Hi,

Replying to myself on the first question.

*Q1*. *RELP + TLS*

Got it working. Something was misconfigured on my side; once fixed, I got rid of
the TLS errors. I cannot explain the weird error I saw enqueuing
everything in my client in debug mode, but it worked on a fresh new server.

I also read in the doc: "a machine certificate could also be created for
multiple machines at once". Not recommended, but sometimes the only way to
go.

Regards,
Xavi

On 17 April 2015 at 11:52, Xavier Fustero <[email protected]> wrote:

> Hey guys,
>
> I have basically two questions related to sending logs using relp and
> encrypting them.
>
> *Q1*. *RELP + TLS*
>
> I tried to install a server and configure a client to be able to talk to
> the server using relp and tls a while ago and I got stuck on an error. I
> re-tried again using the latest rsyslog v8.9 but still cannot get it working.
>
> I have been following the instructions pointed at
> http://www.rsyslog.com/using-tls-with-relp/. I am getting a weird error.
> On the client side, if I set the permissions for my certificates like this
> (rsyslog runs under syslog):
> -rw-r--r-- 1 root root 1540 Apr 17 08:11 ca.pem
> -rw-r--r-- 1 root root 1585 Apr 17 08:11 rsyslog-client-cert.pem
> -rw-r--r-- 1 root root 1674 Apr 17 08:11 rsyslog-client-key.pem
>
> rsyslog in debug mode goes crazy, constantly outputting these
> lines:
>
> 2076.114715686:action 11 queue:Reg/w0: actionDoRetry: action 11
> action->tryResume returned -2006
> 2076.114723627:action 11 queue:Reg/w0: actionDoRetry: action 11 enter
> loop, iRetries=0
> 2076.114731490:action 11 queue:Reg/w0: actionDoRetry: action 11
> action->tryResume returned -2006
> 2076.114739394:action 11 queue:Reg/w0: actionDoRetry: action 11 enter
> loop, iRetries=0
> 2076.114747252:action 11 queue:Reg/w0: actionDoRetry: action 11
> action->tryResume returned -2006
> 2076.114755167:action 11 queue:Reg/w0: actionDoRetry: action 11 enter
> loop, iRetries=0
>
> and it starts creating files in the spooling area. However, if I change
> permissions for certificates to
>
> -rw-r----- 1 root root 1540 Apr 17 08:11 ca.pem
> -rw-r----- 1 root root 1585 Apr 17 08:11 rsyslog-client-cert.pem
> -rw-r----- 1 root root 1674 Apr 17 08:11 rsyslog-client-key.pem
>
> it stops this nonsense. However, I assume rsyslog, which is running as
> syslog, won't be able to read them. This, though, is not happening on my
> server. This is my template:
>
> if bla bla bla....
> action(type="omrelp" target="FQDN-my-rsyslog-server" port="XXX"
> template="hostID" tls="on"
>       tls.caCert="/etc/rsyslog-certs/ca.pem"
>       tls.myCert="/etc/rsyslog-certs/rsyslog-client-cert.pem"
>       tls.myPrivKey="/etc/rsyslog-certs/rsyslog-client-key.pem"
>       tls.authmode="name"
>       tls.permittedPeer=["FQDN-my-rsyslog-server"]
>       queue.filename="system_queue"
>       queue.type="linkedlist"
>       queue.spoolDirectory="/mnt/spool/rsyslog"
>       queue.highwatermark="8000"
>       queue.lowwatermark="6000"
>       queue.maxdiskspace="1g"
>       queue.timeoutenqueue="0"
>       queue.saveonshutdown="on"
>       queue.size="10000")
>
>
> When restricting permissions to avoid this error, I get this certificate
> error on both sides.
> *CLIENT*:
> Apr 17 09:35:01 kores-8 rsyslogd-2353: omrelp[FQDN-my-rsyslog-server:XXX]:
> error 'Failed to set certificate trust file [gnutls error -64: Error while
> reading file.]', object  'conn to srvr FQDN-my-rsyslog-server:XXX' - action
> may not work as intended [v8.9.0 try http://www.rsyslog.com/e/2353 ]
>
> *SERVER*:
> Apr 17 09:14:28 rsyslog rsyslogd-2353: imrelp[20501]: error 'TLS handshake
> failed [gnutls error -9: A TLS packet with unexpected length was
> received.]', object  'lstn 20501: conn to clt
> 54.145.126.40/ec2-54-145-126-40.compute-1.amazonaws.com' - input may not
> work as intended [v8.9.0 try http://www.rsyslog.com/e/2353 ]
> Apr 17 09:14:28 rsyslog rsyslogd-2353: imrelp[20501]: error 'TLS record
> write failed [gnutls error -10: The specified session has been invalidated
> for some reason.]', object  'lstn 20501: conn to clt
> 54.145.126.40/ec2-54-145-126-40.compute-1.amazonaws.com' - input may not
> work as intended [v8.9.0 try http://www.rsyslog.com/e/2353 ]
>
> but this is probably because rsyslog can not read them.
>
> I also have another question related to this. Not very familiar with TLS,
> but everything I read seems to oblige me to have a unique certificate for
> each client talking to the rsyslog server and a unique certificate for each
> rsyslog server aggregating logs. Is there a way to use a generic certificate
> for clients? Two things that make me think I need a unique certificate are
> these:
>
>    - dnsName when creating the certificate. It says we need to put the
>    FQDN of the machine holding the certificate
>
>    - the rsyslog directive:
>    tls.permittedpeer=["ubuntu-client1","ubuntu-client2","ubuntu-client3"]
>    which scares me if I have to add hundreds of clients to the rsyslog
>    config file.
>
>
> *Q2. RELP + stunnel*
>
> We are currently using relp + stunnel, but I noticed that when replacing any of
> our rsyslog servers (currently running 8.4), clients on a different net that
> are using relp+stunnel stop sending messages without even touching them. We
> need to go to each client and restart stunnel and rsyslog to make the clients
> forward messages again. All messages before restarting are lost. That is
> pretty bad considering the number of clients forwarding logs.
>
> Thanks a lot,
>
> Xavi
>
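The two listings quoted above show both sides of the Q1 failure mode: with mode 0644 the daemon (running as `syslog`) could read everything, but the client's private key was readable by every local user; with 0640 owned by root:root the key was protected, yet rsyslog could no longer open the files, which is what the gnutls "Error while reading file" message reports. The script below is an added example, not code from the thread or from the rsyslog project. It audits `ls -l` lines (the three constructed listings reproduce the thread's, plus a fixed layout owned root:syslog) and can run the same check against a live path. The uid/gid values 104/106 and the user and group names are constructed assumptions; `audit_path` relies on the Unix `pwd`/`grp` modules.

```python
"""Pre-flight audit of rsyslog TLS material (CA bundle, client cert, private key):
can the daemon's runtime user read each file, and is the private key or any
trust file exposed more widely than it should be?  Added example; the ids,
names and listings below are constructed to mirror the thread."""
import grp
import os
import pwd
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileOwnership:
    mode: int  # permission bits only, e.g. 0o640
    uid: int
    gid: int


def parse_symbolic_mode(perm: str) -> int:
    """Turn the nine permission chars of an `ls -l` line ('rw-r-----') into 0o640."""
    if len(perm) != 9:
        raise ValueError(f"expected 9 permission characters, got {perm!r}")
    bits = 0
    for ch in perm:
        # '-' means the bit is clear; 'S'/'T' mark set-id/sticky with no execute bit
        bits = (bits << 1) | (0 if ch in "-ST" else 1)
    return bits


def can_read(f: FileOwnership, uid: int, gids: frozenset) -> bool:
    """Classic DAC check: owner class, else group class, else 'other'; root bypasses."""
    if uid == 0:
        return True
    if f.uid == uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def audit_file(f: FileOwnership, uid: int, gids: frozenset, private_key: bool) -> list:
    """Return the list of problems with one file; empty when the file is fine."""
    findings = []
    if not can_read(f, uid, gids):
        # This is the state behind 'gnutls error -64: Error while reading file' in the thread
        findings.append("unreadable by daemon user")
    if private_key and f.mode & stat.S_IROTH:
        findings.append("private key is world-readable")
    if f.mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A writable CA bundle lets a local user add a CA the daemon will then trust
        findings.append("writable by group or others")
    return findings


# Constructed id maps: Debian/Ubuntu typically run rsyslog as user 'syslog'
USERS = {"root": 0, "syslog": 104}
GROUPS = {"root": 0, "syslog": 106}
DAEMON_UID = USERS["syslog"]
DAEMON_GIDS = frozenset({GROUPS["syslog"]})

# The two listings from the thread, plus a layout that fixes both problems (constructed)
LISTING_WORLD_READABLE = [
    "-rw-r--r-- 1 root root 1540 Apr 17 08:11 ca.pem",
    "-rw-r--r-- 1 root root 1585 Apr 17 08:11 rsyslog-client-cert.pem",
    "-rw-r--r-- 1 root root 1674 Apr 17 08:11 rsyslog-client-key.pem",
]
LISTING_RESTRICTED = [
    "-rw-r----- 1 root root 1540 Apr 17 08:11 ca.pem",
    "-rw-r----- 1 root root 1585 Apr 17 08:11 rsyslog-client-cert.pem",
    "-rw-r----- 1 root root 1674 Apr 17 08:11 rsyslog-client-key.pem",
]
LISTING_FIXED = [
    "-rw-r--r-- 1 root root 1540 Apr 17 08:11 ca.pem",
    "-rw-r--r-- 1 root root 1585 Apr 17 08:11 rsyslog-client-cert.pem",
    "-rw-r----- 1 root syslog 1674 Apr 17 08:11 rsyslog-client-key.pem",
]


def audit_listing(lines, uid=DAEMON_UID, gids=DAEMON_GIDS, users=USERS, groups=GROUPS) -> dict:
    """Audit `ls -l` lines; the file whose name ends in 'key.pem' is the private key."""
    results = {}
    for line in lines:
        fields = line.split()
        mode_str, owner, group, name = fields[0][1:10], fields[2], fields[3], fields[-1]
        f = FileOwnership(parse_symbolic_mode(mode_str), users[owner], groups[group])
        results[name] = audit_file(f, uid, gids, private_key=name.endswith("key.pem"))
    return results


def audit_path(path: str, service_user: str, private_key: bool) -> list:
    """Same check against the live filesystem, resolving the service user via pwd/grp."""
    pw = pwd.getpwnam(service_user)
    gids = frozenset([pw.pw_gid] + [g.gr_gid for g in grp.getgrall() if service_user in g.gr_mem])
    st = os.stat(path)
    owned = FileOwnership(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return audit_file(owned, pw.pw_uid, gids, private_key)


if __name__ == "__main__":
    for label, listing in [("world-readable", LISTING_WORLD_READABLE),
                           ("restricted", LISTING_RESTRICTED), ("fixed", LISTING_FIXED)]:
        print(label, audit_listing(listing))
```

On a real host, `audit_path("/etc/rsyslog-certs/rsyslog-client-key.pem", "syslog", private_key=True)` before restarting the daemon tells you whether the key is both readable by rsyslog and hidden from everyone else; the fixed layout keeps the CA and certificate world-readable (they are public material) and gives only the key to the service group.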
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.