Rsyslog: Difference between revisions
From Lolly's Wiki
Jump to navigationJump to search
(→Client) |
(→Server) |
||
Line 45: | Line 45: | ||
port="6514" | port="6514" | ||
ruleset="fromremote" | ruleset="fromremote" | ||
gnutlsPriorityString=" | |||
MinProtocol=TLSv1.2 | |||
MaxProtocol=TLSv1.3 | |||
CipherString=ECDHE-RSA-AES128-GCM-SHA256 | |||
Ciphersuites=TLS_AES_128_GCM_SHA256 | |||
SignatureAlgorithms=ECDSA+SHA512:RSA-PSS+SHA512 | |||
ClientSignatureAlgorithms=ECDSA+SHA512:RSA-PSS+SHA512 | |||
Groups=P-521 | |||
RecordPadding=512 | |||
Options=ServerPreference,Compression,DHSingle,ECDHSingle,AntiReplay,-AllowNoDHEKEX,EncryptThenMac,EncryptThenMac,-UnsafeLegacyRenegotiation,NoRenegotiation,-MiddleboxCompat | |||
" | |||
) | ) | ||
</SyntaxHighlight> | </SyntaxHighlight> |
Revision as of 14:57, 23 March 2023
Logging via TLS
Server
/etc/rsyslog.d/syslog-server.conf
#
## Set the certificates to use
#
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
DefaultNetstreamDriverCertFile="/etc/rsyslog.d/syslog.server.de-cert.pem"
DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/syslog.server.de-key.pem"
)
#
## load input module TCP and force TLS
#
module(
load="imtcp"
StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.Authmode="anon"
)
#
## Dynamic file template for logging into <host>/facility>.log
#
template (name="DynFile" type="string" string="/var/log/remote/%FROMHOST%/%SYSLOGFACILITY-TEXT%.log")
#
## Ruleset to log with the dynamic file name "DynFile" from above
#
ruleset(name="fromremote") {
action(type="omfile" dynafile="DynFile")
stop
}
#
## start up TCP listener at port 6514 and bind ruleset "fromremote" from above
#
input(
type="imtcp"
port="6514"
ruleset="fromremote"
gnutlsPriorityString="
MinProtocol=TLSv1.2
MaxProtocol=TLSv1.3
CipherString=ECDHE-RSA-AES128-GCM-SHA256
Ciphersuites=TLS_AES_128_GCM_SHA256
SignatureAlgorithms=ECDSA+SHA512:RSA-PSS+SHA512
ClientSignatureAlgorithms=ECDSA+SHA512:RSA-PSS+SHA512
Groups=P-521
RecordPadding=512
Options=ServerPreference,Compression,DHSingle,ECDHSingle,AntiReplay,-AllowNoDHEKEX,EncryptThenMac,EncryptThenMac,-UnsafeLegacyRenegotiation,NoRenegotiation,-MiddleboxCompat
"
)
Client
/etc/rsyslog.d/syslog-client.conf
#
## Set CA certificate to use
#
global(
DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
)
#
## Set up the action for logging to remote syslog server with TLS
#
ruleset(name="remotesyslog") {
action(
name="syslogserver"
type="omfwd"
protocol="tcp"
target="syslog.server.de"
port="6514"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="anon"
StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="syslog.server.de"
gnutlsPriorityString="
Protocol=TLSv1.2
Curves=P-384
ClientSignatureAlgorithms=RSA+SHA384:ECDSA+SHA384
SignatureAlgorithms=RSA+SHA384:ECDSA+SHA384
CipherString=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
"
)
}
/etc/rsyslog.d/firewall.frule
#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
($msg contains 'IN=' and $msg contains 'OUT=') \
then {
-/var/log/firewall
call remotesyslog
stop
}
/etc/rsyslog.d/auth.frule
if ( $syslogtag == 'login:' ) or \
( ( $programname == 'sshd' ) and \
( \
( $msg contains 'Accepted publickey for' ) or \
( $msg contains 'Received disconnect' ) or \
( $msg contains 'Disconnected from user' ) \
) \
) \
then {
-/var/log/auth.log
call remotesyslog
stop
}