Rsyslog

From Lolly's Wiki
Jump to navigationJump to search


Logging via TLS

Server

/etc/rsyslog.d/syslog-server.conf

#
## Set the certificates to use
#
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/syslog.server.de-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/syslog.server.de-key.pem"
)

#
## load input module TCP and force TLS
#
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="anon"
)

#
## Dynamic file template for logging into <host>/facility>.log
#
template (name="DynFile" type="string" string="/var/log/remote/%FROMHOST%/%SYSLOGFACILITY-TEXT%.log")

#
## Ruleset to log with the dynamic file name "DynFile" from above
#
ruleset(name="fromremote") {
  action(type="omfile" dynafile="DynFile")
  stop
}

#
## start up TCP listener at port 6514 and bind ruleset "fromremote" from above
#
input(
  type="imtcp"
  port="6514"
  ruleset="fromremote"
)

Client

/etc/rsyslog.d/syslog-client.conf

#
## Set CA certificate to use
#
global(
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
)

#
## Set up the action for logging to remote syslog server with TLS
#
ruleset(name="remotesyslog") {
  action(
    name="syslogserver"
    type="omfwd"
    protocol="tcp"
    target="syslog.server.de"
    port="6514"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="anon"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="syslog.server.de"
    gnutlsPriorityString="
      Protocol=TLSv1.2
      Curves=P-384
      ClientSignatureAlgorithms=RSA+SHA384:ECDSA+SHA384
      SignatureAlgorithms=RSA+SHA384:ECDSA+SHA384
      CipherString=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
    "
 )
}

/etc/rsyslog.d/firewall.frule

#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
   ($msg contains 'IN=' and $msg contains 'OUT=') \
then {
  -/var/log/firewall
  call remotesyslog
  stop
}

/etc/rsyslog.d/auth.frule

if ( $syslogtag == 'login:' ) or \
   ( ( $programname == 'sshd' ) and \
     ( \
       ( $msg contains 'Accepted publickey for' ) or \
       ( $msg contains 'Received disconnect' ) or \
       ( $msg contains 'Disconnected from user' ) \
     ) \
   ) \
then {
  -/var/log/auth.log
  call remotesyslog
  stop
}