Hi Carsten, I added this but got an error in the logs. 2018-11-15T15:25:44.803514+01:00 3msl rsyslogd: imrelp: invalid auth mode 'anon' [v8.39.0 try http://www.rsyslog.com/e/2291 ]
I tried this config with : tls.authMode="anon" and then with, tls.authMode=anon # Input Modules input(type="imrelp" port="10514" tls="on" tls.caCert="/etc/pki/tls/private/ca-cert.pem" tls.myCert="/etc/pki/tls/private/collector-cert.pem" tls.myPrivKey="/etc/pki/tls/private/collector-key.pem" tls.authMode="anon" tls.permittedpeer=["*.local"] ) I'm running rsyslogd 8.39.0 Best wishes, Sophie > -----Original Message----- > From: [email protected] [mailto:[email protected]] > Sent: Tuesday, November 13, 2018 5:08 PM > To: [email protected] > Cc: LOEWENTHAL Sophie > Subject: RE: [rsyslog] TLS and rsyslog > > Hi Sophie, > > To get rid of the cert verification I used the following config parameter > > $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated > > So in your case I would think it's the following: > tls.authMode=anon > > for anonymous authentication. > > This was set on the server site. > > My whole config looked like this: > > :::::::::::::: > /etc/rsyslog.d/tls.conf > :::::::::::::: > # syslog via tls configuration > $ModLoad imtcp # TCP listener > > # make gtls driver the default > $DefaultNetstreamDriver gtls > > # certificate files > $DefaultNetstreamDriverCAFile /etc/rsyslog.d/certs/ca.pem > $DefaultNetstreamDriverCertFile /etc/rsyslog.d/certs/cert.pem > $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/certs/key.pem > > #Ruleset > $Ruleset TLS > *.* /apps/log/tls.log > action( > name="rsyslog-debug-local" > template="RSYSLOG_DebugFormat" > type="omfile" > file="/apps/log/rsyslog-debug-tls.log" > ) > $Ruleset RSYSLOG_DefaultRuleset > > $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode > $InputTCPServerBindRuleset TLS > $InputTCPServerRun 6514 # start up listener at port 6514 > > Regards > > carsten > > > Carsten Lange | Security Specialist | CISSP | E: [email protected] > > -----Original Message----- > From: rsyslog [mailto:[email protected]] On Behalf Of > sophie.loewenthal--- via rsyslog > Sent: Dienstag, 13. November 2018 16:27 > To: rsyslog-users <[email protected]> > Cc: [email protected] > Subject: Re: [rsyslog] TLS and rsyslog > > Hi, > > New error message after removing the tls.permittedpeer=["*.local"] and the > tls.authmode I saw this, > > 2018-11-13T16:19:22.691302+01:00 6 rsyslogd: imrelp[10514]: error 'TLS record > write failed [gnutls error -10: The specified session has been invalidated for > some reason.]', object 'lstn 10514: conn to clt 10.1.1.8/a2.local ' - input > may > not work as intended [v8.24.0 try http://www.rsyslog.com/e/2353 ] > > > > > -----Original Message----- > > From: rsyslog [mailto:[email protected]] On Behalf Of > > sophie.loewenthal--- via rsyslog > > Sent: Tuesday, November 13, 2018 4:03 PM > > To: rsyslog-users > > Cc: LOEWENTHAL Sophie > > Subject: Re: [rsyslog] TLS and rsyslog > > > > Thanks. I configured ca and certs for the clients and servers. I set the > > dnsName > > to a wildcard. e.g *.local. in the certificates. > > > > Both clients and servers started, and the server listens on the ports with > > TLS. > > > > However TLS connections cannot be established. This is something to do > > with a 'peer' which was specified in tls.permittedpeer= > > > > The error on the server is : > > 2018-11-13T15:50:12.783315+01:00 6 rsyslogd: imrelp[10514]: > > authentication error 'no permited name found', peer is '' [v8.24.0 try > > http://www.rsyslog.com/e/2353 ] > > > > > > I used this config: > > Server: > > input(type="imrelp" port="10514" tls="on" > > tls.caCert="/etc/pki/tls/private/ca-cert.pem" > > tls.myCert="/etc/pki/tls/private/collector-cert.pem" > > tls.myPrivKey="/etc/pki/tls/private/collector-key.pem" > > tls.authMode="name" > > tls.permittedpeer=["*.local"] > > ) > > > > Client: > > action(type="omrelp" target="5" port="10514" tls="on" > > tls.caCert="/etc/pki/tls/private/ca-cert.pem" > > tls.myCert="/etc/pki/tls/private/sender-cert.pem" > > tls.myPrivKey="/etc/pki/tls/private/sender-key.pem" > > tls.authmode="name" > > tls.permittedpeer=["*.local"] > > ) > > action(type="omrelp" target="6" port="10514" tls="on" > > tls.caCert="/etc/pki/tls/private/ca-cert.pem" > > tls.myCert="/etc/pki/tls/private/sender-cert.pem" > > tls.myPrivKey="/etc/pki/tls/private/sender-key.pem" > > tls.authmode="name" > > tls.permittedpeer=["*.local"] > > ) > > > > What should I added for the tls.permittedpeer? I don't think this is > > correct. Or my certificates are wrong. > > > > > -----Original Message----- > > > From: rsyslog [mailto:[email protected]] On Behalf > > > Of John Chivian > > > Sent: Tuesday, November 13, 2018 1:56 PM > > > To: sophie.loewenthal--- via rsyslog > > > Subject: Re: [rsyslog] TLS and rsyslog > > > > > > If both client and server are willing to accept and use a valid > > > certificate, and do no other verification checks, then yes you can > > > use the same cert on all client systems. > > > > > > Regards, > > > > > > On 11/13/18 3:22 AM, sophie.loewenthal--- via rsyslog wrote: > > > > Light bulb moment: Can I use the same client cert on all of the > > > > clients? > > > > > > > >> -----Original Message----- > > > >> From: rsyslog [mailto:[email protected]] On > > > >> Behalf Of > > > >> sophie.loewenthal--- via rsyslog > > > >> Sent: Tuesday, November 13, 2018 10:06 AM > > > >> To: rsyslog-users > > > >> Cc: LOEWENTHAL Sophie > > > >> Subject: [rsyslog] TLS and rsyslog > > > >> > > > >> Hi, > > > >> > > > >> I've read lots of dox on setting up TLS for sending logs and > > > >> every time I see > > > one > > > >> has to set up a CA and then have a certificate for every client. > > > >> I'd have to > > > create > > > >> 1001 certificates and then a new client cert for every new > > > >> server. This is impractical and the time is not available to > > > >> perform the task. For > > comparison, > > > >> we don't require every user's browser to have a client cert to > > > >> connect with > > a > > > >> webserver, like Paypal, and I use self-signed certs for some > > > >> internal web > > > servers. > > > >> > > > >> In my case the objective to to encrypt the syslog data sent over > > > >> the > > network, > > > but > > > >> not to identify the sending machine. > > > >> Is there a way to have rsyslog use a self-signed certificate and > > > >> trust all the clients that connect over TLS? > > > >> > > > >> Some examples that suggest using a self-signed CA + clients: > > > >> https://access.redhat.com/solutions/519533 > > > >> https://waqarafridi.wordpress.com/2015/11/16/configure-ssltls-bet > > > >> ween- > > > two- > > > >> rsyslog-systems/ > > > >> And the list goes on. > > > >> > > > >> Best wishes, > > > >> Sophie > > > >> > > > >> Not working on Mondays/ Travailler sauf le lundi Team mailbox : > > > >> [email protected] or direct > > > >> [email protected] > > > >> > > > >> > > > >> > > > >> > > > >> This message and any attachments (the "message") is intended > > > >> solely for the intended addressees and is confidential. > > > >> If you receive this message in error,or are not the intended > > > >> recipient(s), please delete it and any copies from your systems > > > >> and immediately notify the sender. Any unauthorized view, use > > > >> that does not comply with its > > purpose, > > > >> dissemination or disclosure, either whole or partial, is > > > >> prohibited. Since the internet cannot guarantee the integrity of > > > >> this message which may not be reliable, > > > BNP > > > >> PARIBAS > > > >> (and its subsidiaries) shall not be liable for the message if > > > >> modified, changed > > > or > > > >> falsified. > > > >> Do not print this message unless it is necessary, consider the > > > >> environment. > > > >> > > > >> ----------------------------------------------------------------- > > > >> --------------------------- > > -- > > > ---- > > > >> -------------------------------- > > > >> > > > >> Ce message et toutes les pieces jointes (ci-apres le "message") > > > >> sont etablis a l'intention exclusive de ses destinataires et sont > confidentiels. > > > >> Si vous recevez ce message par erreur ou s'il ne vous est pas > > > >> destine, merci de le detruire ainsi que toute copie de votre > > > >> systeme et d'en avertir immediatement l'expediteur. Toute lecture > > > >> non autorisee, toute utilisation > > de > > > >> ce message qui n'est pas conforme a sa destination, toute > > > >> diffusion ou > > toute > > > >> publication, totale ou partielle, est interdite. L'Internet ne > > > >> permettant pas d'assurer l'integrite de ce message electronique > > > >> susceptible d'alteration, BNP Paribas (et ses filiales) > > > >> decline(nt) toute responsabilite au titre de ce message dans > > > >> l'hypothese ou il aurait ete modifie, deforme ou falsifie. > > > >> N'imprimez ce message que si necessaire, pensez a l'environnement. > > > >> > > > >> _______________________________________________ > > > >> rsyslog mailing list > > > >> http://lists.adiscon.net/mailman/listinfo/rsyslog > > > >> http://www.rsyslog.com/professional-services/ > > > >> What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > > >> WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > > > >> myriad > > of > > > >> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > > > >> you > > > DON'T > > > >> LIKE THAT. > > > > _______________________________________________ > > > > rsyslog mailing list > > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > > http://www.rsyslog.com/professional-services/ > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a > > > > myriad of > > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T > > > LIKE THAT. > > > > > > > > > _______________________________________________ > > > rsyslog mailing list > > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > > http://www.rsyslog.com/professional-services/ > > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > > > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if > > > you > > DON'T > > > LIKE THAT. > > _______________________________________________ > > rsyslog mailing list > > http://lists.adiscon.net/mailman/listinfo/rsyslog > > http://www.rsyslog.com/professional-services/ > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of > > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > > DON'T LIKE THAT. > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This > is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our > control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
