment requires more than just encrypting the transmission channel. Below are some of the security benefits with secure remote logging using TLS

  • syslog messages are encrypted while travelling on the wire
  • the syslog sender authenticates to the syslog receiver; thus, the receiver knows who is talking to it
  • the syslog receiver authenticates to the syslog sender; thus, the sender can check if it indeed is sending to the expected receiver
  • the mutual authentication prevents man-in-the-middle attacks

Configure secure remote logging with rsyslog (TLS) on Linux

 

Why do I need secure logging to remote log server?

I had already written an article to perform logging on remote log server using rsyslog over TCP protocol, but even if you are using TCP for sending log messages to a remote server, there's no encryption or anything applied while the message is in transit, and that might not be acceptable. If your organisation needs a higher level of security, you need to set up secure logging to remote log server. Secured remote logging is going to use TLS.

IMPORTANT NOTE:
Time must be in synchronised between server and client for secure logging to remote log server. So make sure you are using a time syncing tool like chronyd or ntpd.

My Setup:

  • I will use two different nodes to demonstrate secure logging to remote log user using rsyslog with TLS certificates i.e. node2 and node3.
  • Both the nodes are installed with CentOS 7.4 Linux. In this article node2 will act as a client which will forward the rsyslog messages to node3 (remote log server).
  • So node2 will be our client and node3 will act as the remote log server.
NOTE:
I have disabled SELinux for this article, in case you plan to use SELinux then please make sure it is not blocking our secure remote logging.
[root@node2 ~]# systemctl status chronyd

[root@node2 ~]# date
Tue Apr 16 14:10:12 IST 2019
[root@node3 ~]# systemctl status chronyd

[root@node3 ~]# date
Tue Apr 16 14:10:06 IST 2019

 

Generate CA certificates

To create a self-signed certificate for secure forwardof syslog to remote log server, we will use certtool which is part of GnuTLS. So let us first install GnuTLS rpm using yum.

NOTE:
On RHEL system you must have an active subscription to RHN or you can configure a local offline repository using which "yum" package manager can install the provided rpm and it's dependencies.
[root@node2 ~]# yum -y install gnutls-utils
IMPORTANT NOTE:
TCP port 6514 needs to be accessible on the log server, and the client needs to be able to get out on that port as well.

 

Generate the private key

[root@node2 ~]# certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...

Check the new key which we have just created

[root@node2 ~]# ls -l
total 44
-rw-------. 1 root root 1899 Feb 17 17:45 anaconda-ks.cfg
-rw-------  1 root root 5813 Apr 16 14:12 ca-key.pem
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Desktop
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Documents
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Downloads
-rw-r--r--. 1 root root    0 Feb 17 17:48 initial-setup-ks.cfg
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Videos

This key needs the appropriate permissions to make it readable for the root user only

[root@node2 ~]# chmod 400 ca-key.pem

Now create the (self-signed) CA certificate itself. This command queries you for a number of things. Use appropriate responses. When it comes to certificate validity, keep in mind that you need to recreate all certificates when this one expires. So it may be a good idea to use a long period, eg. 3650 days (roughly 10 years). You need to specify that the certificates belongs to an authority. The certificate is used to sign other certificates.

[root@node2 ~]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: node2.example.com
UID:
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (default: 6680410231240074733):


