諸サーバの引っ越し・統合にともなう syslog 収集設定周りの備忘走り書き。
- Legacy BSD (RFC3164)のフォーマット: PRI(facility & severity) HEADER(timestamp & hostname) MSG(program[pid]:…)
- new IETF (RFC5424)のフォーマット: HEADER(facility & severity, timestamp, hostname, appname, pid, …) STRUCTURED-DATA MSG
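# syslog-ng (as a syslog forwarder on FreeBSD)
#
# Collects the local sockets, the kernel log and plain UDP syslog, and ships
# everything to the collector "syslog.test" over TLS.  The log { } statement
# that joins source(src) to destination(loghost) is not part of this snippet.

source src {
    internal();
    # local sockets; the "FreeBSD < 12" variants below differ only in not
    # setting syslog-protocol (RFC5424 parsing) on the same three sockets
    unix-dgram("/var/run/log" flags(assume-utf8,syslog-protocol));
    unix-dgram("/var/run/logpriv" perm(0600) flags(assume-utf8,syslog-protocol));
    unix-dgram("/var/named/var/run/log" flags(assume-utf8,syslog-protocol));
    #syslog(transport("udp") flags(assume-utf8));
    # plain UDP/514 on every address: unauthenticated and trivially spoofable,
    # so limit who can reach it (host firewall, or bind with ip() to an
    # internal address) if anything besides this host is expected to send here
    network(transport("udp") flags(assume-utf8));
    # FreeBSD < 12
    #unix-dgram("/var/run/log" flags(assume-utf8));
    #unix-dgram("/var/run/logpriv" perm(0600) flags(assume-utf8));
    #unix-dgram("/var/named/var/run/log" flags(assume-utf8));
    #network(transport("udp") flags(assume-utf8));
    file("/dev/klog" flags(assume-utf8,kernel));
};  # terminating ';' added for consistency with the collector config

destination loghost {
    # -> syslog-ng RFC5424 over TLS
    syslog("syslog.test" port(5424) transport("tls")
        tls(
            # required-trusted: the collector must present a certificate that
            # chains to a CA under ca-dir(); forwarding stops rather than
            # falling back to plaintext if it cannot be verified
            peer-verify(required-trusted)
            # See: https://www.google.com/search?q=%22Configuring+TLS+on+the+syslog-ng+clients%22
            ca-dir('/etc/ssl/certs/CA/')
        )
    );
    # -> rsyslog RFC3164
    #network("syslog.test" port(3164) transport(tls)
    #    tls(
    #        peer-verify(required-trusted)
    #        # See: https://www.google.com/search?q=%22Configuring+TLS+on+the+syslog-ng+clients%22
    #        ca-dir ('/etc/ssl/certs/CA/')
    #    )
    #);
};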
# rsyslog (as a syslog forwarder on Ubuntu GNU/Linux 18)
#
# Local inputs (unix socket, UDP/514, kernel log) are forwarded to the
# collector "syslog.test" over TLS in RFC5424 format.

module(load="imuxsock")
module(load="imudp")
# no address= given, so this binds every interface; UDP syslog carries no
# authentication, restrict reachability if other hosts are not meant to send here
input(type="imudp" port="514")
module(load="imklog" permitnonkernelfacility="on")

global(
    # trust anchor for the TLS connection below: the whole distro CA bundle
    DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
)

action(
    type="omfwd"
    # -> syslog-ng RFC5424
    target="syslog.test" port="5424" protocol="tcp"
    TCP_Framing="octet-counted"
    template="RSYSLOG_SyslogProtocol23Format"
    ## -> syslog-ng RFC3164
    #target="syslog.test" port="3164" protocol="tcp"  # RSYSLOG_TraditionalForwardFormat
    ## -> rsyslog
    #target="syslog.test" port="3164" protocol="tcp" template="RSYSLOG_ForwardFormat"
    StreamDriver="gtls"
    StreamDriverMode="1"              # TLS only, never plaintext
    StreamDriverAuthMode="x509/name"
    # FIXME: usage of wildcard cert.  Combined with the public CA bundle above,
    # any certificate for some *.test name issued by any of those CAs satisfies
    # this check; a private CA as DefaultNetstreamDriverCAFile, or
    # x509/fingerprint auth, would pin it to the one collector.
    StreamDriverPermittedPeers="*.test"
)

# BSD compatibility
#security.*
:syslogfacility,isequal,"13" action(
    type="omfile" File="/var/log/security"
    dirGroup="adm" dirCreateMode="0750"
    fileGroup="adm" FileCreateMode="0640"
)
# syslog-ng (as a syslog collector on FreeBSD)
#
# Same local sources as the forwarder, plus two TLS listeners for remote
# forwarders: RFC5424 on 5424 and RFC3164 on 3164.

source src {
    internal();
    # local sockets; the "FreeBSD < 12" variants below differ only in not
    # setting syslog-protocol (RFC5424 parsing)
    unix-dgram("/var/run/log" flags(assume-utf8,syslog-protocol));
    unix-dgram("/var/run/logpriv" perm(0600) flags(assume-utf8,syslog-protocol));
    unix-dgram("/var/named/var/run/log" flags(assume-utf8,syslog-protocol));
    #syslog(transport("udp") flags(assume-utf8));
    # plain UDP/514 on every address: unauthenticated and spoofable
    network(transport("udp") flags(assume-utf8));
    # FreeBSD < 12
    #unix-dgram("/var/run/log" flags(assume-utf8));
    #unix-dgram("/var/run/logpriv" perm(0600) flags(assume-utf8));
    #unix-dgram("/var/named/var/run/log" flags(assume-utf8));
    #network(transport("udp") flags(assume-utf8));
    file("/dev/klog" flags(assume-utf8,kernel));

    # RFC5424 / TLS
    syslog(flags(assume-utf8) port(5424) transport(tls)
        tls(
            # optional-untrusted: a client certificate is neither required nor
            # checked, so TLS here protects the transport only and any host
            # that can reach this port may submit messages.  ca-dir()/crl-dir()
            # do not restrict clients under this setting; required-trusted
            # (which the forwarder configs are already prepared for) would.
            peer-verify(optional-untrusted)
            # See: https://www.google.com/search?q=%22Configuring+TLS+on+the+syslog-ng+clients%22
            ca-dir ('/etc/ssl/certs/CA/')
            crl-dir ('/etc/ssl/certs/CA/')
            key-file ('/usr/local/etc/letsencrypt/live/syslog.test/privkey.pem')
            # fullchain_param.pem — presumably fullchain.pem with DH parameters appended; verify
            #cert-file('/usr/local/etc/letsencrypt/live/syslog.test/fullchain.pem')
            cert-file('/var/letsencrypt/live/syslog.test/fullchain_param.pem')
        )
    );
    # RFC3164 / TLS (same key material and the same peer policy as above)
    network(flags(assume-utf8) port(3164) transport(tls)
        tls(
            peer-verify(optional-untrusted)
            # See: https://www.google.com/search?q=%22Configuring+TLS+on+the+syslog-ng+clients%22
            ca-dir ('/etc/ssl/certs/CA/')
            crl-dir ('/etc/ssl/certs/CA/')
            key-file ('/usr/local/etc/letsencrypt/live/syslog.test/privkey.pem')
            #cert-file('/usr/local/etc/letsencrypt/live/syslog.test/fullchain.pem')
            cert-file('/var/letsencrypt/live/syslog.test/fullchain_param.pem')
        )
    );
};
# rsyslog (as a syslog collector on Ubuntu GNU/Linux 18)
#
# rsyslog 8.32 does not send intermediate certs when it terminates TLS itself
# (https://github.com/rsyslog/rsyslog/pull/2763), so a socat front-end
# terminates TLS and relays plaintext to the loopback imtcp input below.

global(
    DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
    # does not send intermediate certs... -> socat
    #DefaultNetstreamDriverKeyFile="/usr/local/etc/letsencrypt/live/syslog.test/privkey.pem"
    #DefaultNetstreamDriverCertFile="/usr/local/etc/letsencrypt/live/syslog.test/fullchain.pem"
    #DefaultNetstreamDriverCertFile="/var/letsencrypt/live/syslog.test/fullchain_param.pem"
)

module(
    load="imtcp"
    NotifyOnConnectionClose="on"
    # does not send intermediate certs... -> socat
    #StreamDriver.Name="gtls"
    #StreamDriver.Mode="1"          # run driver in TLS-only mode
    #StreamDriver.AuthMode="anon"
)
# plaintext, loopback only: the socat relay is the intended client, but any
# local process can connect here as well, and rsyslog sees 127.0.0.1 as the
# peer rather than the original sender's address
input(type="imtcp" address="127.0.0.1" port="514")

# BSD compatibility
#security.*
:syslogfacility,isequal,"13" action(
    type="omfile" File="/var/log/security"
    dirGroup="adm" dirCreateMode="0750"
    fileGroup="adm" FileCreateMode="0640"
)
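#!/bin/sh
# socat-rsyslog.sh — rc-style wrapper running socat as a TLS front-end for
# rsyslog's plaintext imtcp listener on 127.0.0.1:514 (rsyslog 8.32 cannot
# present intermediate certificates itself, so TLS is terminated here).
#
# Usage: socat-rsyslog.sh start|stop|restart|status
# daemonize(1) writes the pid of socat to $PIDFILE, named after this script.

umask 077                     # pid file and anything socat creates are owner-only
PATH='/bin:/usr/bin:/sbin:/usr/sbin'

BN=$(/usr/bin/basename "$0" .sh)
PIDFILE="/var/run/$BN.pid"

# TLS listener on every IPv4 address.  verify=0: client certificates are neither
# required nor checked, so cafile= plays no part in authenticating peers and any
# host that can reach 8514 may inject log lines; limit reachability with a
# host firewall.
LISTEN='OPENSSL-LISTEN:8514,pf=ip4,reuseaddr,fork,verify=0,cafile=/etc/ssl/certs/ca-certificates.crt,key=/usr/local/etc/letsencrypt/live/oh.akkan.be/privkey.pem,certificate=/var/db/ssl/letsencrypt/live/oh.akkan.be/fullchain_param.pem'
# plaintext hop to the local rsyslog imtcp input, loopback only
FORWARD='TCP4:[127.0.0.1]:514'

# Prints the pid recorded in $PIDFILE if that process still exists;
# prints nothing (and exits non-zero) when the file is missing or stale.
running_pid() {
    pgrep -F "$PIDFILE" 2>/dev/null
}

case "$1" in
start)
    daemonize -c /tmp -p "$PIDFILE" /usr/bin/socat -d -ly "$LISTEN" "$FORWARD"
    ;;
stop)
    pkill -F "$PIDFILE"
    ;;
restart)
    "$0" stop
    # pkill only sends the signal; wait (bounded) for the old socat to release
    # port 8514 so the fresh listener does not fail to bind
    i=0
    while [ "$i" -lt 10 ] && [ -n "$(running_pid)" ]; do
        sleep 1
        i=$((i + 1))
    done
    "$0" start
    ;;
*)
    # status (or any unknown argument): show the daemon; non-zero when absent
    # instead of calling ps with an empty pid list
    pid=$(running_pid)
    if [ -n "$pid" ]; then
        ps -fp "$pid"
    else
        echo "$BN: not running" >&2
        exit 1
    fi
    ;;
esac
# end of file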
# socat-rsyslog.service — runs the socat TLS front-end (socat-rsyslog.sh)
# that terminates TLS on 8514 and relays to rsyslog on 127.0.0.1:514.
[Unit]
# NOTE(review): the relay only works once rsyslog listens on 127.0.0.1:514;
# syslog.target is not provided by every systemd release, so an explicit
# After=rsyslog.service may be the intended ordering — confirm on the host.
After=syslog.target network.target

[Service]
# the script daemonizes socat itself and records its pid in PIDFile
Type=forking
PIDFile=/var/run/socat-rsyslog.pid
ExecStart=/usr/local/etc/socat/socat-rsyslog.sh start
ExecStop=/usr/local/etc/socat/socat-rsyslog.sh stop
# no Restart= is set: if socat dies, the TLS listener stays down until
# someone restarts the unit (remote forwarders then cannot deliver)

[Install]
WantedBy=multi-user.target
# Two loopback imtcp inputs: everything arriving on 514 is forwarded,
# while the input named "nofwd" on 55514 is kept local.
input(type="imtcp" address="127.0.0.1" port="514")
# name not to forward this specific input
input(type="imtcp" address="127.0.0.1" port="55514" name="nofwd")
# forward other than above (property filter on the input's name)
:inputname,!isequal,"nofwd" action(type="omfwd" ...
# rsyslog on Ubuntu GNU/Linux 18: dumping into PostgreSQL.
# The schema and this file are automagically created by the installation script.
module (load="ompgsql")
# the database password is stored in clear text here, so this file should be
# readable by the rsyslog user only (check its mode after the installer runs)
*.* action(type="ompgsql" server="localhost" db="Syslog" uid="rsyslog" pwd="...")