This article is simply a compilation of my notes on deploying a simple log concentrator over TLS.

rsyslog vs syslog-ng

These are the two main solutions out there. rsyslog is installed by default on Debian and many derivatives, so I gave it a go first.

My specifications required the use of a TLS connection between the syslog clients and the server. Nothing fancy, but it quickly became a pain to set up with rsyslog, since:

  • They updated their configuration syntax but kept both syntaxes in the very same file, which leads to many “question” issues and needless difficulty in understanding which file is valid for which rsyslog version.
  • Here is the out-of-date [1][2] but well-indexed and easy-to-find documentation: https://rsyslog.readthedocs.io
    It also has the advantage of being Sphinx-based, thus really familiar and easy to browse, which makes the fact that it covers a version of rsyslog from 2016 even more painful.
  • Here is the up-to-date but nearly unusable documentation: https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
    It is really more of a full API reference, with no real configuration example covering simple use cases.
    Discovering every single option is thus easy, but it is very hard to understand how they work together, or which values a given key can take.
    For example, finding the possible values of StreamDriver.Mode takes at least two clicks from the page where you learn it exists, plus too deep a knowledge of rsyslog internals: the different network drivers (gtls, ptcp, openssl) and which one you want for a TLS connection.
  • Overall, “the documentation is hard to use and badly structured”.

This is only my experience of a single day spent trying to set up a TLS connection between two machines. I expect rsyslog didn’t become popular and the default on Debian by accident, so it must have some advantages I didn’t see, but after a while playing with it, I was more hurt than pleased, and finally gave up. Feel free to show me what kind of moron I am :-)

Oh, and fortunately, Proxmox stopped depending on it a while ago, so there was no problem testing something else in my situation.

syslog-ng configuration example

As you may have guessed, the syslog-ng experience was quite different. It took me about 20 minutes to set up a first proof-of-concept connection with syslog-ng, and I had all my servers connected in one afternoon, with a clean and readable configuration. The documentation isn’t perfect, but it works okay, and the error messages I got when there were problems were helpful too. This page is particularly helpful and easy to find.

Here is a full server configuration:

options {
    create_dirs(yes);
    keep-hostname(yes);
};

source s_network {
    network (
            transport("tls")
            ip("0.0.0.0")
            port(514)
            tls (
                # ca-dir() is read OpenSSL-style: each CA certificate must be present
                # under its subject-hash name (<hash>.0), as produced by "openssl rehash"
                # or c_rehash. Debian's /etc/ssl/certs is already hashed, but it holds
                # every system CA, so only trusted-dn() below limits which CA-signed
                # peers get in; a directory holding just your own CA is the tighter choice.
                ca-dir("/etc/ssl/certs")
                cert-file("/etc/ssl/certs/server.example.net.crt")
                key-file("/etc/ssl/private/server.example.net.key")
                # Reject clients that present no certificate, or one not signed by a CA in ca-dir().
                peer-verify("required-trusted")
                # Glob matched against the client certificate's subject DN ("CN=..., O=..., C=...").
                trusted-dn("*CN=*example.net, *")
                )
        );
};


##################################################
destination d_host-generic { file("/storage/logs/$HOST/$YEAR/$MONTH/$HOST-$YEAR-$MONTH-$DAY.log"); };
destination d_host-auth { file("/storage/logs/$HOST/$YEAR/$MONTH/auth-$HOST-$YEAR-$MONTH-$DAY.log"); };
# You can put many more here depending on your needs

##################################################
# f_auth is used in the first log path below; the usual definition selects the auth facilities.
filter f_auth { facility(auth, authpriv); };

log { source(s_network); filter(f_auth); destination(d_host-auth); };
log { source(s_network); destination(d_host-generic); };
# Same as above, add what you need here
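Because the server trusts every CA under /etc/ssl/certs, the trusted-dn() glob is what decides which CA-signed clients may actually deliver logs, so it is worth seeing exactly which subjects it lets through. The script below is an added example, not code from the original post or from syslog-ng; it assumes (my reading of syslog-ng's TLS code, not stated on the page) that trusted-dn() matches a GLib-style glob, where only `*` and `?` are special, against the peer subject rendered as "CN=..., O=..., C=...". The subjects it evaluates are constructed for the demonstration.

```python
"""Evaluate which constructed certificate subjects a syslog-ng trusted-dn()
pattern accepts.  Added example; the glob semantics are an assumption about
syslog-ng, and the subjects are made up for the demonstration."""
from typing import Iterable, List, Tuple


def glob_match(pattern: str, text: str) -> bool:
    """Match text against a glob where '*' matches any run of characters
    (including none) and '?' matches exactly one character.  Two-pointer
    matcher that backtracks to the most recent '*' on a mismatch."""
    p = t = 0
    star_p = star_t = -1
    while t < len(text):
        if p < len(pattern) and pattern[p] == "*":
            star_p, star_t = p, t          # remember where the star was
            p += 1
        elif p < len(pattern) and pattern[p] in ("?", text[t]):
            p += 1
            t += 1
        elif star_p != -1:
            star_t += 1                    # let the last star absorb one more char
            p, t = star_p + 1, star_t
        else:
            return False
    while p < len(pattern) and pattern[p] == "*":
        p += 1                             # trailing stars may match nothing
    return p == len(pattern)


def dn_accepted(patterns: Iterable[str], dn: str) -> bool:
    """trusted-dn() takes a list; the peer is accepted if any pattern matches."""
    return any(glob_match(pat, dn) for pat in patterns)


def evaluate(patterns: Iterable[str], subjects: Iterable[str]) -> List[Tuple[str, bool]]:
    pats = list(patterns)
    return [(dn, dn_accepted(pats, dn)) for dn in subjects]


# The pattern from the server configuration above.
PAGE_PATTERN = ["*CN=*example.net, *"]
# A tighter variant: the CN itself must end in ".example.net".
STRICT_PATTERN = ["CN=*.example.net, *"]

# Constructed subjects, in the "CN=..., O=..., C=..." order assumed above.
SUBJECTS = [
    "CN=client.example.net, O=Example, C=FR",   # the legitimate client
    "CN=notexample.net, O=Other, C=FR",         # no dot boundary before "example.net"
    "CN=x, OU=y.example.net, O=Other, C=FR",    # "example.net" hides in another RDN
    "CN=client.example.net",                    # no ", " after the CN, so neither matches
    "CN=other.example.org, O=Example, C=FR",    # unrelated domain
]

if __name__ == "__main__":
    for label, pats in (("page pattern", PAGE_PATTERN), ("strict pattern", STRICT_PATTERN)):
        print(f"--- {label}: {pats}")
        for dn, ok in evaluate(pats, SUBJECTS):
            print(f"{'ACCEPT' if ok else 'reject'}  {dn}")
```

Run it and the page's pattern accepts "CN=notexample.net" as well as the real client, while the stricter CN=*.example.net pattern rejects it. Both still accept the subject that carries "example.net" in an OU, because `*` happily spans the ", " between RDNs: the glob is not RDN-aware. That is why the CA directory, not the DN glob, should be the primary control, and trusted-dn() only a second filter on top of peer-verify("required-trusted").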

And here is the corresponding client configuration:

destination d_network {
    network(
            "server.example.net"
            port(514)
            transport("tls")
            # Same hashed-directory rule as on the server; syslog-ng treats
            # cert_file/key_file and cert-file/key-file as the same option names.
            tls(ca-dir("/etc/ssl/certs")
                cert_file("/etc/ssl/certs/client.example.net.crt.pem")
                key_file("/etc/ssl/private/client.example.net.key.pem")
               )
           );
};
# s_src is the local source (system() and internal()) defined in the stock
# /etc/syslog-ng/syslog-ng.conf shipped by Debian; reuse it or name your own.
log {
    source(s_src);
    destination(d_network);
};

Don’t forget to open TCP port 514 in the firewall, and you’re good to go!


  1. Out-of-date tutorial, it still uses the old syntax: https://rsyslog.readthedocs.io/en/latest/tutorials/tls.html

  2. Here is the rework commit, still unreleased as of today: https://github.com/rsyslog/rsyslog-doc/commit/07bd11c483e0f20068c5f4fd4dc00a698f88a3e6