Activation/Expiration time.
The certificate will expire in (days): 3650


Extensions.
Does the certificate belong to an authority? (y/N): y
Path length constraint (decimal, -1 for no constraint): -1
Is this a TLS web client certificate? (y/N): n
Will the certificate be used for IPsec IKE operations? (y/N): n
Is this a TLS web server certificate? (y/N): n
Enter a dnsName of the subject of the certificate: node2.example.com
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used to sign OCSP requests? (y/N): n
Will the certificate be used to sign code? (y/N): n
Will the certificate be used for time stamping? (y/N): n
Will the certificate be used to sign other certificates? (y/N): y
Will the certificate be used to sign CRLs? (y/N): y
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 5cb595b602f325ed
        Validity:
                Not Before: Tue Apr 16 08:43:36 UTC 2019
                Not After: Fri Apr 13 08:43:44 UTC 2029
        Subject: CN=node2.example.com
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Modulus (bits 2048):
                        00:b7:d6:0b:dd:52:72:77:87:d6:16:8d:c6:93:69:6b
                        23:19:65:3e:28:cf:63:72:39:11:98:d9:6c:51:fe:da
                        2f:f3:2c:52:24:37:79:b2:36:ce:cd:8e:a2:45:51:96
                        a0:03:ef:7f:9b:f5:7f:f4:67:2e:08:25:fb:0b:69:41
                        f8:7c:15:b7:44:3d:65:a0:c8:97:51:f2:5c:fb:4f:fb
                        db:5a:c0:db:d9:78:35:c4:01:dc:68:d4:d2:9f:9b:29
                        47:4c:6e:44:d2:f4:b8:b4:f7:0a:dd:1c:45:d3:32:c8
                        cf:86:50:c3:49:4d:0f:24:61:e4:a6:10:c5:6a:f2:58
                        84:f4:94:e3:9d:65:33:c2:36:60:30:f0:f7:7a:55:9a
                        68:d4:0b:62:59:4f:9b:a0:60:e2:78:b9:1e:90:a5:95
                        9a:e9:45:c0:ba:6f:4c:09:72:d8:b0:fb:3b:77:c7:a8
                        ee:75:6e:f8:96:24:8c:14:06:57:85:73:eb:d2:e9:d9
                        a2:9e:d6:17:c0:6c:ac:ba:2a:47:49:9d:df:35:4a:75
                        be:4c:68:4e:36:43:04:a7:7c:a2:47:5d:62:24:1b:00
                        a9:10:63:90:3e:b1:8a:5c:01:e5:ac:21:7b:5e:19:ab
                        4e:04:5c:82:00:7e:27:d6:31:66:db:c7:1f:53:32:9b
                        59
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): TRUE
                        Path Length Constraint: 0
                Subject Alternative Name (not critical):
                        DNSname: node2.example.com
                Key Usage (critical):
                        Certificate signing.
                        CRL signing.
                Subject Key Identifier (not critical):
                        951acec5fda12e4b438d10bb48a5ddcdea33a1f8
Other Information:
        Public Key ID:
                951acec5fda12e4b438d10bb48a5ddcdea33a1f8
        Public key's random art:
                +--[ RSA 2048]----+
                |        o        |
                |       + = =     |
                |      o = * + .  |
                |     . + B + o . |
                |      . S = o .  |
                |       . + o     |
                |      . . B .    |
                |       . . *     |
                |        E .      |
                +-----------------+

Is the above information ok? (y/N): y


Signing certificate...

Validate the newly created key.

[root@node2 ~]# ls -l
total 48
-rw-------. 1 root root 1899 Feb 17 17:45 anaconda-ks.cfg
-r--------  1 root root 5813 Apr 16 14:12 ca-key.pem
-rw-r--r--  1 root root 1143 Apr 16 14:16 ca.pem
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Desktop
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Documents
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Downloads
-rw-r--r--. 1 root root    0 Feb 17 17:48 initial-setup-ks.cfg
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Videos
WARNING:
Nobody except the CA itself needs to have it. If some third party obtains it, you security is broken!
NOTE:
ca-key.pem is a private key of certificate authority and ca.pem is a public key that we are going to distribute to the other nodes. You can also revoke the certificate using openssl.

 

Generate machine certificate

In this step, we generate certificates for each of the machines. Please note that both clients and servers need certificates. The certificate identifies each machine to the remote peer.
Here --outfile reflects the name of the server that's going to use the private key i.e. node3-key.pem for us. This way it is easier to identify the key and the mapped node name.

[root@node2 ~]# certtool --generate-privkey --outfile node3-key.pem --bits 2048
** Note: Please use the --sec-param instead of --bits
Generating a 2048 bit RSA private key...

The remote log server still is node3, and the signing requests is what it needs to get the certificate signed. So just the fact of having private key is not enough. It must be signed by a certificate authority. Here we are raising a request using certtool to load node3-key.pem private key and sign this private key into outfile i.e. node3-request.pem.

Now this will again prompt you with a bunch of questions, answer them appropriately based on your environment.

[root@node2 ~]# certtool --generate-request --load-privkey node3-key.pem --outfile node3-request.pem
Generating a PKCS #10 certificate request...
Common name: node3.example.com
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
UID:
Enter a dnsName of the subject of the certificate: node3.example.com
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N):
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): n
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): n
Will the certificate be used to sign code? (y/N): n
Will the certificate be used for time stamping? (y/N): n
Will the certificate be used for IPsec IKE operations? (y/N): n
Will the certificate be used to sign OCSP requests? (y/N): n
Is this a TLS web client certificate? (y/N): n
Is this a TLS web server certificate? (y/N): n

Now validate the node3-request.pem which we have created.

