
SSL#

In this tutorial we configure an rsyslog server (192.168.1.10) to receive the logs of all clients over TLS, using certificates issued by our own CA.

graph LR; A(client); B("server - 192.168.1.10"); %% Links A-->B; %% color style A fill:#FFC573 style B fill:#81B4E6

Manage SSL#

Install certtool#

Ubuntu#

# gnutls-bin provides certtool; rsyslog-gnutls provides the gtls netstream driver used in the rsyslog configuration below
apt install gnutls-bin rsyslog-gnutls

CA#

  • create ssl dir:

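    # this directory will hold the CA private key: create it readable by the operator only
    mkdir -m 700 ssl
    cd ssl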
    

  • create the CA private key (it signs every host certificate below — keep it off the log hosts and readable only by whoever operates the CA):

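    # CA private key; --sec-param high requests the same key strength the host keys use below
    certtool --generate-privkey --outfile ./ca-key.pem --sec-param high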
    

  • create the template file template.txt describing the CA certificate:

    • replace __O__, __OU__, __ST__, __COUNTRY__ with your values
      # X.509 Certificate options for the self-signed CA (certtool template)
      #
      # DN options
      
      # The organization of the subject.
      organization = "__O__"
      
      # The organizational unit of the subject.
      unit = "__OU__"
      
      # The state of the certificate owner.
      state = "__ST__"
      
      # The country of the subject. Two letter code, unquoted.
      country = __COUNTRY__
      
      # The common name of the certificate owner.
      cn = "CA"
      
      # The serial number of the certificate. Should be incremented each time a new certificate is generated.
      #serial =
      
      # In how many days, counting from today, this certificate will expire (3650 = about 10 years).
      expiration_days = 3650
      
      # Whether this is a CA certificate or not
      ca
      
      # Whether this key will be used to sign other certificates (the host certificates issued below).
      cert_signing_key
      
      # Whether this key will be used to sign CRLs.
      crl_signing_key
      
  • Generate the self-signed CA certificate:

    # self-sign the CA key using the template above (cn = "CA", ca, cert_signing_key)
    certtool --generate-self-signed \
        --load-privkey ./ca-key.pem \
        --outfile      ./ca.pem \
        --template     ./template.txt
    

Host#

We will create a certificate for the host client-01; repeat this section for each host, including the log server itself (the Server Configuration section below expects server.cert and server.key).

  • create host key:

    # host private key; --sec-param high asks certtool for a key at its "high" security level
    certtool --generate-privkey --outfile "./client-01.key" --sec-param high
    

  • create the template file ./client-01-template.txt describing the host certificate:

    • replace __O__, __OU__, __ST__, __COUNTRY__ with your values
    • replace __HOST__ with the FQDN of the host this certificate is issued to (client-01 here; the server's FQDN when generating the server certificate). This is the name rsyslog checks when certificate-name authentication (x509/name) is enabled, so it must match the name the peer is configured to expect.
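      # X.509 Certificate options for a host certificate (certtool template)
      #
      # DN options
      
      # The organization of the subject.
      organization = "__O__"
      
      # The organizational unit of the subject.
      unit = "__OU__"
      
      # The state of the certificate owner.
      state = "__ST__"
      
      # The country of the subject. Two letter code, unquoted.
      country = __COUNTRY__
      
      # The common name of the certificate owner: the FQDN of the host this
      # certificate is issued to. With rsyslog's x509/name authentication this is
      # the value matched against the PermittedPeer setting of the other side.
      cn = "__HOST__"
      
      # A user id of the certificate owner.
      #uid = "scertowner"
      
      # The serial number of the certificate. Should be incremented each time a new certificate is generated.
      #serial = 007
      
      # In how many days, counting from today, this certificate will expire.
      expiration_days = 3650
      
      # X.509 v3 extensions
      
      # DNS name(s) of the host, carried as a subjectAltName. Modern verifiers
      # prefer the SAN over cn, so it must hold the same FQDN; repeat the line
      # for aliases.
      dns_name = "__HOST__"
      #dns_name = "server_alias.example.com"
      
      # (Optional) Host IP address, only if peers address the host by IP
      #ip_address = "192.168.1.1"
      
      # This template serves both the log server and the clients, so the
      # certificate is marked for both TLS roles.
      tls_www_server
      tls_www_client
      
      # Whether this certificate will be used to encrypt data (needed
      # in TLS RSA ciphersuites). Note that it is preferred to use different
      # keys for encryption and signing.
      #encryption_key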
      
  • Generate the certificate signing request:

    # CSR for client-01, signed with the host key; the subject (cn = __HOST__) comes from the template
    certtool --generate-request \
        --load-privkey ./client-01.key \
        --outfile      ./client-01.req \
        --template     ./client-01-template.txt
    

  • Generate Certificate:

    # issue client-01.cert from the CSR, signed by the CA key; the template supplies
    # expiration_days and the tls_www_server / tls_www_client usage flags
    certtool --generate-certificate \
        --load-request        ./client-01.req \
        --outfile             ./client-01.cert  \
        --load-ca-certificate ./ca.pem \
        --load-ca-privkey     ./ca-key.pem \
        --template            ./client-01-template.txt
    

Server Configuration#

  • Copy the CA certificate and the server's own certificate and key (generated for the server's FQDN with the Host procedure above) into the /etc/rsyslog.d directory:

    # server.cert / server.key are the server's own certificate and key, produced with the
    # Host procedure (cn = the server's FQDN); the Host section above only creates client-01
    cp ca.pem      /etc/rsyslog.d/ca.pem
    cp server.cert /etc/rsyslog.d/cert.pem
    cp server.key  /etc/rsyslog.d/key.pem
    

  • chown the pem files so the rsyslog daemon (user syslog) can read them:

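    # rsyslog must be able to read the files as user syslog
    chown syslog:syslog /etc/rsyslog.d/*.pem
    # the private key must not be readable by other local users
    # (cp keeps whatever mode the source file had)
    chmod 0600 /etc/rsyslog.d/key.pem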
    

  • 10-server.conf

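    # TLS transport for incoming syslog (gtls = GnuTLS netstream driver)
    $DefaultNetstreamDriver         gtls
    $DefaultNetstreamDriverCAFile   /etc/rsyslog.d/ca.pem
    $DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert.pem
    $DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/key.pem
    
    $ModLoad imtcp
    
    $InputTCPServerStreamDriverMode     1    # run driver in TLS-only mode
    # Authenticate clients with the certificates issued above: a client certificate
    # must chain to ca.pem AND carry a permitted name. "anon" skips certificate
    # validation, so any host on the network could inject logs or pose as a client.
    $InputTCPServerStreamDriverAuthMode x509/name
    # one line per client, holding the cn/dns_name from its template;
    # wildcards such as *.example.com are accepted
    $InputTCPServerStreamDriverPermittedPeer __CLIENT_FQDN__
    $InputTCPServerRun                  514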
    

Client Configuration#

  • Copy the CA certificate and the client's certificate and key into the /etc/rsyslog.d directory:

    # client-01.cert / client-01.key were produced in the Host section
    cp ca.pem         /etc/rsyslog.d/ca.pem
    cp client-01.cert /etc/rsyslog.d/cert.pem
    cp client-01.key  /etc/rsyslog.d/key.pem
    

  • chown the pem files so the rsyslog daemon (user syslog) can read them:

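    # rsyslog must be able to read the files as user syslog
    chown syslog:syslog /etc/rsyslog.d/*.pem
    # the private key must not be readable by other local users
    # (cp keeps whatever mode the source file had)
    chmod 0600 /etc/rsyslog.d/key.pem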
    

  • 30-remote.conf

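    $ActionQueueType           LinkedList # use asynchronous processing
    $ActionQueueFileName       srvrfwd1   # set file name, also enables disk mode
    $ActionResumeRetryCount    -1         # infinite retries on insert failure
    $ActionQueueSaveOnShutdown on         # save in-memory data if rsyslog shuts down
    $ActionQueueMaxDiskSpace   1G         # Don't use more than this much space for the queue
    
    # TLS transport to the log server (gtls = GnuTLS netstream driver)
    $DefaultNetstreamDriver         gtls
    $DefaultNetstreamDriverCAFile   /etc/rsyslog.d/ca.pem
    $DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert.pem
    $DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/key.pem
    
    $ActionSendStreamDriverMode     1    # TLS-only
    # Verify the server: its certificate must chain to ca.pem and carry the expected
    # name. With "anon" the client accepts any certificate, so whoever answers on
    # 192.168.1.10:514 could silently collect every log line.
    $ActionSendStreamDriverAuthMode x509/name
    # the cn/dns_name from the server's certificate template
    $ActionSendStreamDriverPermittedPeer __SERVER_FQDN__
    
    *.* @@192.168.1.10:514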
    

Test config#

# -N 1: check the configuration only, the daemon is not started
rsyslogd -N 1 -f /etc/rsyslog.conf

Restart service#

# apply the new configuration (run on the server and on every client)
service rsyslog restart