RSyslog over TLS

Hi,

I have been trying to figure out how to contribute to the documentation, but this is how we do it on CentOS 6.

On the Graylog Server, configure an input:

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source:
port: 12450
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false

We bundled the root and intermediate; the order in the file is important.

tls_cert_file: /etc/ssl/your_CA.pem
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: true
tls_key_file: /etc/ssl/private/your_private.key
tls_key_password: ********
use_null_delimiter: false

On the Graylog client:

Install packages:

yum install rsyslog-gnutls
yum install libsemanage-python
yum install policycoreutils-python

Create Spool Directory

mkdir /var/spool/rsyslog
chown root /var/spool/rsyslog

Add rsyslogd Configuration File

Create graylog.conf file in /etc/rsyslog.d directory

Add contents to graylog.conf

Setup disk assisted queues

$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/ssl/your_CA.pem
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.your.company.lcl

*.* @@111.55.200.24:12450;RSYSLOG_SyslogProtocol23Format

Set permissions so root can read

chown root /etc/rsyslog.d/graylog.conf

Add your root CA to /etc/ssl

cp your_CA.pem /etc/ssl/your_CA.pem

Make sure root owns file

chown root /etc/ssl/your_CA.pem

If you have SELinux

View SELinux status

getenforce
Enforcing

View SELinux ports allowed for rsyslog

semanage port -l | grep syslog
syslogd_port_t tcp 6514, 601
syslogd_port_t udp 514, 6514, 601

Add SELinux port

semanage port -a -t syslogd_port_t -p tcp 12450

View SELinux ports allowed for rsyslog and verify your port was added.

semanage port -l | grep syslog
syslogd_port_t tcp 12450, 6514, 601
syslogd_port_t udp 514, 6514, 601

Authorize directories

semanage fcontext -a -t syslog_conf_t "/var/spool/rsyslog/"
semanage fcontext -a -t syslog_conf_t "/etc/rsyslog.d/"
semanage fcontext -a -t syslog_conf_t "/etc/ssl/"
restorecon -R -v /var/spool/rsyslog
restorecon -R -v /etc/rsyslog.d
restorecon -R -v /etc/ssl

Restart rsyslog

service rsyslog restart

Test:

logger TestWithSELinux

Warning!!!

We had a nightmare with our Microsoft certificate authority. You have to make sure that the root CA is added to the Java keystore on the Graylog server, and I also added it to the server's root CAs.

To import the root certificate, we decided to “pollute” the default Java keystore for Graylog.

  1. Make sure the public certificate is in PEM format and is a Linux text file (no Windows characters).
  2. The default trust store of an installed Java runtime environment can be found at $JAVA_HOME/jre/lib/security/cacerts or /etc/ssl/certs/java/cacerts (due to all the symbolic links).
  3. Import:
     keytool -importcert -keystore /etc/ssl/certs/java/cacerts -storepass changeit -alias YourCompany -file your_CA.pem
  4. View the YourCompany root certificate:
     keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep your.company.com