Hi,

"Supported values are either "fingerprint" or "name"."
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html#tls-authmode

Flo

On Thu, Nov 15, 2018 at 3:31 PM sophie.loewenthal--- via rsyslog <[email protected]> wrote:

> Hi Carsten,
>
> I added this but got an error in the logs.
> 2018-11-15T15:25:44.803514+01:00 3msl rsyslogd: imrelp: invalid auth mode
> 'anon' [v8.39.0 try http://www.rsyslog.com/e/2291 ]
>
> I tried this config with:
> tls.authMode="anon"
> and then with,
> tls.authMode=anon
>
> # Input Modules
> input(type="imrelp" port="10514" tls="on"
>       tls.caCert="/etc/pki/tls/private/ca-cert.pem"
>       tls.myCert="/etc/pki/tls/private/collector-cert.pem"
>       tls.myPrivKey="/etc/pki/tls/private/collector-key.pem"
>       tls.authMode="anon"
>       tls.permittedpeer=["*.local"]
> )
>
> I'm running rsyslogd 8.39.0
>
> Best wishes,
> Sophie
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]]
> > Sent: Tuesday, November 13, 2018 5:08 PM
> > To: [email protected]
> > Cc: LOEWENTHAL Sophie
> > Subject: RE: [rsyslog] TLS and rsyslog
> >
> > Hi Sophie,
> >
> > To get rid of the cert verification I used the following config parameter
> >
> > $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> >
> > So in your case I would think it's the following:
> > tls.authMode=anon
> >
> > for anonymous authentication.
> >
> > This was set on the server side.
> >
> > My whole config looked like this:
> >
> > ::::::::::::::
> > /etc/rsyslog.d/tls.conf
> > ::::::::::::::
> > # syslog via tls configuration
> > $ModLoad imtcp # TCP listener
> >
> > # make gtls driver the default
> > $DefaultNetstreamDriver gtls
> >
> > # certificate files
> > $DefaultNetstreamDriverCAFile /etc/rsyslog.d/certs/ca.pem
> > $DefaultNetstreamDriverCertFile /etc/rsyslog.d/certs/cert.pem
> > $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/certs/key.pem
> >
> > #Ruleset
> > $Ruleset TLS
> > *.* /apps/log/tls.log
> > action(
> >   name="rsyslog-debug-local"
> >   template="RSYSLOG_DebugFormat"
> >   type="omfile"
> >   file="/apps/log/rsyslog-debug-tls.log"
> > )
> > $Ruleset RSYSLOG_DefaultRuleset
> >
> > $InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > $InputTCPServerBindRuleset TLS
> > $InputTCPServerRun 6514 # start up listener at port 6514
> >
> > Regards
> >
> > carsten
> >
> > Carsten Lange | Security Specialist | CISSP | E: [email protected]
> >
> > -----Original Message-----
> > From: rsyslog [mailto:[email protected]] On Behalf Of
> > sophie.loewenthal--- via rsyslog
> > Sent: Tuesday, 13 November 2018 16:27
> > To: rsyslog-users <[email protected]>
> > Cc: [email protected]
> > Subject: Re: [rsyslog] TLS and rsyslog
> >
> > Hi,
> >
> > New error message after removing the tls.permittedpeer=["*.local"] and the
> > tls.authmode I saw this,
> >
> > 2018-11-13T16:19:22.691302+01:00 6 rsyslogd: imrelp[10514]: error 'TLS record
> > write failed [gnutls error -10: The specified session has been invalidated for
> > some reason.]', object 'lstn 10514: conn to clt 10.1.1.8/a2.local ' - input may
> > not work as intended [v8.24.0 try http://www.rsyslog.com/e/2353 ]
> >
> > > -----Original Message-----
> > > From: rsyslog [mailto:[email protected]] On Behalf Of
> > > sophie.loewenthal--- via rsyslog
> > > Sent: Tuesday, November 13, 2018 4:03 PM
> > > To: rsyslog-users
> > > Cc: LOEWENTHAL Sophie
> > > Subject: Re: [rsyslog] TLS and rsyslog
> > >
> > > Thanks. I configured ca and certs for the clients and servers. I set the
> > > dnsName to a wildcard, e.g. *.local, in the certificates.
> > >
> > > Both clients and servers started, and the server listens on the ports
> > > with TLS.
> > >
> > > However TLS connections cannot be established. This is something to do
> > > with a 'peer' which was specified in tls.permittedpeer=
> > >
> > > The error on the server is:
> > > 2018-11-13T15:50:12.783315+01:00 6 rsyslogd: imrelp[10514]:
> > > authentication error 'no permited name found', peer is '' [v8.24.0 try
> > > http://www.rsyslog.com/e/2353 ]
> > >
> > > I used this config:
> > > Server:
> > > input(type="imrelp" port="10514" tls="on"
> > >       tls.caCert="/etc/pki/tls/private/ca-cert.pem"
> > >       tls.myCert="/etc/pki/tls/private/collector-cert.pem"
> > >       tls.myPrivKey="/etc/pki/tls/private/collector-key.pem"
> > >       tls.authMode="name"
> > >       tls.permittedpeer=["*.local"]
> > > )
> > >
> > > Client:
> > > action(type="omrelp" target="5" port="10514" tls="on"
> > >        tls.caCert="/etc/pki/tls/private/ca-cert.pem"
> > >        tls.myCert="/etc/pki/tls/private/sender-cert.pem"
> > >        tls.myPrivKey="/etc/pki/tls/private/sender-key.pem"
> > >        tls.authmode="name"
> > >        tls.permittedpeer=["*.local"]
> > > )
> > > action(type="omrelp" target="6" port="10514" tls="on"
> > >        tls.caCert="/etc/pki/tls/private/ca-cert.pem"
> > >        tls.myCert="/etc/pki/tls/private/sender-cert.pem"
> > >        tls.myPrivKey="/etc/pki/tls/private/sender-key.pem"
> > >        tls.authmode="name"
> > >        tls.permittedpeer=["*.local"]
> > > )
> > >
> > > What should I add for the tls.permittedpeer? I don't think this is
> > > correct. Or my certificates are wrong.
> > >
> > > > -----Original Message-----
> > > > From: rsyslog [mailto:[email protected]] On Behalf Of John Chivian
> > > > Sent: Tuesday, November 13, 2018 1:56 PM
> > > > To: sophie.loewenthal--- via rsyslog
> > > > Subject: Re: [rsyslog] TLS and rsyslog
> > > >
> > > > If both client and server are willing to accept and use a valid
> > > > certificate, and do no other verification checks, then yes you can
> > > > use the same cert on all client systems.
> > > >
> > > > Regards,
> > > >
> > > > On 11/13/18 3:22 AM, sophie.loewenthal--- via rsyslog wrote:
> > > > > Light bulb moment: Can I use the same client cert on all of the clients?
> > > > >
> > > > >> -----Original Message-----
> > > > >> From: rsyslog [mailto:[email protected]] On Behalf Of
> > > > >> sophie.loewenthal--- via rsyslog
> > > > >> Sent: Tuesday, November 13, 2018 10:06 AM
> > > > >> To: rsyslog-users
> > > > >> Cc: LOEWENTHAL Sophie
> > > > >> Subject: [rsyslog] TLS and rsyslog
> > > > >>
> > > > >> Hi,
> > > > >>
> > > > >> I've read lots of docs on setting up TLS for sending logs and every
> > > > >> time I see one has to set up a CA and then have a certificate for
> > > > >> every client. I'd have to create 1001 certificates and then a new
> > > > >> client cert for every new server. This is impractical and the time
> > > > >> is not available to perform the task. For comparison, we don't
> > > > >> require every user's browser to have a client cert to connect with
> > > > >> a webserver, like Paypal, and I use self-signed certs for some
> > > > >> internal web servers.
> > > > >>
> > > > >> In my case the objective is to encrypt the syslog data sent over the
> > > > >> network, but not to identify the sending machine.
> > > > >> Is there a way to have rsyslog use a self-signed certificate and
> > > > >> trust all the clients that connect over TLS?
> > > > >>
> > > > >> Some examples that suggest using a self-signed CA + clients:
> > > > >> https://access.redhat.com/solutions/519533
> > > > >> https://waqarafridi.wordpress.com/2015/11/16/configure-ssltls-between-two-rsyslog-systems/
> > > > >> And the list goes on.
> > > > >>
> > > > >> Best wishes,
> > > > >> Sophie
> > > > >>
> > > > >> _______________________________________________
> > > > >> rsyslog mailing list
> > > > >> http://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > >> http://www.rsyslog.com/professional-services/
> > > > >> What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > >> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
> > > > >> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
> > > > >> POST if you DON'T LIKE THAT.
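An added example, not part of the thread above and not rsyslog or librelp code: a small Python model of the two tls.authMode values the imrelp documentation Flo links to actually supports, "name" (the certificate's CN or dNSName checked against the tls.permittedpeer patterns) and "fingerprint" (pinning the certificate's hash). It reproduces the "no permitted name found, peer is ''" refusal from Sophie's server log when a client certificate carries no usable name, and shows why one client certificate shared by every sender pairs more naturally with fingerprint mode (a single pinned hash) than with name mode. The wildcard semantics (one '*' per dotted label, labels compared one to one, so "*.local" matches "a2.local" but not "x.y.local") and the uppercase "SHA1:AB:CD:..." fingerprint form are modelled on rsyslog's permittedPeer handling as I read it, not copied from the source, so check them against the rsyslog/librelp version you run. Every certificate name, the DER byte string and the function names are constructed for the example.

```python
"""Model of rsyslog-style peer authorization for TLS syslog (added example).

Not rsyslog or librelp code. Wildcard and fingerprint semantics are an
editor's model of permittedPeer handling (assumption: one '*' per dotted
label, labels matched one to one, SHA1 fingerprint written as
"SHA1:AB:CD:..."); verify against the sources for your version.
"""
import hashlib
from dataclasses import dataclass
from typing import Sequence


def _label_matches(pattern: str, label: str) -> bool:
    """Match one dotted label against one pattern label (at most one '*')."""
    if pattern.count("*") > 1:
        raise ValueError(f"more than one wildcard in {pattern!r}")
    if pattern == "*":
        return True
    if "*" not in pattern:
        return pattern.lower() == label.lower()
    prefix, suffix = pattern.lower().split("*", 1)
    label = label.lower()
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))


def peer_matches(pattern: str, peer_name: str) -> bool:
    """True if peer_name (a CN or dNSName SAN) satisfies one permittedPeer pattern."""
    if not peer_name:
        return False
    pat_labels = pattern.split(".")
    name_labels = peer_name.split(".")
    if len(pat_labels) != len(name_labels):
        return False  # '*' never spans a dot, so label counts must agree
    return all(_label_matches(p, n) for p, n in zip(pat_labels, name_labels))


@dataclass
class AuthResult:
    permitted: bool
    matched: str   # the cert name or fingerprint that matched, "" if none
    message: str   # log text modelled on the thread's rsyslog lines


def authorize_by_name(cert_names: Sequence[str], permitted: Sequence[str]) -> AuthResult:
    """tls.authMode="name": accept if any name in the cert matches any pattern."""
    for name in cert_names:
        for pat in permitted:
            if peer_matches(pat, name):
                return AuthResult(True, name, f"peer '{name}' permitted by '{pat}'")
    peer = cert_names[0] if cert_names else ""
    return AuthResult(False, "",
                      f"authentication error 'no permitted name found', peer is '{peer}'")


def fingerprint_of_der(der: bytes) -> str:
    """SHA1 of the DER certificate in the "SHA1:AB:CD:..." permittedPeer form."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return "SHA1:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def authorize_by_fingerprint(der: bytes, permitted: Sequence[str]) -> AuthResult:
    """tls.authMode="fingerprint": a shared client cert needs exactly one pinned entry."""
    fp = fingerprint_of_der(der)
    if fp in permitted:
        return AuthResult(True, fp, f"peer fingerprint '{fp}' permitted")
    return AuthResult(False, "", f"authentication error 'fingerprint not permitted', peer is '{fp}'")


def run_demo() -> dict:
    """Constructed scenarios mirroring the thread; returns case name -> permitted."""
    permitted = ["*.local"]
    shared_der = b"constructed bytes, not a real DER certificate"
    cases = {
        # client cert whose dNSName SAN is a2.local, the host in the gnutls log line
        "a2.local": authorize_by_name(["a2.local"], permitted),
        # cert without a CN/dNSName the collector can read -> peer is ''
        "no-name": authorize_by_name([], permitted),
        # '*' matches one label only, so a deeper hostname is refused
        "x.y.local": authorize_by_name(["x.y.local"], permitted),
        # one certificate shared by all clients, pinned by its fingerprint instead
        "shared-cert": authorize_by_fingerprint(shared_der, [fingerprint_of_der(shared_der)]),
    }
    return {k: v.permitted for k, v in cases.items()}


if __name__ == "__main__":
    for case, ok in run_demo().items():
        print(f"{case:12s} {'permitted' if ok else 'refused'}")
```

When a peer is refused in name mode, look first at what names the client certificate actually presents (CN and dNSName SANs): a pattern such as *.local cannot match a certificate that presents no name at all, which is what peer is '' in the log indicates, and no change to tls.permittedpeer will fix that.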

