Hey guys, I have basically two questions related to sending logs using relp and encrypting them.

*Q1*. *RELP + TLS*

I tried to install a server and configure a client to be able to talk to the server using relp and tls a while ago and I got stuck on an error. I re-tried again using latest rsyslog v8.9 but still can not have it working. I have been following the instructions pointed at http://www.rsyslog.com/using-tls-with-relp/. I am getting a weird error.

On the client side, if I set the permissions for my certificates like this (rsyslog runs under syslog):

    -rw-r--r-- 1 root root 1540 Apr 17 08:11 ca.pem
    -rw-r--r-- 1 root root 1585 Apr 17 08:11 rsyslog-client-cert.pem
    -rw-r--r-- 1 root root 1674 Apr 17 08:11 rsyslog-client-key.pem

rsyslog in debug mode gets crazy, just constantly outputting these lines:

    2076.114715686:action 11 queue:Reg/w0: actionDoRetry: action 11 action->tryResume returned -2006
    2076.114723627:action 11 queue:Reg/w0: actionDoRetry: action 11 enter loop, iRetries=0
    2076.114731490:action 11 queue:Reg/w0: actionDoRetry: action 11 action->tryResume returned -2006
    2076.114739394:action 11 queue:Reg/w0: actionDoRetry: action 11 enter loop, iRetries=0
    2076.114747252:action 11 queue:Reg/w0: actionDoRetry: action 11 action->tryResume returned -2006
    2076.114755167:action 11 queue:Reg/w0: actionDoRetry: action 11 enter loop, iRetries=0

and it starts creating files in the spooling area. However, if I change permissions for certificates to

    -rw-r----- 1 root root 1540 Apr 17 08:11 ca.pem
    -rw-r----- 1 root root 1585 Apr 17 08:11 rsyslog-client-cert.pem
    -rw-r----- 1 root root 1674 Apr 17 08:11 rsyslog-client-key.pem

it stops this nonsense. However I assume rsyslog, which is running as syslog, won't be able to read them. This, though, is not happening on my server.

This is my template:

    if bla bla bla....
    action(type="omrelp"
           target="FQDN-my-rsyslog-server"
           port="XXX"
           template="hostID"
           tls="on"
           tls.caCert="/etc/rsyslog-certs/ca.pem"
           tls.myCert="/etc/rsyslog-certs/rsyslog-client-cert.pem"
           tls.myPrivKey="/etc/rsyslog-certs/rsyslog-client-key.pem"
           tls.authmode="name"
           tls.permittedPeer=["FQDN-my-rsyslog-server"]
           queue.filename="system_queue"
           queue.type="linkedlist"
           queue.spoolDirectory="/mnt/spool/rsyslog"
           queue.highwatermark="8000"
           queue.lowwatermark="6000"
           queue.maxdiskspace="1g"
           queue.timeoutenqueue="0"
           queue.saveonshutdown="on"
           queue.size="10000")

When restricting permissions to avoid this error I get this certificate error on both sides.

*CLIENT*:

    Apr 17 09:35:01 kores-8 rsyslogd-2353: omrelp[FQDN-my-rsyslog-server:XXX]: error 'Failed to set certificate trust file [gnutls error -64: Error while reading file.]', object 'conn to srvr FQDN-my-rsyslog-server:XXX' - action may not work as intended [v8.9.0 try http://www.rsyslog.com/e/2353 ]

*SERVER*:

    Apr 17 09:14:28 rsyslog rsyslogd-2353: imrelp[20501]: error 'TLS handshake failed [gnutls error -9: A TLS packet with unexpected length was received.]', object 'lstn 20501: conn to clt 54.145.126.40/ec2-54-145-126-40.compute-1.amazonaws.com' - input may not work as intended [v8.9.0 try http://www.rsyslog.com/e/2353 ]
    Apr 17 09:14:28 rsyslog rsyslogd-2353: imrelp[20501]: error 'TLS record write failed [gnutls error -10: The specified session has been invalidated for some reason.]', object 'lstn 20501: conn to clt 54.145.126.40/ec2-54-145-126-40.compute-1.amazonaws.com' - input may not work as intended [v8.9.0 try http://www.rsyslog.com/e/2353 ]

but this is probably because rsyslog can not read them.

I also have another question related to this. Not very familiar with TLS, but from all I read it seems to obligate me to have a unique certificate for each client talking to the rsyslog server and a unique certificate for each rsyslog server aggregating logs. Is there a way to use a generic certificate for clients?

Two things that make me think I need a unique certificate are these:

- dnsName when creating the certificate. It says we need to put the FQDN of the machine holding the certificate
- the rsyslog directive: tls.permittedpeer=["ubuntu-client1","ubuntu-client2","ubuntu-client3"] which scares me if I have to add hundreds of clients on the rsyslog config file.

*Q2. RELP + stunnel*

We are currently using relp + stunnel but I noticed when replacing any of our rsyslog servers (currently running 8.4) clients on a different net that are using relp+stunnel stop sending messages without even touching them. We need to go to each client and restart stunnel and rsyslog to make the client forward messages again. All messages before restarting are lost. That is pretty bad considering the amount of clients fwd logs.

Thanks a lot,
Xavi

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
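Added example, not from Xavi's post and not part of rsyslog: a small POSIX shell helper for the permission question in Q1. It decides from mode and ownership whether the account rsyslog runs as (assumed to be "syslog", as in the post) can read the cert and key files named in the omrelp action, and flags a private key whose "other" read bit makes it readable by every local account. The check_file wrapper assumes GNU stat and id on Linux.

```shell
#!/bin/sh
# Added example, not part of the original post or of rsyslog itself.
# Answers "can the account rsyslog runs as read these files?" from mode and
# ownership, and flags private keys readable by every local account.
# can_read MODE OWNER GROUP USER [GROUP...]
#   MODE   octal digits as printed by `stat -c %a` (640, 0640, 2750 ...)
#   USER   the daemon account (assumed "syslog" here); remaining
#          arguments are the groups that account belongs to.
# Returns 0 when USER can read the file. root bypasses mode bits.
can_read() {
    mode=$(printf '%s' "$1" | tail -c 3)   # keep owner/group/other digits
    owner=$2 group=$3 user=$4; shift 4
    [ "$user" = root ] && return 0
    u=$(printf '%s' "$mode" | cut -c1)
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    bits=$o                                # default: the "other" bits
    if [ "$user" = "$owner" ]; then
        bits=$u
    else
        for grp in "$@"; do
            [ "$grp" = "$group" ] && bits=$g && break
        done
    fi
    [ $((bits & 4)) -ne 0 ]
}

# key_exposed MODE: true when the "other" read bit is set, i.e. any
# local account could copy the private key (the 0644 layout in the post).
key_exposed() {
    [ $(( $(printf '%s' "$1" | tail -c 1) & 4 )) -ne 0 ]
}

# check_file PATH USER: run both checks on a real file (GNU stat/id, Linux).
check_file() {
    info=$(stat -c '%a %U %G' "$1") || return 2
    set -- "$1" "$2" $info                 # $3=mode $4=owner $5=group
    groups=$(id -Gn "$2" 2>/dev/null)      # left unquoted below: split on spaces
    if can_read "$3" "$4" "$5" "$2" $groups; then
        echo "OK   $2 can read $1 ($3 $4:$5)"
    else
        echo "FAIL $2 cannot read $1 ($3 $4:$5)"
    fi
    case $1 in
        *key*) if key_exposed "$3"; then echo "WARN $1 is world-readable"; fi;;
    esac
}
# Usage: RSYSLOG_USER=syslog sh certperms.sh /etc/rsyslog-certs/*.pem
for f in "$@"; do check_file "$f" "${RSYSLOG_USER:-syslog}"; done
```

A root:syslog 0640 layout is the one that passes can_read without tripping key_exposed.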

