Rsyslog on Raspberry Pi 4

We’re using these devices as a proxy servers (Zabbix Proxy).
I want to ship logs from Pi 4 to Graylog -Server using TLS/TCP.

I’ve posted here in the community for advice on log shippers to use and posted problems I had in the past with using Rsyslog before. I never was able to get rsyslog to work with TLS/TCP sending messages to Graylog server. I tried Nxlog on Pi4 and that was a no go, my Iowait time crashed my device after a couple days. Filebeat on Pi4 work for a few, then about week later my iowait time crashed my device it became unresponsive. Since Rsyslog was enabled my default I decided to use that as my main log shipper. Using inputs UDP or TCP with Rsyslog worked great for weeks, no problems but I want to see if I could encrypt the data with TLS/TCP. I have 10 Virtual Machines using certificates I made on Graylog for years, so I thought I use them with Rsyslog configuration. My goal is to use little as possible on this Pi4.

Graylog Environment.

Graylog 3.3.8+e223f85
MongoDB “version": “4.4.1”
Elasticsearch “6.8.12”
CentOS Linux release 7.8.2003 (Core), 8 CPU’s, 8 GB memory, 1TB HDD (Virtual Machine)

I created a file in “/etc/rsyslog.d/” called graylog.conf and added the following contents in the file. The restarted the rsyslog service.

Rsyslog Configuration.

$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/cert.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/graylog2-certificate.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/graylog2-key.pem
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer  *.enseva-labs.net
@@IPADDRESS:51440;RSYSLOG_SyslogProtocol23Format

Received the following error after restarting rsyslog service.

Oct 23 17:40:12 pi rsyslogd: unexpected GnuTLS error -56 in nsd_gtls.c:228: The requested data were not available.  [v8.2008.0 try https://www.rsyslog.com/e/2078 ]
Oct 23 17:40:12 pi rsyslogd: Connect failed to INIT Session 0 [v8.2008.0 try https://www.rsyslog.com/e/2078 ]
Oct 23 17:40:12 pi rsyslogd: action 'action-0-builtin:omfwd' suspended (module 'builtin:omfwd'), retry 0. There should be messages before this one giving the reason for suspension. [v8.2008.0 try https://www.rsyslog.com/e/2007 ]

I was wondering is anyone was able to get this to work? Tried about two years ago and decided to move to Nxlog which has been proven to be very useful. I’ve been Googling for the past week. Any advice or hidden configuration I missed would be apperciated.
Thanks in advance.

How did you setup Syslog TCP Input for TLS encryption?

@shoothub
Thank you for the reply, and sorry I forgot to post this.

1 Like

These 2 parameters must be the certificate and key of the rsyslog host, not the graylog one.

And do you see any error in graylog’s server.log ?

@frantz
Oh that might be my problem right there. I thought i needed the graylog ones. The only errors I seen was the ones I stated from above. Ill give that a try and thank you.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.