Hey guys,

I have basically two questions related to sending logs using relp and
encrypting them.

*Q1*. *RELP + TLS*

I tried to install a server and configure a client to be able to talk to
the server using relp and tls a while ago and I got stuck on an error. I
retried using the latest rsyslog v8.9 but still cannot get it working.

I have been following the instructions pointed at
http://www.rsyslog.com/using-tls-with-relp/. I am getting a weird error. On
the client side, if I set the permissions for my certificates like this
(rsyslog runs under syslog):
-rw-r--r-- 1 root root 1540 Apr 17 08:11 ca.pem
-rw-r--r-- 1 root root 1585 Apr 17 08:11 rsyslog-client-cert.pem
-rw-r--r-- 1 root root 1674 Apr 17 08:11 rsyslog-client-key.pem

rsyslog in debug mode goes crazy, constantly outputting the following lines:

2076.114715686:action 11 queue:Reg/w0: actionDoRetry: action 11 action->tryResume returned -2006
2076.114723627:action 11 queue:Reg/w0: actionDoRetry: action 11 enter loop, iRetries=0
2076.114731490:action 11 queue:Reg/w0: actionDoRetry: action 11 action->tryResume returned -2006
2076.114739394:action 11 queue:Reg/w0: actionDoRetry: action 11 enter loop, iRetries=0
2076.114747252:action 11 queue:Reg/w0: actionDoRetry: action 11 action->tryResume returned -2006
2076.114755167:action 11 queue:Reg/w0: actionDoRetry: action 11 enter loop, iRetries=0

and it starts creating files in the spooling area. However, if I change
permissions for certificates to

-rw-r----- 1 root root 1540 Apr 17 08:11 ca.pem
-rw-r----- 1 root root 1585 Apr 17 08:11 rsyslog-client-cert.pem
-rw-r----- 1 root root 1674 Apr 17 08:11 rsyslog-client-key.pem

it stops this nonsense. However, I assume rsyslog, which is running as syslog,
won't be able to read them. This, though, is not happening on my server.
This is my template:

if bla bla bla....
action(type="omrelp" target="FQDN-my-rsyslog-server" port="XXX"
template="hostID" tls="on"
      tls.caCert="/etc/rsyslog-certs/ca.pem"
      tls.myCert="/etc/rsyslog-certs/rsyslog-client-cert.pem"
      tls.myPrivKey="/etc/rsyslog-certs/rsyslog-client-key.pem"
      tls.authmode="name"
      tls.permittedPeer=["FQDN-my-rsyslog-server"]
      queue.filename="system_queue"
      queue.type="linkedlist"
      queue.spoolDirectory="/mnt/spool/rsyslog"
      queue.highwatermark="8000"
      queue.lowwatermark="6000"
      queue.maxdiskspace="1g"
      queue.timeoutenqueue="0"
      queue.saveonshutdown="on"
      queue.size="10000")

When I restrict permissions to avoid this error, I get these certificate
errors on both sides.
*CLIENT*:
Apr 17 09:35:01 kores-8 rsyslogd-2353: omrelp[FQDN-my-rsyslog-server:XXX]: error 'Failed to set certificate trust file [gnutls error -64: Error while reading file.]', object  'conn to srvr FQDN-my-rsyslog-server:XXX' - action may not work as intended [v8.9.0 try http://www.rsyslog.com/e/2353 ]

*SERVER*:
Apr 17 09:14:28 rsyslog rsyslogd-2353: imrelp[20501]: error 'TLS handshake failed [gnutls error -9: A TLS packet with unexpected length was received.]', object  'lstn 20501: conn to clt 54.145.126.40/ec2-54-145-126-40.compute-1.amazonaws.com' - input may not work as intended [v8.9.0 try http://www.rsyslog.com/e/2353 ]
Apr 17 09:14:28 rsyslog rsyslogd-2353: imrelp[20501]: error 'TLS record write failed [gnutls error -10: The specified session has been invalidated for some reason.]', object  'lstn 20501: conn to clt 54.145.126.40/ec2-54-145-126-40.compute-1.amazonaws.com' - input may not work as intended [v8.9.0 try http://www.rsyslog.com/e/2353 ]

but this is probably because rsyslog cannot read them.

I also have another question related to this. I'm not very familiar with TLS,
but everything I read seems to oblige me to have a unique certificate for each
client talking to the rsyslog server and a unique certificate for each
rsyslog server aggregating logs. Is there a way to use a generic certificate
for clients? Two things that make me think I need a unique certificate are
these:

   - dnsName when creating the certificate. It says we need to put the FQDN
   of the machine holding the certificate
   - the rsyslog directive:
   tls.permittedpeer=["ubuntu-client1","ubuntu-client2","ubuntu-client3"]
   which scares me if I have to add hundreds of clients to the rsyslog
   config file.


*Q2. RELP + stunnel*

We are currently using relp + stunnel, but I noticed that when replacing any of
our rsyslog servers (currently running 8.4), clients on a different net that
are using relp+stunnel stop sending messages without us even touching them. We
need to go to each client and restart stunnel and rsyslog to make the client
forward messages again. All messages before restarting are lost. That is
pretty bad considering the number of clients forwarding logs.

Thanks a lot,

Xavi
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
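The permission problem in Q1 (certificates owned root:root with mode 640 while rsyslogd runs as "syslog", so the trust file cannot be read and the action loops in tryResume) is easy to verify before restarting anything. The script below is an added example, not part of the original message or of the rsyslog project: it pulls the tls.caCert / tls.myCert / tls.myPrivKey paths out of an omrelp action (a constructed copy of the one in the post) and reports whether the rsyslog runtime user can read each file according to the classic owner/group/other mode bits. The live check assumes GNU stat and id (Linux) and that the runtime user is named in RSYSLOG_USER (default "syslog"); ACLs and AppArmor/SELinux confinement, which can also deny the read, are not modelled.

```shell
#!/bin/sh
# Added example (not from the original post): can the account rsyslog runs as
# read the TLS files named in an omrelp action? Mode 640 owned root:root, as in
# the post, fails this check; 644, or 640 owned root:syslog, passes it.
# Assumptions: GNU stat/id for the live check; can_read itself is portable sh.
# ACLs and mandatory access control (AppArmor/SELinux) are not modelled.

RSYSLOG_USER=${RSYSLOG_USER:-syslog}

# Constructed sample: the tls.* parameters of the action quoted in the post.
SAMPLE_CONF='action(type="omrelp" target="FQDN-my-rsyslog-server" port="XXX"
template="hostID" tls="on"
      tls.caCert="/etc/rsyslog-certs/ca.pem"
      tls.myCert="/etc/rsyslog-certs/rsyslog-client-cert.pem"
      tls.myPrivKey="/etc/rsyslog-certs/rsyslog-client-key.pem"
      tls.authmode="name")'

# extract_tls_paths CONFIG_TEXT: print the values of tls.caCert, tls.myCert and
# tls.myPrivKey, one per line (assumes one parameter per config line).
extract_tls_paths() {
    printf '%s\n' "$1" | awk '
        match($0, /tls\.(caCert|myCert|myPrivKey)="[^"]*"/) {
            v = substr($0, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", v); sub(/"$/, "", v)
            print v
        }'
}

# in_list WORD "w1 w2 ...": succeed if WORD is one of the words.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# can_read MODE OWNER GROUP USER "USER_GROUPS": classic Unix mode-bit check.
# MODE is octal as printed by stat %a ("640", "40", "4755"). Root always reads.
# Exactly one class applies: owner bits if USER owns the file, otherwise group
# bits if USER is in GROUP, otherwise the other bits.
can_read() {
    mode=$1 owner=$2 group=$3 user=$4 user_groups=$5
    [ "$user" = root ] && return 0
    m=000$mode; m=${m#"${m%???}"}          # keep the last three digits: u g o
    u=${m%??}; g=${m#?}; g=${g%?}; o=${m#??}
    if [ "$user" = "$owner" ]; then bit=$u
    elif in_list "$group" "$user_groups"; then bit=$g
    else bit=$o; fi
    case $bit in 4|5|6|7) return 0 ;; *) return 1 ;; esac   # read bit is 4
}

# check_file PATH USER: report OK / UNREADABLE / MISSING for one file.
check_file() {
    f=$1 who=$2
    [ -e "$f" ] || { echo "MISSING    $f"; return 2; }
    set -- $(stat -c '%a %U %G' "$f")          # GNU stat: mode owner group
    if can_read "$1" "$2" "$3" "$who" "$(id -Gn "$who" 2>/dev/null)"; then
        echo "OK         $f ($1 $2:$3)"
    else
        echo "UNREADABLE $f ($1 $2:$3) for $who; e.g. chgrp $who $f && chmod 640 $f"
        return 1
    fi
}

# main: check every TLS file of the sample action; fails if any is unreadable.
main() {
    rc=0
    for f in $(extract_tls_paths "$SAMPLE_CONF"); do   # paths without spaces
        check_file "$f" "$RSYSLOG_USER" || rc=1
    done
    return $rc
}

main || echo "one or more TLS files are not readable by $RSYSLOG_USER"
```

To use it on a real host, replace SAMPLE_CONF with the output of `cat /etc/rsyslog.d/*.conf` (or the file holding the omrelp action). The check only covers the three files themselves; every directory on the path to them also needs the search (x) bit for the runtime user, and a key that is world-readable (644) satisfies the check but exposes the client's private key, so the root:syslog 640 layout that the script suggests is the one to aim for.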