Configure syslog-ng with TLS
This article is just the compilation of my notes regarding the deployment of a simple log concentrator over TLS.
rsyslog vs syslog-ng
Those are the two main solutions found out there. rsyslog is installed by default on Debian and many derivatives, so I gave it a go first.
My specifications required the use of a TLS connection between the syslog clients and the server. Nothing fancy, but it quickly became a pain to set up with rsyslog, since:

- rsyslog version.[1]
- rsyslog from 2016 even more painful.[2]
- StreamDriver.Mode takes at least two clicks from the page where you learn of its existence and a too deep knowledge of the internals of rsyslog: the different network drivers, and which is the one you want for a TLS connection, gtls, ptcp, openssl...

This is only my experience of a single day of trying to set up a TLS connection between two machines. I expect rsyslog didn't become popular and the default on Debian by accident, so it must have some advantages I didn't see, but after a while playing with it, I was more hurt than pleased, and finally gave up. Feel free to show me what kind of moron I am :-)

Oh, and fortunately, Proxmox stopped depending on it a while ago, so there was no problem testing something else in my situation.
syslog-ng configuration example

As you may have guessed, the syslog-ng experience was quite different. It took me about 20 minutes to set up a first proof of concept connection with syslog-ng, and I had all my servers connected in one afternoon, with a clean and readable configuration. The documentation isn't perfect, but works okay, and the error messages I got when there were problems were helpful too. This page is particularly salutary and easy to find.
Here is a full server configuration:
options {
  create_dirs(yes);    # create /storage/logs/$HOST/$YEAR/$MONTH/ on the fly
  keep-hostname(yes);  # keep the hostname the client wrote in the message
                       # instead of replacing it with the resolved peer name
};

source s_network {
  network(
    transport("tls")
    ip(0.0.0.0)
    port(514)
    tls(
      # ca-dir() is read the way OpenSSL reads a CApath: the CA certificates
      # must be stored under their hashed names (c_rehash style; on Debian
      # update-ca-certificates maintains those links in /etc/ssl/certs)
      ca-dir("/etc/ssl/certs")
      cert-file("/etc/ssl/certs/server.example.net.crt")
      key-file("/etc/ssl/private/server.example.net.key")
      # required-trusted: the client must present a certificate and it must
      # chain to a CA found in ca-dir(); anything else is rejected
      peer-verify("required-trusted")
      # on top of the CA check, the client certificate's subject DN must
      # also match this glob ('*' matches any run of characters)
      trusted-dn("*CN=*example.net, *")
    )
  );
};

##################################################
# f_auth is used below but not defined anywhere else in this snippet; this is
# the usual definition, selecting the auth and authpriv facilities
filter f_auth { facility(auth, authpriv); };

destination d_host-generic { file("/storage/logs/$HOST/$YEAR/$MONTH/$HOST-$YEAR-$MONTH-$DAY.log"); };
destination d_host-auth { file("/storage/logs/$HOST/$YEAR/$MONTH/auth-$HOST-$YEAR-$MONTH-$DAY.log"); };
# You can put many more here depending on your needs
##################################################
log { source(s_network); filter(f_auth); destination(d_host-auth); };
log { source(s_network); destination(d_host-generic); };
# Same as above, add what you need here
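The trusted-dn() line is the second gate after the CA check, so it is worth seeing exactly which client subjects it lets through. The Python below is an added example written for this article, not syslog-ng code: it mimics the glob semantics (only '*' and '?' are wildcards, everything else is literal), runs the page's pattern against a few constructed subject DNs, and compares it with a hypothetical tighter pattern (TIGHT_PATTERN). It assumes the subject DN is rendered as comma-plus-space separated ATTR=value pairs, which is the layout the page's pattern is written against.

```python
import re

# The page's own pattern, and a tighter alternative (assumption) for comparison
PAGE_PATTERN = "*CN=*example.net, *"
TIGHT_PATTERN = "*CN=*.example.net, *"

# Constructed sample subject DNs of client certificates that already passed the
# CA check. Assumption: DNs are rendered as "ATTR=value, ATTR=value".
SAMPLE_PEER_DNS = [
    "C=FR, O=Example, CN=web1.example.net, emailAddress=admin@example.net",
    "C=FR, O=Example, CN=example.net, emailAddress=admin@example.net",
    "C=FR, O=Other, CN=notexample.net, emailAddress=ops@other.example",
    "C=FR, O=Other, CN=host.example.org, emailAddress=ops@example.org",
]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a trusted-dn() style glob into a compiled regex.

    Only '*' (any run of characters) and '?' (exactly one character) are
    wildcards; '.', ',', '=' and everything else are matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def dn_matches(pattern: str, dn: str) -> bool:
    """True if the whole DN string matches the glob; partial matches do not count."""
    return glob_to_regex(pattern).fullmatch(dn) is not None


def accepted_peers(pattern: str, dns) -> list:
    """Return the DNs that the given trusted-dn() pattern would let through."""
    return [dn for dn in dns if dn_matches(pattern, dn)]


if __name__ == "__main__":
    for pattern in (PAGE_PATTERN, TIGHT_PATTERN):
        print(f"trusted-dn({pattern!r}) accepts:")
        for dn in accepted_peers(pattern, SAMPLE_PEER_DNS):
            print("   ", dn)
```

Running it shows the point a reviewer would raise: `*example.net` is a bare suffix match, so a CA-signed certificate for notexample.net is accepted too, while `*CN=*.example.net, *` only accepts subdomains (and, as a side effect, rejects the bare example.net name, so pick whichever fits your naming). Both patterns also insist on a ", " right after the name, so under this rendering a certificate whose CN is the last attribute of the subject would be rejected.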
And here is the corresponding client configuration:
destination d_network {
  network(
    "server.example.net"
    port(514)
    transport("tls")
    tls(
      # same hashed-name CA directory as on the server side
      ca-dir("/etc/ssl/certs")
      # the client certificate presented to the server; its subject must
      # satisfy the server's trusted-dn() pattern
      cert_file("/etc/ssl/certs/client.example.net.crt.pem")
      key_file("/etc/ssl/private/client.example.net.key.pem")
    )
  );
};

# s_src is not defined in this snippet: it is the local source from the stock
# Debian syslog-ng.conf (system() and internal())
log {
  source(s_src);
  destination(d_network);
};
Don't forget to open the TCP 514 port in the firewall, and you're good to go!
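Once the server is up, it helps to have a client that does exactly what the configuration above asks for, so that the TLS requirements can be exercised independently of syslog-ng. The following Python is an added example, not part of the article or of syslog-ng: it builds a TLS context that mirrors the client's tls() block (ca-dir, client certificate and key, using the page's paths as assumptions), formats a BSD-style syslog line as the network() driver expects, and shows which facility codes the server's f_auth filter would route to the auth log. SAMPLE_TIME and the sample messages are constructed.

```python
import datetime
import socket
import ssl
import sys

# Facility and severity codes from RFC 3164; the server's f_auth filter keys
# on auth (4) and authpriv (10).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11, "local0": 16, "local1": 17,
              "local2": 18, "local3": 19, "local4": 20, "local5": 21,
              "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Constructed timestamp used by the examples and tests
SAMPLE_TIME = datetime.datetime(2024, 1, 5, 9, 7, 3)


def make_client_tls_context(ca_dir: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """Mirror the client-side tls() block: trust the CAs in ca_dir, present our cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.load_verify_locations(capath=ca_dir)          # same hashed-name dir as ca-dir()
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # cert_file()/key_file()
    ctx.verify_mode = ssl.CERT_REQUIRED   # refuse a server without a trusted chain
    ctx.check_hostname = True             # and require the connected name in its cert
    return ctx


def format_bsd_syslog(facility: str, severity: str, hostname: str, tag: str,
                      msg: str, when: datetime.datetime) -> bytes:
    """Build one RFC 3164 line, newline terminated, as the network() driver expects."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with a space-padded day
    stamp = f"{MONTHS[when.month - 1]} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}\n".encode()


def decode_pri(line: bytes) -> tuple:
    """Split the leading <PRI> of a syslog line back into (facility, severity)."""
    end = line.index(b">")
    pri = int(line[1:end])
    return pri // 8, pri % 8


def routed_to_auth_log(line: bytes) -> bool:
    """Would the server's f_auth filter (facility(auth, authpriv)) select this line?"""
    facility, _ = decode_pri(line)
    return facility in (FACILITIES["auth"], FACILITIES["authpriv"])


def send_line(server: str, port: int, ctx: ssl.SSLContext, line: bytes) -> None:
    """Open a TLS connection to the concentrator and push one line through it."""
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(line)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: tls_syslog_client.py <server> <port>")
    server, port = sys.argv[1], int(sys.argv[2])
    # Paths are the ones from the page's client configuration (assumption)
    ctx = make_client_tls_context("/etc/ssl/certs",
                                  "/etc/ssl/certs/client.example.net.crt.pem",
                                  "/etc/ssl/private/client.example.net.key.pem")
    line = format_bsd_syslog("auth", "info", socket.gethostname(), "tlstest",
                             "hello over TLS", datetime.datetime.now())
    send_line(server, port, ctx, line)
```

A useful check with this client is to temporarily drop the load_cert_chain() call: with peer-verify("required-trusted") on the server, the handshake must then fail, and if it does not, the server is accepting unauthenticated senders. Likewise, a client certificate whose subject does not satisfy trusted-dn() should be rejected even though it chains to a trusted CA.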
[1] Out-of-date tutorial, it still uses the old syntax: https://rsyslog.readthedocs.io/en/latest/tutorials/tls.html
[2] Here is the rework commit, still unreleased as of today: https://github.com/rsyslog/rsyslog-doc/commit/07bd11c483e0f20068c5f4fd4dc00a698f88a3e6