Rsyslog

From Lolly's Wiki
Jump to navigationJump to search


Logging via TLS

Server

/etc/rsyslog.d/syslog-server.conf 

#
## Set the certificates to use
#
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/syslog.server.de-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/syslog.server.de-key.pem"
)

#
## load input module TCP and force TLS
#
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="anon"
)

#
## Dynamic file template for logging into <host>/facility>.log
#
template (name="DynFile" type="string" string="/var/log/remote/%FROMHOST%/%SYSLOGFACILITY-TEXT%.log")

#
## Ruleset to log with the dynamic file name "DynFile" from above
#
ruleset(name="fromremote") {
  action(type="omfile" dynafile="DynFile")
  stop
}

#
## start up TCP listener at port 6514 and bind ruleset "fromremote" from above
#
input(
  type="imtcp"
  port="6514"
  ruleset="fromremote"
  gnutlsPriorityString="%SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-VERS-DTLS-ALL:-KX-ALL:-CIPHER-ALL:-MAC-ALL:-CURVE-ALL:-SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+SHA256:+SHA384:+AEAD:+CURVE-SECP256R1:+CURVE-SECP384R1:+SIGN-RSA-SHA256"
)

Client

/etc/rsyslog.d/syslog-client.conf 

#
## Set CA certificate to use
#
global(
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
)

#
## Set up the action for logging to remote syslog server with TLS
#
ruleset(name="remotesyslog") {
  action(
    name="syslogserver"
    type="omfwd"
    protocol="tcp"
    target="syslog.server.de"
    port="6514"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="anon"
    gnutlsPriorityString="%SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-VERS-DTLS-ALL:-KX-ALL:-CIPHER-ALL:-MAC-ALL:-CURVE-ALL:-SIGN-ALL:+ECDHE-RSA:+ECDHE-ECDSA:+DHE-DSS:+DHE-RSA:+AES-256-CBC:+AES-128-CBC:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+SHA256:+SHA384:+AEAD:+CURVE-SECP256R1:+CURVE-SECP384R1:+SIGN-RSA-SHA256"
  )
}

/etc/rsyslog.d/firewall.frule 

#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
   ($msg contains 'IN=' and $msg contains 'OUT=') \
then {
  -/var/log/firewall
  call remotesyslog
  stop
}

/etc/rsyslog.d/auth.frule 

if ( $syslogtag == 'login:' ) or \
   ( ( $programname == 'sshd' ) and \
     ( \
       ( $msg contains 'Accepted publickey for' ) or \
       ( $msg contains 'Received disconnect' ) or \
       ( $msg contains 'Disconnected from user' ) \
     ) \
   ) \
then {
  -/var/log/auth.log
  call remotesyslog
  stop
}
Retrieved from "https://lars.timmann.de/wiki/index.php?title=Rsyslog&oldid=2727"