Hi Jörgen,

Yes, this is really weird. Can you come up with a complete
reproduction that you'd paste in a GitHub issue?

Best regards,
Radu
--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/


On Fri, Nov 6, 2015 at 1:43 PM, Jörgen Maas <[email protected]> wrote:
> Hi Radu,
>
> First with only the new syntax:
>
> [root@logmanagement-client:/etc/rsyslog.d]# cat forward_syslog_tls.conf
> #
> # forward - syslog / tcp+tls
> #
>
>
> # testing shows that we need both the legacy and new style options
> # when deleting options errors messages and even rsyslogd crashes occur
>
> #$ActionSendStreamDriver gtls
> #$ActionSendStreamDriverMode 1
> #$ActionSendStreamDriverAuthMode x509/name
> #$ActionSendStreamDriverPermittedPeers "logmanagement.xxx.yy"
>
> action(
>     type="omfwd"
>     target="192.168.124.100"
>     port="6514"
>     protocol="tcp"
>     template="RSYSLOG_SyslogProtocol23Format"
>     StreamDriver="gtls"
>     StreamDriverMode="1"
>     StreamDriverAuthMode="x509/name"
>     StreamDriverPermittedPeers="logmanagement.xx.yy"
> )
>
> # EOF
>
> [root@logmanagement-client:/etc/rsyslog.d]# rsyslogd -N3
> rsyslogd: version 7.4.7, config validation run (level 3), master config
> /etc/rsyslog.conf
> Segmentation fault
>
> [root@logmanagement-client:/etc/rsyslog.d]# systemctl restart rsyslog
> Job for rsyslog.service failed. See 'systemctl status rsyslog.service' and
> 'journalctl -xn' for details.
>
> [root@logmanagement-client:/etc/rsyslog.d]# tail /var/log/syslog |grep rsyslogd
> Nov  6 12:30:52 logmanagement-client kernel: traps: rsyslogd[2192] general
> protection ip:7fdab462c4bd sp:7ffd52d30a50 error:0 in libc-2.17.so
> [7fdab45b0000+1b6000]
> Nov  6 12:31:11 logmanagement-client rsyslogd: [origin software="rsyslogd"
> swVersion="7.4.7" x-pid="577" x-info="http://www.rsyslog.com";] exiting on
> signal 15.
>
>
>
> Now with only the old syntax:
>
> [root@logmanagement-client:/etc/rsyslog.d]# cat forward_syslog_tls.conf
> #
> # forward - syslog / tcp+tls
> #
>
>
> # testing shows that we need both the legacy and new style options
> # when deleting options errors messages and even rsyslogd crashes occur
>
> $ActionSendStreamDriver gtls
> $ActionSendStreamDriverMode 1
> $ActionSendStreamDriverAuthMode x509/name
> $ActionSendStreamDriverPermittedPeers "logmanagement.xxx.yy"
>
> action(
>     type="omfwd"
>     target="192.168.124.100"
>     port="6514"
>     protocol="tcp"
>     template="RSYSLOG_SyslogProtocol23Format"
>     #StreamDriver="gtls"
>     #StreamDriverMode="1"
>     #StreamDriverAuthMode="x509/name"
>     #StreamDriverPermittedPeers="logmanagement.xxx.yy"
> )
>
> # EOF
> [root@logmanagement-client:/etc/rsyslog.d]# rsyslogd -N3
> rsyslogd: version 7.4.7, config validation run (level 3), master config
> /etc/rsyslog.conf
> rsyslogd: invalid or yet-unknown config file command
> 'ActionSendStreamDriverPermittedPeers' - have you forgotten to load a
> module? [try http://www.rsyslog.com/e/3003 ]
> rsyslogd: End of config validation run. Bye.
>
> [root@logmanagement-client:/etc/rsyslog.d]# systemctl restart rsyslog
>
> [root@logmanagement-client:/etc/rsyslog.d]# tail /var/log/syslog |grep rsyslogd
> Nov  6 12:36:30 logmanagement-client rsyslogd: [origin software="rsyslogd"
> swVersion="7.4.7" x-pid="2306" x-info="http://www.rsyslog.com";] start
> Nov  6 12:36:30 logmanagement-client rsyslogd-3003: invalid or yet-unknown
> config file command 'ActionSendStreamDriverPermittedPeers' - have you
> forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
> Nov  6 12:36:30 logmanagement-client rsyslogd-2088: error: peer name not
> authorized -  not permitted to talk to it. Names: CN: logmanagement.xxx.yy
> [try http://www.rsyslog.com/e/2088 ]
> Nov  6 12:36:30 logmanagement-client rsyslogd-2088: error: peer name not
> authorized -  not permitted to talk to it. Names: CN:
> logmanagement.xxx.yy;  [try http://www.rsyslog.com/e/2088 ]
>
>
> With both old and new:
>
> [root@logmanagement-client:/etc/rsyslog.d]# cat forward_syslog_tls.conf
> #
> # forward - syslog / tcp+tls
> #
>
>
> # testing shows that we need both the legacy and new style options
> # when deleting options errors messages and even rsyslogd crashes occur
>
> $ActionSendStreamDriver gtls
> $ActionSendStreamDriverMode 1
> $ActionSendStreamDriverAuthMode x509/name
> $ActionSendStreamDriverPermittedPeers "logmanagement.xxx.yy"
>
> action(
>     type="omfwd"
>     target="192.168.124.100"
>     port="6514"
>     protocol="tcp"
>     template="RSYSLOG_SyslogProtocol23Format"
>     StreamDriver="gtls"
>     StreamDriverMode="1"
>     StreamDriverAuthMode="x509/name"
>     StreamDriverPermittedPeers="logmanagement.xxx.yy"
> )
>
> # EOF
>
> [root@logmanagement-client:/etc/rsyslog.d]# rsyslogd -N3
> rsyslogd: version 7.4.7, config validation run (level 3), master config
> /etc/rsyslog.conf
> rsyslogd: invalid or yet-unknown config file command
> 'ActionSendStreamDriverPermittedPeers' - have you forgotten to load a
> module? [try http://www.rsyslog.com/e/3003 ]
> rsyslogd: End of config validation run. Bye.
>
> [root@logmanagement-client:/etc/rsyslog.d]# systemctl restart rsyslog
>
> [root@logmanagement-client:/etc/rsyslog.d]# tail /var/log/syslog
> Nov  6 12:39:04 logmanagement-client rsyslogd: [origin software="rsyslogd"
> swVersion="7.4.7" x-pid="2328" x-info="http://www.rsyslog.com";] start
> Nov  6 12:39:04 logmanagement-client rsyslogd-3003: invalid or yet-unknown
> config file command 'ActionSendStreamDriverPermittedPeers' - have you
> forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
>
> And this configuration actually does work.
>
> For sure I'm hitting some bugs here ;)
>
> Cheers,
> Jörgen
>
>
> On Fri, Nov 6, 2015 at 9:37 AM, Radu Gheorghe <[email protected]>
> wrote:
>
>> Hello Jörgen,
>>
>> So if you "translate" the $Action... directives into RainerScript it
>> doesn't work at all? And you also don't get any configuration errors?
>> Then it would be a bug.
>>
>> Best regards,
>> Radu
>>
>>
>> On Thu, Nov 5, 2015 at 2:22 PM, Jörgen Maas <[email protected]> wrote:
>> > Hi, thanks Radu for your feedback!
>> >
>> > On the client and the server all rsyslog and gnutls versions are the same.
>> > I did recreate the certs with openssl, instead of the certutil as described
>> > in the docs.
>> > I now have this working, it's just like yesterday's issue a case of using
>> > new and old configuration *together* to make it work...
>> >
>> > But doing this seems to also cause some strange issues... I can imagine
>> > that this isn't really a well tested configuration (mixing old and new).
>> > Current config on the sender:
>> >
>> > $ActionSendStreamDriver gtls
>> > $ActionSendStreamDriverMode 1
>> > $ActionSendStreamDriverAuthMode x509/name
>> > $ActionSendStreamDriverPermittedPeers "logmanagement.xxx.yy"
>> >
>> > action(
>> >     type="omfwd"
>> >     target="192.168.124.100"
>> >     port="6514"
>> >     protocol="tcp"
>> >     template="RSYSLOG_SyslogProtocol23Format"
>> >     StreamDriver="gtls"
>> >     StreamDriverMode="1"
>> >     StreamDriverAuthMode="x509/name"
>> >     StreamDriverPermittedPeers="logmanagement.xxx.yy"
>> > )
>> >
>> > Without the legacy options (including
>> > $ActionSendStreamDriverPermittedPeers) rsyslogd won't even start.
>> > And with these options my log looks like this:
>> >
>> > Nov  5 10:59:49 logmanagement-client rsyslogd-3003: invalid or yet-unknown
>> > config file command 'ActionSendStreamDriverPermittedPeers' - have you
>> > forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
>> > Nov  5 10:59:26 logmanagement-client systemd: Stopping System Logging
>> > Service...
>> > Nov  5 10:59:26 logmanagement-client systemd: rsyslog.service: main process
>> > exited, code=killed, status=6/ABRT
>> > Nov  5 10:59:26 logmanagement-client systemd: Unit rsyslog.service entered
>> > failed state.
>> > Nov  5 10:59:26 logmanagement-client systemd: Starting System Logging
>> > Service...
>> > yikes -> Nov  5 10:59:26 logmanagement-client kernel: traps: rsyslogd[4698]
>> > general protection ip:7fd55a8584bd sp:7ffe547d5f90 error:0 in libc-2.17.so
>> > [7fd55a7dc000+1b6000]
>> >
>> > When I comment out the StreamDriverPermittedPeers, I get:
>> >
>> > Nov  5 11:02:58 logmanagement-client rsyslogd-2088: error: peer name not
>> > authorized -  not permitted to talk to it. Names: CN:
>> > logmanagement.xxx.yy;  [try http://www.rsyslog.com/e/2088 ]
>> >
>> > So with this "hybrid" config I can transfer logs over the tls channel. But
>> > unfortunately the system is not really stable, I have seen some segfaults
>> > and the general protection errors in the above log make me a bit wary using
>> > this in a production setting. Any suggestions/hints on this specific error
>> > and/or the segfaults?
>> >
>> > Thanks again!
>> >
>> > Regards,
>> > Jörgen
>> >
>> > On Thu, Nov 5, 2015 at 8:07 AM, Radu Gheorghe <[email protected]> wrote:
>> >
>> >> Hello,
>> >>
>> >> We had this problem at one point when having different versions of
>> >> rsyslog (and/or gnutls) acting as client and server. Another time when
>> >> I encountered this was when I didn't set up certificates properly.
>> >>
>> >> I hope this helps.
>> >>
>> >> Best regards,
>> >> Radu
>> >>
>> >>
>> >> On Thu, Nov 5, 2015 at 7:27 AM, Jörgen Maas <[email protected]> wrote:
>> >> > Hi all,
>> >> >
>> >> > With yesterday's help I've succeeded in setting up a TLS listener. I also
>> >> > set up a forwarder as described in:
>> >> >
>> >> > http://blog.sematext.com/2014/03/25/encrypting-logs-on-their-way-to-elasticsearch-part-2-tls-syslog/
>> >> >
>> >> > On the server side I see this in my logs:
>> >> > Nov  5 06:10:50 logmanagement rsyslogd-2083: gnutls returned error on
>> >> > handshake: An unexpected TLS packet was received.
>> >> >
>> >> > I captured the network sessions and the messages are sent with plain tcp
>> >> > (readable), so that explains the server side log entry.
>> >> >
>> >> > This is my client side config:
>> >> >
>> >> > action(
>> >> >     type="omfwd"
>> >> >     target="192.168.124.100"
>> >> >     port="6514"
>> >> >     protocol="tcp"
>> >> >     template="RSYSLOG_SyslogProtocol23Format"
>> >> >     StreamDriver="gtls"
>> >> >     StreamDriverMode="1"
>> >> >     StreamDriverAuthMode="x509/name"
>> >> >     StreamDriverPermittedPeers="logmanagement.xxx.yyy"
>> >> > )
>> >> >
>> >> > The "gtls" default settings are set in the global() section, as discussed
>> >> > yesterday.
>> >> >
>> >> > Software version:
>> >> > rsyslog-7.4.7-7.el7_1.1.x86_64
>> >> >
>> >> >
>> >> > What am I missing here?
>> >> >
>> >> > Thanks!
>> >> >
>> >> >
>> >> > Regards,
>> >> > Jörgen
>> >> > _______________________________________________
>> >> > rsyslog mailing list
>> >> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> >> > http://www.rsyslog.com/professional-services/
>> >> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> >> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>> >> > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>> >> > DON'T LIKE THAT.
>>
>
>
>
> --
> Grtz,
> Jörgen Maas
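
The symptom from the first message in this thread (the server logging "An unexpected TLS packet was received" while a capture shows readable syslog on port 6514) can be checked mechanically from the first client payload of each session. This is an added example, not part of the original thread or of rsyslog; the function names and the sample payloads are constructed, and it assumes the first client-to-server bytes of each flow have already been extracted from a capture.

```python
import re

# RFC 5424 header ("<PRI>1 "), optionally preceded by an octet count ("123 ").
SYSLOG_RE = re.compile(rb"^(?:\d{1,7} )?<(\d{1,3})>1 ")
TLS_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3), (3, 4)}


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server payload of one TCP session."""
    if len(payload) >= 6:
        ctype, major, minor = payload[0], payload[1], payload[2]
        rec_len = int.from_bytes(payload[3:5], "big")
        # TLS record header: handshake (22), known version, sane length,
        # and the first handshake message is a ClientHello (1).
        if (ctype == 22 and (major, minor) in TLS_VERSIONS
                and 0 < rec_len <= 16384 and payload[5] == 1):
            return "tls-client-hello"
    m = SYSLOG_RE.match(payload)
    # PRI = facility * 8 + severity, so it can never exceed 23 * 8 + 7 = 191.
    if m and int(m.group(1)) <= 191:
        return "plaintext-syslog"
    return "unknown"


def plaintext_flows(first_payloads: dict) -> list:
    """Return the flow ids whose first payload is readable syslog, not TLS."""
    return sorted(flow for flow, data in first_payloads.items()
                  if classify_first_bytes(data) == "plaintext-syslog")


# Constructed sample data: flow id -> first bytes sent by the client.
SAMPLE_FLOWS = {
    "client-a:40112": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32,
    "client-b:40113": b"<30>1 2015-11-05T06:10:50+01:00 host app 42 - - constructed\n",
    "client-c:40114": b"61 <30>1 2015-11-05T06:10:51+01:00 host app 42 - - constructed\n",
}

if __name__ == "__main__":
    for flow in plaintext_flows(SAMPLE_FLOWS):
        print(f"{flow}: syslog sent in the clear on the TLS port")
```

Any flow reported here means the sender's omfwd action is not applying its stream driver settings, whatever the configuration file says.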
