[SOLVED] Rsyslog - issues GTLS module not found and other

So, HTTPS is in and I can access the server, web works BUT, something is f*cked up still.

The inputs cannot start.
Rsyslog also has some issues.
I presume the error is not accurate as I installed the GTLS module:
sudo apt-get update -y
sudo apt-get install -y gnutls-bin

############
Rsyslog config
############


# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
~
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/iptor/wildcard.......pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/iptor/wildcard.........pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certs/iptor/pkcs8-encrypted.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer 10........39
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* -/var/log/NAM_audits.log;ForwardFormat

################
RSYSLOG ERROR
################


Oct 05 12:18:07  rsyslogd[2897]: warning: ~ action is deprecated, consider using the 'stop' statement instead [v8.2001.0 try https://www.rsyslog.com/e/2307 ]
Oct 05 12:18:07 rsyslogd[2897]: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' (fd 3) from systemd.  [v8.2001.0]
Oct 05 12:18:07 rsyslogd[2897]: could not load module 'lmnsd_gtls', errors: trying to load module /usr/lib/x86_64-linux-gnu/rsyslog/lmnsd_gtls.so: /usr/lib/x86_64-linux-gnu/rsyslog/lmnsd_gtls.so: cannot open shared object file: No such file or directory [v8.2001.0>
Oct 05 12:18:07  rsyslogd[2897]: tcpsrv could not create listener (inputname: 'imtcp') [v8.2001.0 try https://www.rsyslog.com/e/2066 ]
Oct 05 12:18:07  rsyslogd[2897]: activation of module imtcp failed [v8.2001.0 try https://www.rsyslog.com/e/2066 ]
Oct 05 12:18:07 rsyslogd[2897]: rsyslogd's groupid changed to 110
Oct 05 12:18:07  rsyslogd[2897]: rsyslogd's userid changed to 104
Oct 05 12:18:07 rsyslogd[2897]: [origin software="rsyslogd" swVersion="8.2001.0" x-pid="2897" x-info="https://www.rsyslog.com"] start

#########
tail to server.log
#########


2022-10-05T12:23:49.668Z ERROR [EventProcessorExecutionJob] Event processor <aggregation-v1/6331812e3b6ca966a645265a> failed to execute: Couldn't create events for: EventDefinitionDto{id=6331812e3b6ca966a645265a, title=windows administrators, description=, priority=2, alert=false, config=AggregationEventProcessorConfig{type=aggregation-v1, query=Administrators, queryParameters=[], streams=[], groupBy=[], series=[], conditions=Optional[AggregationConditions{expression=Optional.empty}], searchWithinMs=3600000, executeEveryMs=60000}, fieldSpec={}, keySpec=[], notificationSettings=EventNotificationSettings{gracePeriodMs=0, backlogSize=0}, notifications=[], storage=[Config{type=persist-to-streams-v1, streams=[000000000000000000000002]}]} (retry in 5000 ms)
org.graylog.events.processor.EventProcessorException: Couldn't create events for: EventDefinitionDto{id=6331812e3b6ca966a645265a, title=windows administrators, description=, priority=2, alert=false, config=AggregationEventProcessorConfig{type=aggregation-v1, query=Administrators, queryParameters=[], streams=[], groupBy=[], series=[], conditions=Optional[AggregationConditions{expression=Optional.empty}], searchWithinMs=3600000, executeEveryMs=60000}, fieldSpec={}, keySpec=[], notificationSettings=EventNotificationSettings{gracePeriodMs=0, backlogSize=0}, notifications=[], storage=[Config{type=persist-to-streams-v1, streams=[000000000000000000000002]}]}
        at org.graylog.events.processor.EventProcessorEngine.execute(EventProcessorEngine.java:106) ~[graylog.jar:?]
        at org.graylog.events.processor.EventProcessorExecutionJob.execute(EventProcessorExecutionJob.java:115) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.executeJob(JobExecutionEngine.java:166) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.lambda$handleTrigger$2(JobExecutionEngine.java:144) ~[graylog.jar:?]
        at com.codahale.metrics.Timer.time(Timer.java:151) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.handleTrigger(JobExecutionEngine.java:144) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.lambda$execute$0(JobExecutionEngine.java:119) ~[graylog.jar:?]
        at org.graylog.scheduler.worker.JobWorkerPool.lambda$execute$0(JobWorkerPool.java:110) ~[graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_342]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_342]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:750) [?:1.8.0_342]
Caused by: org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException: Unable to perform scroll search
        at org.graylog.storage.elasticsearch7.ElasticsearchClient.exceptionFrom(ElasticsearchClient.java:140) ~[?:?]
        at org.graylog.storage.elasticsearch7.ElasticsearchClient.execute(ElasticsearchClient.java:100) ~[?:?]
        at org.graylog.storage.elasticsearch7.ElasticsearchClient.singleSearch(ElasticsearchClient.java:66) ~[?:?]
        at org.graylog.storage.elasticsearch7.Scroll.scroll(Scroll.java:51) ~[?:?]
        at org.graylog.storage.elasticsearch7.MoreSearchAdapterES7.scrollEvents(MoreSearchAdapterES7.java:139) ~[?:?]
        at org.graylog.events.search.MoreSearch.scrollQuery(MoreSearch.java:147) ~[graylog.jar:?]
        at org.graylog.events.processor.aggregation.AggregationEventProcessor.filterSearch(AggregationEventProcessor.java:230) ~[graylog.jar:?]
        at org.graylog.events.processor.aggregation.AggregationEventProcessor.createEvents(AggregationEventProcessor.java:125) ~[graylog.jar:?]
        at org.graylog.events.processor.EventProcessorEngine.execute(EventProcessorEngine.java:92) ~[graylog.jar:?]
        ... 12 more
Caused by: java.io.IOException: Unrecognized SSL message, plaintext connection?
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:854) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestClient.performRequest(RestClient.java:259) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestClient.performRequest(RestClient.java:246) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1613) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1583) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1553) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.search(RestHighLevelClient.java:1069) ~[?:?]
        at org.graylog.storage.elasticsearch7.ElasticsearchClient.lambda$singleSearch$1(ElasticsearchClient.java:66) ~[?:?]
        at org.graylog.storage.elasticsearch7.ElasticsearchClient.execute(ElasticsearchClient.java:98) ~[?:?]
        at org.graylog.storage.elasticsearch7.ElasticsearchClient.singleSearch(ElasticsearchClient.java:66) ~[?:?]
        at org.graylog.storage.elasticsearch7.Scroll.scroll(Scroll.java:51) ~[?:?]
        at org.graylog.storage.elasticsearch7.MoreSearchAdapterES7.scrollEvents(MoreSearchAdapterES7.java:139) ~[?:?]
        at org.graylog.events.search.MoreSearch.scrollQuery(MoreSearch.java:147) ~[graylog.jar:?]
        at org.graylog.events.processor.aggregation.AggregationEventProcessor.filterSearch(AggregationEventProcessor.java:230) ~[graylog.jar:?]
        at org.graylog.events.processor.aggregation.AggregationEventProcessor.createEvents(AggregationEventProcessor.java:125) ~[graylog.jar:?]
        at org.graylog.events.processor.EventProcessorEngine.execute(EventProcessorEngine.java:92) ~[graylog.jar:?]
        ... 12 more
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
        at sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:146) ~[?:1.8.0_342]
        at sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64) ~[?:1.8.0_342]
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:488) ~[?:1.8.0_342]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:411) ~[?:1.8.0_342]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:390) ~[?:1.8.0_342]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:626) ~[?:1.8.0_342]
        at org.graylog.shaded.elasticsearch7.org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:275) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:321) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:523) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591) ~[?:?]
        ... 1 more
2022-10-05T12:23:50.662Z WARN  [ProxiedResource] Unable to call https://10.204.68.39:9000/api/system/metrics/multiple on node <59f5d6b1-5a23-4e5e-9c3f-28c5f4eefee6>: Hostname 10.204.68.39 not verified:
    certificate: sha256/7Cy9uHhnCqXW5cBQ0gdfY/BB4VkGdV6QOoYSjwY8DqU=
    DN: CN=*.int.iptor.cloud
    subjectAltNames: [*.int.iptor.cloud, int.iptor.cloud]
2022-10-05T12:23:51.064Z ERROR [Messages] Caught exception during bulk indexing: ElasticsearchException{message=ElasticsearchException[An error occurred: ]; nested: IOException[Unrecognized SSL message, plaintext connection?]; nested: SSLException[Unrecognized SSL message, plaintext connection?];, errorDetails=[]}, retrying (attempt #43).
2022-10-05T12:23:51.683Z WARN  [ProxiedResource] Unable to call https://10.204.68.39:9000/api/system/inputstates on node <59f5d6b1-5a23-4e5e-9c3f-28c5f4eefee6>: Hostname 10.204.68.39 not verified:
    certificate: sha256/7Cy9uHhnCqXW5cBQ0gdfY/BB4VkGdV6QOoYSjwY8DqU=
    DN: CN=*.int.iptor.cloud
    subjectAltNames: [*.int.iptor.cloud, int.iptor.cloud]

SOLVED:

image
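
The rsyslog error above names a missing file, lmnsd_gtls.so, which is rsyslog's own netstream driver module; on Debian and Ubuntu it is shipped by the rsyslog-gnutls package, while gnutls-bin only provides the GnuTLS command-line tools. The following check is an added example, not part of the original post: it reads the driver name from a config file and confirms the matching module exists. The function names, the temporary paths and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the netstream
# driver named in an rsyslog config has its loadable module on disk.

# Print the driver set by "$DefaultNetstreamDriver <name>" (legacy syntax) or
# DefaultNetstreamDriver="<name>" (global() syntax); prints nothing if unset.
# Matching is case-sensitive, which is a simplification of this sketch.
configured_driver() {
    sed -n \
        -e 's/^[[:space:]]*\$DefaultNetstreamDriver[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*/\1/p' \
        -e 's/^[^#]*DefaultNetstreamDriver="\([A-Za-z0-9_]\{1,\}\)".*/\1/p' \
        "$1" | tail -n 1
}

# Return 0 if lmnsd_<driver>.so exists in the module directory, 1 if it is
# missing, 2 if the config names no driver.
check_netstream_driver() {
    conf=$1
    moddir=${2:-/usr/lib/x86_64-linux-gnu/rsyslog}   # default taken from the error in the post
    drv=$(configured_driver "$conf")
    if [ -z "$drv" ]; then
        echo "no netstream driver configured in $conf"
        return 2
    fi
    if [ -f "$moddir/lmnsd_${drv}.so" ]; then
        echo "ok: $moddir/lmnsd_${drv}.so"
        return 0
    fi
    echo "missing: $moddir/lmnsd_${drv}.so (imtcp TLS listeners will not start)"
    return 1
}

# Constructed demo: a config fragment like the one in the post and an empty
# module directory, so the check reports the module as missing.
demo() {
    tmp=$(mktemp -d) || return 3
    mkdir "$tmp/mods"
    printf '%s\n' '$DefaultNetstreamDriver gtls' \
        '$DefaultNetstreamDriverCAFile /etc/ssl/certs/example/ca.pem' \
        '$InputTCPServerStreamDriverMode 1' > "$tmp/rsyslog.conf"
    check_netstream_driver "$tmp/rsyslog.conf" "$tmp/mods"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "demo exit status: $?"
```

On a real host, run `check_netstream_driver /etc/rsyslog.conf` before restarting rsyslog; a "missing" result means the TLS listener will fail exactly as in the log above.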