[root@node2 ~]# ls -l
total 60
-rw-------. 1 root root 1899 Feb 17 17:45 anaconda-ks.cfg
-r--------  1 root root 5813 Apr 16 14:12 ca-key.pem
-rw-r--r--  1 root root 1143 Apr 16 14:16 ca.pem
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Desktop
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Documents
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Downloads
-rw-r--r--. 1 root root    0 Feb 17 17:48 initial-setup-ks.cfg
-rw-------  1 root root 5826 Apr 16 14:18 node3-key.pem
-rw-------  1 root root 2513 Apr 16 14:20 node3-request.pem
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Videos

And after doing all this, the procedure of creating the key material for the RSA's log server, as well as client, is going to be complete. In here, the private key of the certificate authority is used to sign the certificates that is going to be used by node3, and that is what is going to make sure that node3 is going to be trusted by everyone involved.

[root@node2 ~]# certtool --generate-certificate --load-request node3-request.pem --outfile node3-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 6680412331704980564):


Activation/Expiration time.
The certificate will expire in (days): 1000


Extensions.
Do you want to honour the extensions from the request? (y/N):
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: node3.example.com
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): n
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): n
Will the certificate be used to sign OCSP requests? (y/N): n
Will the certificate be used to sign code? (y/N): n
Will the certificate be used for time stamping? (y/N): n
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 5cb5979f106a1454
        Validity:
                Not Before: Tue Apr 16 08:51:48 UTC 2019
                Not After: Mon Jan 10 08:51:53 UTC 2022
        Subject: CN=node3.example.com,DC=node3.example.com
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Modulus (bits 2048):
                        00:a4:1d:87:b0:dd:6c:53:85:a7:3e:0d:93:18:d8:fc
                        9d:a4:c3:71:4d:c1:00:74:04:9f:42:e0:83:00:5a:f0
                        4d:9e:20:77:d3:6b:4e:1a:e5:fe:95:06:80:5d:48:33
                        30:0e:d9:15:72:5e:9c:c8:c2:f4:60:59:cb:f2:cc:2d
                        58:45:64:f3:33:1d:62:c5:bd:71:a9:13:fe:89:ba:cc
                        c6:35:8a:22:6e:b4:f5:71:58:79:48:e5:1d:d0:c9:42
                        7d:fc:36:d5:fd:3f:0e:3c:b7:97:f0:e2:ca:7f:84:4f
                        6d:64:42:8b:42:c2:ed:7c:97:eb:37:d8:5a:01:da:39
                        b6:a5:82:b0:a0:cf:af:54:20:fb:6d:4b:a6:b8:83:2a
                        6c:36:2a:32:cd:fc:a6:c8:54:d3:53:29:ad:f6:0b:df
                        bd:a5:44:fa:d4:46:a9:90:53:24:5f:68:fa:cb:94:9d
                        d6:69:16:d6:14:41:9d:65:9b:9d:17:f9:37:4e:c1:3b
                        17:d9:67:8a:de:ad:44:cd:00:cc:13:40:99:a5:e3:a4
                        e2:4c:af:04:1a:4c:cd:b4:75:dd:78:b8:80:d9:43:d5
                        54:1f:3e:f0:8a:17:63:a7:f3:1a:67:ca:a2:06:dc:e7
                        80:52:d1:ea:48:dc:81:45:63:18:cb:76:a1:b1:88:58
                        d9
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Client.
                        TLS WWW Server.
                Subject Alternative Name (not critical):
                        DNSname: node3.example.com
                Subject Key Identifier (not critical):
                        b6c708ceaebf5e2509d57f8fe5cf9ae84d5d7b27
                Authority Key Identifier (not critical):
                        951acec5fda12e4b438d10bb48a5ddcdea33a1f8
Other Information:
        Public Key ID:
                b6c708ceaebf5e2509d57f8fe5cf9ae84d5d7b27
        Public key's random art:
                +--[ RSA 2048]----+
                |        ..       |
                |       .  .      |
                |      .    .     |
                |       . .  . . .|
                |      . S .  . =.|
                |     o o *    ..=|
                |      o + o   Eo=|
                |     . . .   + o=|
                |    .+=.   .o +. |
                +-----------------+

Is the above information ok? (y/N): y


Signing certificate...

