Rsyslog

From Lolly's Wiki
Revision as of 16:03, 23 March 2023 by Lollypop (talk | contribs)
Jump to navigationJump to search


Logging via TLS

Server

/etc/rsyslog.d/syslog-server.conf 

#
## Set the certificates to use
#
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/syslog.server.de-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/syslog.server.de-key.pem"
)

#
## load input module TCP and force TLS
#
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="anon"
)

#
## Dynamic file template for logging into <host>/facility>.log
#
template (name="DynFile" type="string" string="/var/log/remote/%FROMHOST%/%SYSLOGFACILITY-TEXT%.log")

#
## Ruleset to log with the dynamic file name "DynFile" from above
#
ruleset(name="fromremote") {
  action(type="omfile" dynafile="DynFile")
  stop
}

#
## start up TCP listener at port 6514 and bind ruleset "fromremote" from above
#
input(
  type="imtcp"
  port="6514"
  ruleset="fromremote"
  gnutlsPriorityString="
    #Protocol=TLSv1.2
    MinProtocol=TLSv1.2
    MaxProtocol=TLSv1.3
    CipherString=ECDHE-RSA-AES128-GCM-SHA256
    Ciphersuites=TLS_AES_128_GCM_SHA256
    SignatureAlgorithms=ECDSA+SHA512:RSA-PSS+SHA512
    ClientSignatureAlgorithms=ECDSA+SHA512:RSA-PSS+SHA512
    Groups=P-521
    RecordPadding=512
    Options=ServerPreference,Compression,DHSingle,ECDHSingle,AntiReplay,-AllowNoDHEKEX,EncryptThenMac,EncryptThenMac,-UnsafeLegacyRenegotiation,NoRenegotiation,-MiddleboxCompat
  "
)

Client

/etc/rsyslog.d/syslog-client.conf 

#
## Set CA certificate to use
#
global(
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/CA.pem"
)

#
## Set up the action for logging to remote syslog server with TLS
#
ruleset(name="remotesyslog") {
  action(
    name="syslogserver"
    type="omfwd"
    protocol="tcp"
    target="syslog.server.de"
    port="6514"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="anon"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="syslog.server.de"
    gnutlsPriorityString="
      #Protocol=TLSv1.2
      MinProtocol=TLSv1.2
      MaxProtocol=TLSv1.3
      SignatureAlgorithms=ECDSA+SHA512:RSA-PSS+SHA512
      ClientSignatureAlgorithms=ECDSA+SHA512:RSA-PSS+SHA512
      Groups=P-521
      RecordPadding=512
      Options=ServerPreference,Compression,DHSingle,ECDHSingle,AntiReplay,-AllowNoDHEKEX,EncryptThenMac,EncryptThenMac,-UnsafeLegacyRenegotiation,NoRenegotiation,-MiddleboxCompat
    "
 )
}

/etc/rsyslog.d/firewall.frule 

#
# firewall messages into separate file and stop their further processing
#
if ($syslogfacility-text == 'kern') and \
   ($msg contains 'IN=' and $msg contains 'OUT=') \
then {
  -/var/log/firewall
  call remotesyslog
  stop
}

/etc/rsyslog.d/auth.frule 

if ( $syslogtag == 'login:' ) or \
   ( ( $programname == 'sshd' ) and \
     ( \
       ( $msg contains 'Accepted publickey for' ) or \
       ( $msg contains 'Received disconnect' ) or \
       ( $msg contains 'Disconnected from user' ) \
     ) \
   ) \
then {
  -/var/log/auth.log
  call remotesyslog
  stop
}
Retrieved from "https://lars.timmann.de/wiki/index.php?title=Rsyslog&oldid=2725"