Hello Jörgen,

So if you "translate" the $Action... directives into RainerScript it doesn't work at all? And you also don't get any configuration errors? Then it would be a bug.

Best regards,
Radu
--
Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Thu, Nov 5, 2015 at 2:22 PM, Jörgen Maas <[email protected]> wrote:
> Hi, thanks Radu for your feedback!
>
> On the client and the server all rsyslog and gnutls versions are the same.
> I did recreate the certs with openssl, instead of the certutil as described
> in the docs.
> I now have this working, it's just like yesterday's issue a case of using
> new and old configuration *together* to make it work...
>
> But doing this seems to also cause some strange issues... I can imagine
> that this isn't really a well tested configuration (mixing old and new).
> Current config on the sender:
>
> $ActionSendStreamDriver gtls
> $ActionSendStreamDriverMode 1
> $ActionSendStreamDriverAuthMode x509/name
> $ActionSendStreamDriverPermittedPeers "logmanagement.xxx.yy"
>
> action(
>     type="omfwd"
>     target="192.168.124.100"
>     port="6514"
>     protocol="tcp"
>     template="RSYSLOG_SyslogProtocol23Format"
>     StreamDriver="gtls"
>     StreamDriverMode="1"
>     StreamDriverAuthMode="x509/name"
>     StreamDriverPermittedPeers="logmanagement.xxx.yy"
> )
>
> Without the legacy options (including
> $ActionSendStreamDriverPermittedPeers) rsyslogd won't even start.
> And with these options my log looks like this:
>
> Nov 5 10:59:49 logmanagement-client rsyslogd-3003: invalid or yet-unknown config file command 'ActionSendStreamDriverPermittedPeers' - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
> Nov 5 10:59:26 logmanagement-client systemd: Stopping System Logging Service...
> Nov 5 10:59:26 logmanagement-client systemd: rsyslog.service: main process exited, code=killed, status=6/ABRT
> Nov 5 10:59:26 logmanagement-client systemd: Unit rsyslog.service entered failed state.
> Nov 5 10:59:26 logmanagement-client systemd: Starting System Logging Service...
> yikes -> Nov 5 10:59:26 logmanagement-client kernel: traps: rsyslogd[4698] general protection ip:7fd55a8584bd sp:7ffe547d5f90 error:0 in libc-2.17.so [7fd55a7dc000+1b6000]
>
> When I comment out the StreamDriverPermittedPeers, I get:
>
> Nov 5 11:02:58 logmanagement-client rsyslogd-2088: error: peer name not authorized - not permitted to talk to it. Names: CN: logmanagement.xxx.yy; [try http://www.rsyslog.com/e/2088 ]
>
> So with this "hybrid" config I can transfer logs over the tls channel. But
> unfortunately the system is not really stable, I have seen some segfaults
> and the general protection errors in the above log make me a bit wary of
> using this in a production setting. Any suggestions/hints on this specific
> error and/or the segfaults?
>
> Thanks again!
>
> Regards,
> Jörgen
>
> On Thu, Nov 5, 2015 at 8:07 AM, Radu Gheorghe <[email protected]> wrote:
>
>> Hello,
>>
>> We had this problem at one point when having different versions of
>> rsyslog (and/or gnutls) acting as client and server. Another time when
>> I encountered this was when I didn't set up certificates properly.
>>
>> I hope this helps.
>>
>> Best regards,
>> Radu
>> --
>> Performance Monitoring * Log Analytics * Search Analytics
>> Solr & Elasticsearch Support * http://sematext.com/
>>
>>
>> On Thu, Nov 5, 2015 at 7:27 AM, Jörgen Maas <[email protected]> wrote:
>> > Hi all,
>> >
>> > With yesterday's help I've succeeded in setting up a TLS listener. I also
>> > set up a forwarder as described in:
>> > http://blog.sematext.com/2014/03/25/encrypting-logs-on-their-way-to-elasticsearch-part-2-tls-syslog/
>> >
>> > On the server side I see this in my logs:
>> > Nov 5 06:10:50 logmanagement rsyslogd-2083: gnutls returned error on handshake: An unexpected TLS packet was received.
>> >
>> > I captured the network sessions and the messages are sent with plain tcp
>> > (readable), so that explains the server side log entry.
>> >
>> > This is my client side config:
>> >
>> > action(
>> >     type="omfwd"
>> >     target="192.168.124.100"
>> >     port="6514"
>> >     protocol="tcp"
>> >     template="RSYSLOG_SyslogProtocol23Format"
>> >     StreamDriver="gtls"
>> >     StreamDriverMode="1"
>> >     StreamDriverAuthMode="x509/name"
>> >     StreamDriverPermittedPeers="logmanagement.xxx.yyy"
>> > )
>> >
>> > The "gtls" default settings are set in the global() section, as discussed
>> > yesterday.
>> >
>> > Software version:
>> > rsyslog-7.4.7-7.el7_1.1.x86_64
>> >
>> >
>> > What am I missing here?
>> >
>> > Thanks!
>> >
>> >
>> > Regards,
>> > Jörgen
>> > _______________________________________________
>> > rsyslog mailing list
>> > http://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com/professional-services/
>> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
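
Added example (not part of the thread, and not rsyslog's own code): the check described in the first message, where a capture showed readable syslog on the TLS port, written as a small classifier. It assumes the first client-to-server payload bytes of each TCP session have already been extracted from a capture; the function names and the sample payloads are hypothetical and constructed for illustration.

```python
import re

# RFC 5424 header start as produced by RSYSLOG_SyslogProtocol23Format: "<PRI>1 ",
# optionally preceded by an octet-counting frame length ("68 <PRI>1 ...").
_SYSLOG = re.compile(rb"^(?:\d{1,7} )?<(\d{1,3})>1 ")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP session."""
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES:
        major, minor = payload[1], payload[2]
        length = int.from_bytes(payload[3:5], "big")
        # TLS record header: version 3.x, body at most 2^14 plus expansion.
        if major == 3 and minor <= 4 and 0 < length <= 2**14 + 2048:
            if payload[0] == 22 and len(payload) > 5 and payload[5] == 1:
                return "tls-client-hello"
            return "tls-record"
    m = _SYSLOG.match(payload)
    if m and int(m.group(1)) <= 191:  # highest valid PRI is 23*8+7
        return "plaintext-syslog"
    return "unknown"


def audit(sessions: dict) -> list:
    """Return the names of sessions that do not open with a TLS ClientHello."""
    return sorted(name for name, data in sessions.items()
                  if classify_first_bytes(data) != "tls-client-hello")


# Constructed sample payloads (not taken from the capture in the thread).
CLIENT_HELLO = bytes([22, 3, 1, 0, 47, 1, 0, 0, 43, 3, 3]) + bytes(41)
PLAIN = b"<30>1 2015-11-05T06:10:50+01:00 logmanagement-client app - - - test\n"
FRAMED = str(len(PLAIN)).encode() + b" " + PLAIN
SAMPLES = {"tls": CLIENT_HELLO, "plain": PLAIN, "framed": FRAMED,
           "junk": b"GET / HTTP/1.1\r\n"}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:8} {classify_first_bytes(data)}")
    print("not TLS:", audit(SAMPLES))
```

A session reported as plaintext-syslog on port 6514 means the sender's stream driver settings were not applied, which matches the server-side "An unexpected TLS packet was received" error quoted above.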

