Hi, thanks Radu for your feedback!

On the client and the server all rsyslog and gnutls versions are the same.
I did recreate the certs with openssl, instead of the certutil as described
in the docs.

I now have this working, it's just like yesterday's issue a case of using
new and old configuration *together* to make it work...
But doing this seems to also cause some strange issues... I can imagine
that this isn't really a well tested configuration (mixing old and new).

Current config on the sender:
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeers "logmanagement.xxx.yy"
action(
type="omfwd"
target="192.168.124.100"
port="6514"
protocol="tcp"
template="RSYSLOG_SyslogProtocol23Format"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="logmanagement.xxx.yy"
)
Without the legacy options (including
$ActionSendStreamDriverPermittedPeers) rsyslogd won't even start.
And with these options my log looks like this:
Nov 5 10:59:49 logmanagement-client rsyslogd-3003: invalid or yet-unknown
config file command 'ActionSendStreamDriverPermittedPeers' - have you
forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
Nov 5 10:59:26 logmanagement-client systemd: Stopping System Logging
Service...
Nov 5 10:59:26 logmanagement-client systemd: rsyslog.service: main process
exited, code=killed, status=6/ABRT
Nov 5 10:59:26 logmanagement-client systemd: Unit rsyslog.service entered
failed state.
Nov 5 10:59:26 logmanagement-client systemd: Starting System Logging
Service...
yikes -> Nov 5 10:59:26 logmanagement-client kernel: traps: rsyslogd[4698]
general protection ip:7fd55a8584bd sp:7ffe547d5f90 error:0 in libc-2.17.so
[7fd55a7dc000+1b6000]
When I comment out the StreamDriverPermittedPeers, I get:
Nov 5 11:02:58 logmanagement-client rsyslogd-2088: error: peer name not
authorized - not permitted to talk to it. Names: CN:
logmanagement.xxx.yy; [try http://www.rsyslog.com/e/2088 ]
So with this "hybrid" config I can transfer logs over the tls channel. But
unfortunately the system is not really stable, I have seen some segfaults
and the general protection errors in the above log make me a bit wary of using
this in a production setting. Any suggestions/hints on this specific error
and/or the segfaults?
Thanks again!
Regards,
Jörgen
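
Added example (not part of the original post and not rsyslog code): the
thread's diagnosis came from a packet capture showing readable syslog on
port 6514, and the same check can confirm that a changed sender config
really starts TLS. The function names and sample byte strings below are
constructed for illustration; the input is assumed to be the first
client-to-server payload bytes of each TCP session.

```python
import re
import struct

# RFC 5424 header start "<PRI>1 ", optionally preceded by an RFC 6587
# octet count ("71 "). RSYSLOG_SyslogProtocol23Format emits this header.
SYSLOG_RE = re.compile(rb"^(?:\d{1,7} )?<(\d{1,3})>1 ")

TLS_HANDSHAKE = 22               # TLS record content type
CLIENT_HELLO = 1                 # handshake message type
MAX_RECORD_LEN = 2**14 + 2048    # upper bound for a TLS record fragment


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client->server bytes of a TCP session.

    Returns "tls-client-hello", "plaintext-syslog", "incomplete" or "unknown".
    """
    m = SYSLOG_RE.match(payload)
    if m and int(m.group(1)) <= 191:     # PRI = facility * 8 + severity
        return "plaintext-syslog"
    if len(payload) < 6:
        return "incomplete"
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if (ctype == TLS_HANDSHAKE and major == 3 and minor <= 4
            and 0 < length <= MAX_RECORD_LEN and payload[5] == CLIENT_HELLO):
        return "tls-client-hello"
    return "unknown"


def audit_sessions(sessions: dict) -> list:
    """Return the session keys whose first bytes are not a TLS ClientHello."""
    return [key for key, data in sessions.items()
            if classify_first_bytes(data) != "tls-client-hello"]


# Constructed samples (not taken from the capture mentioned in the thread).
SAMPLES = {
    "tls": bytes.fromhex("16030100c5010000c10303") + b"\x00" * 32,
    "plain": b"<13>1 2015-11-05T06:10:50+01:00 logmanagement-client test - - - hello",
    "framed": b"71 <13>1 2015-11-05T06:10:50+01:00 logmanagement-client test - - - hi",
    "short": b"\x16\x03",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_first_bytes(data))
```

Any session to the TLS listener that audit_sessions() returns is a sender
that is still forwarding in the clear or did not begin a handshake.
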
On Thu, Nov 5, 2015 at 8:07 AM, Radu Gheorghe <[email protected]>
wrote:
> Hello,
>
> We had this problem at one point when having different versions of
> rsyslog (and/or gnutls) acting as client and server. Another time when
> I encountered this was when I didn't set up certificates properly.
>
> I hope this helps.
>
> Best regards,
> Radu
> --
> Performance Monitoring * Log Analytics * Search Analytics
> Solr & Elasticsearch Support * http://sematext.com/
>
>
> On Thu, Nov 5, 2015 at 7:27 AM, Jörgen Maas <[email protected]> wrote:
> > Hi all,
> >
> > With yesterday's help I've succeeded in setting up a TLS listener. I also
> > set up a forwarder as described in:
> >
> > http://blog.sematext.com/2014/03/25/encrypting-logs-on-their-way-to-elasticsearch-part-2-tls-syslog/
> >
> > On the server side I see this in my logs:
> > Nov 5 06:10:50 logmanagement rsyslogd-2083: gnutls returned error on
> > handshake: An unexpected TLS packet was received.
> >
> > I captured the network sessions and the messages are sent with plain tcp
> > (readable), so that explains the server side log entry.
> >
> > This is my client side config:
> >
> > action(
> > type="omfwd"
> > target="192.168.124.100"
> > port="6514"
> > protocol="tcp"
> > template="RSYSLOG_SyslogProtocol23Format"
> > StreamDriver="gtls"
> > StreamDriverMode="1"
> > StreamDriverAuthMode="x509/name"
> > StreamDriverPermittedPeers="logmanagement.xxx.yyy"
> > )
> >
> > The "gtls" default settings are set in the global() section, as discussed
> > yesterday.
> >
> > Software version:
> > rsyslog-7.4.7-7.el7_1.1.x86_64
> >
> >
> > What am I missing here?
> >
> > Thanks!
> >
> >
> > Regards,
> > Jörgen
> > _______________________________________________
> > rsyslog mailing list
> > http://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.