Encrypt traffic from rsyslog

Hello,

I managed to encrypt the data to a Windows client, but I cannot manage it with a Linux server.

In the rsyslog configuration file (/etc/rsyslog.conf), I added these 2 elements:

$DefaultNetstreamDriverCertFile /etc/ssl/certificats/cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certificats/pkcs8-plain.pem

And on my Graylog input, I've put this:

TLS cert file: /etc/graylog/server/certificats/cert.pem
TLS private key file: /etc/graylog/server/certificats/pkcs8-plain.pem
Enable TLS

I cannot receive logs anymore.

Thanks in advance

What’s in the logs of all relevant components?

There is authentication information and the health of the server.

Do you have an idea for the configuration?

We won’t be able to help you if you don’t provide the requested information.

I don't understand your previous question; it's not clear to me. I gave you an answer.

Post the complete logs and the complete configuration of the relevant components (i.e. rsyslog and the Graylog input you're using).

I have this on my Graylog server:

2018-06-19T12:12:46.527+02:00 ERROR [NettyTransport] Error in Input [Syslog TCP/5b1fd7b009908a03a9386c0c] (channel [id: 0xa75fe695, /IP_addresse_client:36580 => /graylog_server_IP_address:5514])
org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: …
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:857) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[graylog.jar:?]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [graylog.jar:?]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]

In my configuration file on Linux (rsyslog.conf):

$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

$DefaultNetstreamDriverCertFile /etc/ssl/certificats/cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certificats/pkcs8-plain.pem

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
kern.* @@ip_address_graylog_server:5514
authpriv.* @@ip_address_graylog_server:5514
local7.* @@ip_address_graylog_server:5514
# ### end of the forwarding rule ###

You’re missing the configuration snippets in /etc/rsyslog.d/*.conf.

You can check with Wireshark or tcpdump whether rsyslog really sends log messages over TCP with TLS to Graylog.

Before, I checked with Wireshark, but I see that the frames are unencrypted.

In the configuration file (/etc/rsyslog.d/listen.conf), I have this:

$SystemLogSocketName /run/systemd/journal/syslog

On my client I have this:

1 0.000000000 IP_address_client → IP_address_graylog_server TCP 74 36592 > 5514 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=427970991 TSecr=0 WS=128
2 0.000383803 IP_address_graylog_server → IP_address_client TCP 74 5514 > 36592 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=107376632 TSecr=427970991 WS=4
3 0.000422647 IP_address_client → IP_address_graylog_server TCP 66 36592 > 5514 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=427970991 TSecr=107376632
4 0.000504084 IP_address_client → IP_address_graylog_server TCP 156 36592 > 5514 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=90 TSval=427970991 TSecr=107376632
5 0.000670962 IP_address_graylog_server → IP_address_client TCP 66 5514 > 36592 [ACK] Seq=1 Ack=91 Win=28960 Len=0 TSval=107376632 TSecr=427970991
6 0.007802258 IP_address_graylog_server → IP_address_client TCP 66 5514 > 36592 [FIN, ACK] Seq=1 Ack=91 Win=28960 Len=0 TSval=107376639 TSecr=427970991
7 0.007855835 IP_address_client → IP_address_graylog_server TCP 66 36592 > 5514 [ACK] Seq=91 Ack=2 Win=29312 Len=0 TSval=427970999 TSecr=107376639

Check out https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html and https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html for instructions on how to enable TLS in rsyslog.

Yes, but it's just for creating a certificate. The certificate and the keys are already present, because they were created to use Graylog over HTTPS.

No, it’s not. Read the documentation.

Yes, I see, but I've already done that, and it's for a client and server using rsyslog.

At least your rsyslogd has to be configured accordingly. Graylog’s syslog input is just a syslog server…

I know, but we don't have the same options in the server and client parts.

Please elaborate on that.

The two documents are for configuring encrypted sending of data between an rsyslog server and client. The different options present in the server configuration files are not present in the Graylog configuration.

While that’s a strange thing to say, you’re of course correct. Graylog is not rsyslog.

This being said, you could start with configuring the rsyslog client correctly. :roll_eyes:
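The client-side rsyslog configuration the replies keep pointing at, as an added example that is not from the thread and not rsyslog's or Graylog's own code. The two directives the poster used only tell rsyslog where a certificate and key live; the forwarding action still uses the plain TCP driver unless `$DefaultNetstreamDriver gtls` and `$ActionSendStreamDriverMode 1` are set, which is why the capture shows cleartext and Graylog logs `NotSslRecordException`. Port 5514 and the cert/key paths are taken from the thread; the host name `graylog.example.internal` and the CA file path are assumed placeholders. `check_rsyslog_tls` is a hypothetical helper, not an rsyslog tool, that lists which of the legacy-syntax TLS directives a config file lacks; run against the rsyslog.conf posted above it would report all four.

```shell
#!/bin/sh
# Added example, not part of the thread: a client-side rsyslog configuration
# that forwards over TCP with TLS via the gtls netstream driver, plus a check
# that flags a config which sets cert/key paths without enabling TLS.
# Host name and CA path are placeholders (assumed); port and cert/key paths
# are the ones used in the thread.

# Write a minimal TLS forwarding configuration to the file named in $1.
write_tls_forwarding_conf() {
    cat > "$1" <<'EOF'
# Use GnuTLS for outgoing network streams. Without this line the cert/key
# directives below have no effect and "@@" sends plaintext syslog over TCP.
$DefaultNetstreamDriver gtls
# CA that signed the certificate presented by the Graylog input (assumed path)
$DefaultNetstreamDriverCAFile /etc/ssl/certificats/ca.pem
# Client certificate and key; only used if the server requests client auth
$DefaultNetstreamDriverCertFile /etc/ssl/certificats/cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certificats/pkcs8-plain.pem

# Mode 1 = TLS only. x509/name verifies the server certificate against the
# CA above and checks that its name matches the permitted peer.
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer graylog.example.internal
# Forward everything over TCP (@@) to the Graylog syslog TLS input on 5514
*.* @@graylog.example.internal:5514
EOF
}

# Return 0 when the config enables TLS forwarding; otherwise print each
# missing directive and return 1. Only legacy "$Directive value" syntax is
# inspected, matching the style of the config posted in the thread.
check_rsyslog_tls() {
    conf="$1"
    missing=0
    require() {
        grep -Eq "$1" "$conf" || { echo "missing: $2"; missing=1; }
    }
    require '^\$DefaultNetstreamDriver[[:space:]]+gtls' \
            '$DefaultNetstreamDriver gtls'
    require '^\$DefaultNetstreamDriverCAFile[[:space:]]+' \
            '$DefaultNetstreamDriverCAFile <ca.pem>'
    require '^\$ActionSendStreamDriverMode[[:space:]]+1' \
            '$ActionSendStreamDriverMode 1'
    require '^\$ActionSendStreamDriverAuthMode[[:space:]]+' \
            '$ActionSendStreamDriverAuthMode <anon|x509/certvalid|x509/name>'
    return $missing
}

# Demo: write the sample config to a temporary file and check it.
demo_conf=$(mktemp)
write_tls_forwarding_conf "$demo_conf"
if check_rsyslog_tls "$demo_conf"; then
    echo "TLS forwarding is enabled in $demo_conf"
fi
rm -f "$demo_conf"
```

With `x509/name` the certificate served by the Graylog input must be signed by the CA named in `$DefaultNetstreamDriverCAFile` and must carry the permitted peer name in its subject or SAN; a certificate generated only for the web interface's HTTPS will fail that check unless it was issued for the same host name. Drop to `x509/certvalid` or `anon` only while debugging, since those modes weaken or remove server authentication.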