So now we have a signed certificates

[root@node2 ~]# ls -l
total 64
-rw-------. 1 root root 1899 Feb 17 17:45 anaconda-ks.cfg
-r--------  1 root root 5813 Apr 16 14:12 ca-key.pem
-rw-r--r--  1 root root 1143 Apr 16 14:16 ca.pem
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Desktop
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Documents
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Downloads
-rw-r--r--. 1 root root    0 Feb 17 17:48 initial-setup-ks.cfg
drwxr-xr-x. 2 root root 4096 Feb 25 21:02 Music
-rw-r--r--  1 root root 1249 Apr 16 14:22 node3-cert.pem
-rw-------  1 root root 5826 Apr 16 14:18 node3-key.pem
-rw-------  1 root root 2513 Apr 16 14:20 node3-request.pem

So next now we can delete node3-request.pem as it is not required any more

[root@node2 ~]# rm -f node3-request.pem

 

Distributing TLS certificates to enable secure remote logging

Next now we must copy these keys (certificates) to our remote node. So before we copy the keys we will create a directory on the server node to store these keys

[root@node3 ~]# mkdir /etc/rsyslog-keys
[root@node3 ~]# cd /etc/rsyslog-keys

Next copy the keys from node2 to node3

[root@node2 ~]# scp node3-*.pem node3:/etc/rsyslog-keys/
The authenticity of host 'node3 ()' can't be established.
ECDSA key fingerprint is SHA256:3RCFjBhKJLtOb78Jv+Yx2IPbwRT5P1hOGw9d08RlGzs.
ECDSA key fingerprint is MD5:b8:f9:09:06:91:48:de:a1:83:29:56:d5:94:3d:a6:d3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node3' (ECDSA) to the list of known hosts.
root@node3's password:
node3-cert.pem                                                                            100% 1249   729.7KB/s   00:00
node3-key.pem                                                                             100% 5826     2.9MB/s   00:00
[root@node2 ~]# scp ca.pem node3:/etc/rsyslog-keys/
root@node3's password:
ca.pem 			                                                                  100% 1249   729.7KB/s   00:00

 

Server configuration to forward syslog securely

Now we need to do some configuration changes on our remote log server (node3) to receive messages from our client (node2) over TCP using TLS certificates.

Create a new file /etc/rsyslog.d/logserver.conf. The name of the file is not important and you can give any name, just make sure the extension of the file is .conf. Dump the below content in this file.

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/node3-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/node3-key.pem

$ModLoad imtcp  # TCP listener
$InputTCPServerStreamDriverMode 1  # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 6514  # start up listener at port 10514

Next install the below rpm (if not installed already), to install /usr/lib64/rsyslog/lmnsd_gtls.so module. Since we are using GTLS driver so this module must be installed on both client and server node.

[root@node3 ~]# yum -y install rsyslog-gnutls

Next restart the rsyslog service

[root@node3 rsyslog.d]# systemctl restart rsyslog

Check the service status

[root@node3 rsyslog.d]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-04-16 15:21:41 IST; 2s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 7822 (rsyslogd)
    Tasks: 8
   CGroup: /system.slice/rsyslog.service
           └─7822 /usr/sbin/rsyslogd -n

Apr 16 15:21:41 node3 systemd[1]: Starting System Logging Service...
Apr 16 15:21:41 node3 rsyslogd[7822]:  [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="7822" x-info="http://ww...] start
Apr 16 15:21:41 node3 systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

So our configuration on the server side is completed, let us go to the client (node2) side to complete our secure remote logging.

 

Client configuration to receive log messages securely

Now let us configure our client (node2) to transfer the logs securely to our remote log server (node3).

The first step would be to create a directory to store our key

[root@node2 ~]# mkdir /etc/rsyslog-keys

Next copy ca.pem to this directory

[root@node2 ~]# cp ca.pem /etc/rsyslog-keys/

Next create a new file inside /etc/rsyslog.d

[root@node2 ~]# vim /etc/rsyslog.d/log-client.conf
# certificate files
$DefaultNetStreamDriverCAFile /etc/rsyslog-keys/ca.pem

# make gtls driver the default
$DefaultNetStreamDriver gtls
$ActionSendStreamDriverMode 1	# run driver in TLS-only mode
$ActionSendStreamDriverAuthMode anon

*.*     @@(o)node3.example.com:6514		# forward everything to remote server

This will forward every syslog message to your remote log server node3

Next install rsyslog-gnutls since we want to load gtls module for the secure remote logging to work.

