Rsyslog has the ability to forward/receive encrypted logs using certificates. I am going to go over a very quick and dirty install and configuration. Since I am again sitting in Starbucks and do not have access to my homelab and its abundant resources, I am once again going to use Amazon EC2 instances of RHEL 6.5 for testing. The two instances that I will use we will call Server1 and Server2. Our goal here is not to build out an entire environment, but rather we are just looking to get this working on its most basic level.
Let's start with the log receiver server, as we need to install a couple of packages. The first provides the certtool utility and the second provides the TLS library for rsyslog.
[root@ip-172-31-21-28 ~]# yum -y install gnutls-utils.x86_64 rsyslog-gnutls
Also note that we are going to be looking at some documentation on the remote hosts to make this install and config a bit easier. You are probably going to want to install lynx so you can view the HTML documentation files. On my Server1 instance, the rsyslog docs are in the following directory – /usr/share/doc/rsyslog-5.8.10.
This is the file that you want to take a look at. Below I am using lynx to view it.
lynx tls_cert_server.html
Now let's head on over to the sending server and install our packages again.
[root@ip-172-31-21-28 ~]# yum -y install gnutls-utils.x86_64 rsyslog-gnutls
Grab these bits from the file and modify them to match your system. Then drop them in a file in /etc/rsyslog.d on your rsyslog receiving server. I am calling mine logging.conf.
$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /rsyslog/protected/ca.pem
$DefaultNetstreamDriverCertFile /rsyslog/protected/machine-cert.pem
$DefaultNetstreamDriverKeyFile /rsyslog/protected/machine-key.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 6514 # start up listener at port 6514
Now, from the same file as you used above, grab the following giggly-bits and stick them out on the rsyslog sending server. Modify the file to match your needs and drop it in /etc/rsyslog.d. To keep things simple I am going to call this file logging.conf as well.
# certificate files – just CA for a client
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
*.* @@(o)server.example.net:6514 # send (all) messages; the port must match $InputTCPServerRun on the receiver
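Before moving on to the keys, it is worth checking that the two fragments actually agree with each other: the port the sender forwards to has to be the port the receiver listens on, and a receiver in x509/name mode will refuse a sender that does not present a certificate matching one of its PermittedPeer entries. The script below is an added example, not part of this post or of rsyslog; it parses both legacy-syntax fragments (the sample config text is constructed from the snippets above, and the "fixed" sender config plus the hostname client1.example.net are my own assumptions) and reports the mismatches a practitioner would otherwise discover only in the rsyslog error log.

```python
import re
from typing import Dict, List

# Constructed sample input: the receiver and sender fragments from the post,
# in rsyslog's legacy "$Directive value" syntax with trailing "# comments".
RECEIVER_CONF = """
$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /rsyslog/protected/ca.pem
$DefaultNetstreamDriverCertFile /rsyslog/protected/machine-cert.pem
$DefaultNetstreamDriverKeyFile /rsyslog/protected/machine-key.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 6514 # start up listener at port 6514
"""

SENDER_CONF = """
$DefaultNetstreamDriverCAFile /path/to/contrib/gnutls/ca.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @@(o)server.example.net:10514
"""

# Assumed "fixed" sender: a client cert/key, mutual x509/name auth, matching port.
FIXED_SENDER_CONF = """
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/key.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer server.example.net
*.* @@(o)server.example.net:6514
"""

# "selector @@(options)host:port" forwarding line (TCP).
FORWARD_RE = re.compile(r"^\S+\s+@@(?:\([^)]*\))?(?P<host>[^:\s]+):(?P<port>\d+)")


def parse_legacy(conf: str) -> Dict[str, List[str]]:
    """Parse legacy rsyslog directives, dropping '#' comments. Values are lists
    because a directive may repeat ($ModLoad); TCP forwarding lines are stored
    under the pseudo-key 'forward' as 'host:port'."""
    directives: Dict[str, List[str]] = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$"):
            name, _, value = line.partition(" ")
            directives.setdefault(name, []).append(value.strip())
        else:
            m = FORWARD_RE.match(line)
            if m:
                directives.setdefault("forward", []).append(f"{m['host']}:{m['port']}")
    return directives


def peer_matches(pattern: str, name: str) -> bool:
    """Simple glob match for PermittedPeer: '*' matches any run of characters,
    case-insensitively. Assumed to be enough for the '*.example.net' style used above."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, name, re.IGNORECASE) is not None


def check_pair(receiver: str, sender: str, sender_cert_name: str = "") -> List[str]:
    """Return the problems found between one receiver and one sender fragment.
    sender_cert_name is the name in the sender's certificate, if it has one."""
    r, s = parse_legacy(receiver), parse_legacy(sender)
    problems: List[str] = []
    # A TLS receiver always needs its own CA, cert and key.
    for need in ("$DefaultNetstreamDriverCAFile", "$DefaultNetstreamDriverCertFile",
                 "$DefaultNetstreamDriverKeyFile"):
        if need not in r:
            problems.append(f"receiver is missing {need}")
    listen = set(r.get("$InputTCPServerRun", []))
    for target in s.get("forward", []):
        host, port = target.rsplit(":", 1)
        if port not in listen:
            problems.append(f"sender forwards to {host}:{port} but receiver listens on {sorted(listen) or 'nothing'}")
    if r.get("$InputTCPServerStreamDriverMode", ["0"])[0] == "1" \
            and s.get("$ActionSendStreamDriverMode", ["0"])[0] != "1":
        problems.append("receiver is TLS-only but sender does not require TLS")
    r_auth = r.get("$InputTCPServerStreamDriverAuthMode", ["anon"])[0]
    s_auth = s.get("$ActionSendStreamDriverAuthMode", ["anon"])[0]
    if r_auth.startswith("x509"):
        # x509 modes on the receiver mean the sender must present its own certificate.
        if "$DefaultNetstreamDriverCertFile" not in s or "$DefaultNetstreamDriverKeyFile" not in s:
            problems.append(f"receiver auth mode {r_auth} requires a client certificate, but sender has no CertFile/KeyFile")
        if r_auth == "x509/name":
            peers = r.get("$InputTCPServerStreamDriverPermittedPeer", [])
            if not peers:
                problems.append("x509/name on receiver without any PermittedPeer")
            elif sender_cert_name and not any(peer_matches(p, sender_cert_name) for p in peers):
                problems.append(f"sender cert name {sender_cert_name!r} matches none of PermittedPeer {peers}")
    if s_auth == "anon":
        problems.append("sender auth mode anon does not authenticate the receiver (use x509/name with PermittedPeer)")
    return problems


if __name__ == "__main__":
    for p in check_pair(RECEIVER_CONF, SENDER_CONF):
        print("PROBLEM:", p)
    print("fixed pair:", check_pair(RECEIVER_CONF, FIXED_SENDER_CONF, "client1.example.net") or "ok")
```

Run as-is it flags the port mismatch, the missing client certificate and the anonymous sender for the post's fragments, and reports nothing for the fixed pair.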
Now, let's review where we are. Our config files are in place on our sending server and our receiving server, and we have installed all required packages. Now let's get on to the keys. This is the confusing part, so I will go through my process one step at a time. Once again you can use the built-in documentation to help you get this part right.
Jump on the receiving server and check out the file below via lynx.
lynx tls_cert_ca.html
Jump into your keys directory (create it first if it does not exist yet).
[root@ip-172-31-21-28 ~]# cd /etc/rsyslog-keys/
And run the command below to generate the private key for your CA (Certificate Authority).
[root@ip-172-31-21-28 rsyslog-keys]# certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key…
Now we are going to generate a self-signed cert from our private key.
[root@ip-172-31-21-28 rsyslog-keys]# certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
You will be asked a bunch of questions, but there are only two important ones, shown below. Make sure you answer yes to both of them.
Does the certificate belong to an authority? (y/N): y
Will the certificate be used to sign other certificates? (y/N): y
Now take this CA certificate (ca.pem) and copy it onto the sending server in /etc/rsyslog-keys, or wherever you set your config files to look for it.
Now let's go back to the receiving server so we can generate a private key.
[root@ip-172-31-21-28 rsyslog-keys]# certtool --generate-privkey --outfile key.pem --bits 2048
Generating a 2048 bit RSA private key…
Now let's generate a certificate signing request from that key.
[root@ip-172-31-21-28 rsyslog-keys]# certtool --generate-request --load-privkey key.pem --outfile request.pem
And now let's sign the certificate request and generate a certificate.
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
This one also requires you to answer a bunch of questions. These are the two to answer yes to.
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
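Answering certtool's prompts by hand works once, but it does not repeat well across a fleet of senders, and the name you type into the cert is what rsyslog's x509/name mode compares against PermittedPeer. certtool accepts a --template file whose keywords answer those prompts (ca and cert_signing_key are the two "yes" answers for the CA, tls_www_server and tls_www_client the two for a machine cert). The script below is an added example, not part of this post or of rsyslog; it writes the templates, runs the same five certtool steps as above non-interactively, and locks down the key files. The directory /etc/rsyslog-keys comes from the post; the organization, CA name and hostnames are constructed placeholders, and the "machine" basename is my own choice.

```python
import os
import shutil
import subprocess
from typing import List


def ca_template(org: str, cn: str, days: int = 3650) -> str:
    """certtool template for the self-signed CA. 'ca' and 'cert_signing_key'
    are the template equivalents of the two prompts answered 'yes' in the post."""
    return "\n".join([
        f"organization = {org}",
        f"cn = {cn}",
        f"expiration_days = {days}",
        "ca",
        "cert_signing_key",
    ]) + "\n"


def machine_template(org: str, fqdn: str, days: int = 365) -> str:
    """certtool template for a machine cert. tls_www_server/tls_www_client match
    the two 'yes' prompts; dns_name carries the hostname that the receiver's
    x509/name mode compares against $InputTCPServerStreamDriverPermittedPeer."""
    return "\n".join([
        f"organization = {org}",
        f"cn = {fqdn}",
        f"dns_name = {fqdn}",
        f"expiration_days = {days}",
        "tls_www_server",
        "tls_www_client",
        "signing_key",
        "encryption_key",
    ]) + "\n"


def certtool_commands(keys_dir: str, name: str) -> List[List[str]]:
    """The five certtool invocations from the post, with --template added so
    nothing prompts. 'name' is the basename used for the machine key/request/cert."""
    d = keys_dir
    return [
        ["certtool", "--generate-privkey", "--bits", "2048", "--outfile", f"{d}/ca-key.pem"],
        ["certtool", "--generate-self-signed", "--load-privkey", f"{d}/ca-key.pem",
         "--template", f"{d}/ca.tmpl", "--outfile", f"{d}/ca.pem"],
        ["certtool", "--generate-privkey", "--bits", "2048", "--outfile", f"{d}/{name}-key.pem"],
        ["certtool", "--generate-request", "--load-privkey", f"{d}/{name}-key.pem",
         "--template", f"{d}/{name}.tmpl", "--outfile", f"{d}/{name}-request.pem"],
        ["certtool", "--generate-certificate", "--load-request", f"{d}/{name}-request.pem",
         "--load-ca-certificate", f"{d}/ca.pem", "--load-ca-privkey", f"{d}/ca-key.pem",
         "--template", f"{d}/{name}.tmpl", "--outfile", f"{d}/{name}-cert.pem"],
    ]


def run_pipeline(keys_dir: str, org: str, ca_cn: str, fqdn: str, name: str = "machine") -> bool:
    """Write both templates and run certtool. Returns False without doing anything
    when certtool is not installed, so the caller can report that instead of crashing."""
    if shutil.which("certtool") is None:
        return False
    os.makedirs(keys_dir, mode=0o700, exist_ok=True)
    with open(f"{keys_dir}/ca.tmpl", "w") as f:
        f.write(ca_template(org, ca_cn))
    with open(f"{keys_dir}/{name}.tmpl", "w") as f:
        f.write(machine_template(org, fqdn))
    for cmd in certtool_commands(keys_dir, name):
        subprocess.run(cmd, check=True)
    # Private keys are readable by root only; rsyslog reads them as root at startup.
    os.chmod(f"{keys_dir}/ca-key.pem", 0o600)
    os.chmod(f"{keys_dir}/{name}-key.pem", 0o600)
    return True


if __name__ == "__main__":
    # Constructed placeholder names; replace with your own org and hostnames.
    done = run_pipeline("/etc/rsyslog-keys", "Example Org", "rsyslog CA", "server.example.net")
    print("certificates generated" if done else "certtool not installed; nothing generated")
```

Run it once on the receiver for the server cert, then once per sender with that host's FQDN in dns_name so that *.example.net on the receiver actually matches; copy only ca.pem to the senders, never ca-key.pem.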
Now at this point you should be able to start rsyslog on each server. Using the logger command on your sending server, you should be able to send a message to your local syslog and see it forwarded to the receiver.