Rsyslog: Difference between revisions
From Lolly's Wiki
Jump to navigationJump to search
No edit summary |
(→Server) |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 45: | Line 45: | ||
port="6514" | port="6514" | ||
ruleset="fromremote" | ruleset="fromremote" | ||
gnutlsPriorityString="%SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-VERS-DTLS-ALL:-KX-ALL:-CIPHER-ALL:-MAC-ALL:-CURVE-ALL:-SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+SHA256:+SHA384:+AEAD:+CURVE-SECP256R1:+CURVE-SECP384R1:+SIGN-RSA-SHA256" | |||
) | ) | ||
</SyntaxHighlight> | </SyntaxHighlight> | ||
| Line 71: | Line 72: | ||
StreamDriverMode="1" | StreamDriverMode="1" | ||
StreamDriverAuthMode="anon" | StreamDriverAuthMode="anon" | ||
gnutlsPriorityString="%SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-VERS-DTLS-ALL:-KX-ALL:-CIPHER-ALL:-MAC-ALL:-CURVE-ALL:-SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+SHA256:+SHA384:+AEAD:+CURVE-SECP256R1:+CURVE-SECP384R1:+SIGN-RSA-SHA256" | |||
) | |||
} | } | ||
</SyntaxHighlight> | </SyntaxHighlight> | ||
Latest revision as of 15:28, 23 March 2023
Logging via TLS
Server
/etc/rsyslog.d/syslog-server.conf
#
## Set the certificates to use
#
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
DefaultNetstreamDriverCertFile="/etc/rsyslog.d/syslog.server.de-cert.pem"
DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/syslog.server.de-key.pem"
)
#
## load input module TCP and force TLS
#
module(
load="imtcp"
StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="anon"
)
#
## Dynamic file template for logging into <host>/facility>.log
#
template (name="DynFile" type="string" string="/var/log/remote/%FROMHOST%/%SYSLOGFACILITY-TEXT%.log")
#
## Ruleset to log with the dynamic file name "DynFile" from above
#
ruleset(name="fromremote") {
action(type="omfile" dynafile="DynFile")
stop
}
#
## start up TCP listener at port 6514 and bind ruleset "fromremote" from above
#
input(
type="imtcp"
port="6514"
ruleset="fromremote"
gnutlsPriorityString="%SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-VERS-DTLS-ALL:-KX-ALL:-CIPHER-ALL:-MAC-ALL:-CURVE-ALL:-SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+SHA256:+SHA384:+AEAD:+CURVE-SECP256R1:+CURVE-SECP384R1:+SIGN-RSA-SHA256"
)Client
/etc/rsyslog.d/syslog-client.conf
#
## Set CA certificate to use
#
global(
DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
)
#
## Set up the action for logging to remote syslog server with TLS
#
ruleset(name="remotesyslog") {
action(
name="syslogserver"
type="omfwd"
protocol="tcp"
target="syslog.server.de"
port="6514"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="anon"
gnutlsPriorityString="%SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-VERS-DTLS-ALL:-KX-ALL:-CIPHER-ALL:-MAC-ALL:-CURVE-ALL:-SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+SHA256:+SHA384:+AEAD:+CURVE-SECP256R1:+CURVE-SECP384R1:+SIGN-RSA-SHA256"
)
}/etc/rsyslog.d/firewall.frule
#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
($msg contains 'IN=' and $msg contains 'OUT=') \
then {
-/var/log/firewall
call remotesyslog
stop
}/etc/rsyslog.d/auth.frule
if ( $syslogtag == 'login:' ) or \
( ( $programname == 'sshd' ) and \
( \
( $msg contains 'Accepted publickey for' ) or \
( $msg contains 'Received disconnect' ) or \
( $msg contains 'Disconnected from user' ) \
) \
) \
then {
-/var/log/auth.log
call remotesyslog
stop
}