[root@node2 ~]# yum -y install rsyslog-gnutls

We are all done, now restart the rsyslog service and check the status

[root@node2 ~]# systemctl restart rsyslog

[root@node2 ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-04-16 15:32:10 IST; 4s ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 7784 (rsyslogd)
    Tasks: 3
   CGroup: /system.slice/rsyslog.service
           └─7784 /usr/sbin/rsyslogd -n

Apr 16 15:32:10 node2.example.com systemd[1]: Stopped System Logging Service.
Apr 16 15:32:10 node2.example.com systemd[1]: Starting System Logging Service...
Apr 16 15:32:10 node2.example.com rsyslogd[7784]:  [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="7784...start
Apr 16 15:32:10 node2.example.com systemd[1]: Started System Logging Service.
Hint: Some lines were ellipsized, use -l to show in full.

So we are all done with the configuration.

 

Verify the remote logging

Now we will try to send a dummy message from our server to our client and verify our configuration

[root@node2 ~]# logger "MESSAGE FROM NODE2"

Check the syslog on the server

[root@node3 ~]# less /var/log/messages
Apr 16 17:14:28 node2 root: MESSAGE FROM NODE2

And we have received the message as expected so all seems to work properly.

 

Applying log filter with rsyslog

Now here we are getting all the messages from node2 inside /var/log/messages of our remote log server node3 so logs are getting mixed up, let us filter the logs out and all the logs from node2 would be stored in a different log file.

To achieve this we will create a new file with the filter configuration on our remote log server node3

[root@node3 ~]# cd /etc/rsyslog.d/

[root@node3 rsyslog.d]# cat remotefilter.conf
:fromhost, isequal, "node2.example.com"         /var/log/node2/messages
:fromhost, isequal, "node2.example.com"         ~

Here the syntax itself is quite explanatory, the second line might look little confusing. Here the second line is going to make sure that nothing else will be done with messages that are coming from the server.

Next restart the rsyslog service

[root@node3 rsyslog.d]# systemctl restart rsyslog
[root@node3 rsyslog.d]# systemctl status rsyslog
● rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-04-16 17:22:14 IST; 11min ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 9436 (rsyslogd)
    Tasks: 8
   CGroup: /system.slice/rsyslog.service
           └─9436 /usr/sbin/rsyslogd -n

Apr 16 17:22:14 node3.example.com systemd[1]: Stopped System Logging Service.
Apr 16 17:22:14 node3.example.com systemd[1]: Starting System Logging Service...
Apr 16 17:22:14 node3.example.com rsyslogd[9436]:  [origin software="rsyslogd" swVersion="8.24.0-34.el7" x-pid="9436" x-info="http://www.rsyslog.com"] start
Apr 16 17:22:14 node3.example.com rsyslogd[9436]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.24.0-34.el7 try http://www.rsyslog.com/e/2307 ]
Apr 16 17:22:14 node3.example.com systemd[1]: Started System Logging Service.

Now let us print a message on node2 and let's see if it is received on node3

[root@node2 ~]# logger "MESSAGE FROM NODE2 AGAIN"

And looks like the message is well received in our new location as expected.

[root@node3 rsyslog.d]# cat /var/log/node2/messages
Apr 16 17:22:05 node2 root: MESSAGE FROM NODE2 AGAIN

 

Lastly I hope the steps from the article to configure secure remote logging with rsyslog (TLS certificates) to remote log server on CentOS/RHEL 7 Linux was helpful. So, let me know your suggestions and feedback using the comment section.

 

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

8 thoughts on “Configure secure logging with rsyslog TLS to remote log server (CentOS/RHEL 7)”

  1. How to check the tls handshake regarding this set up After succesfull transfer of syslog messages from client to server? Will it happen?

    Reply
  2. Thanks that worked great.

    If I add more clients to node3, the ca.pem & ca-key.pem I uploaded to node3 from node2 will get overwritten. Can I use ca/ca-key I created on node2 for all my other clients?

    Reply
  3. Do you have any details on how to configure syslog with IPV6. I tried following same steps for cert generation but no luck.

    Thanks in advance.

    Reply
  4. “$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem” Do we need to define the public key of the client which is sending the logs to our syslog server

    Reply
    • Yes, this key file with path must be defined on the client nodes in the rsyslog.conf or additional *.conf file inside /etc/rsyslog.d

      Reply

Leave a Comment