I had tried adding the specific tls.* options for the certs to the relp
config, but it seemed like it insisted on using the ca.pem set up for
the default netstream driver. I did just implement two rsyslog
processes, which is good for now, so this question is a little bit
academic - kind of a "You should be able to do this and it bothers me
that I couldn't get it working" 8-)
Florian Riedl <mailto:[email protected]>
October 26, 2018 at 6:40 AM
For imtcp you must set the certificates through the $DefaultNetstreamDriver
options as you have set them in file 1.
In imrelp you can then set the different certificates in the module
parameters. See:
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html?highlight=TLS
If I remember correctly, this stems from the requirement to have different
sets of certificates for both modules, which was not required before imrelp
got TLS support. But, the way it is set in imrelp did not find its way into
imtcp, because this is a) quite some effort to rewrite the code, b) there
is no hard requirement to do that because it works, c) nobody said "I want
it this way and I am willing to sponsor the changes" and d) nobody said
"here I made the changes so it works like this and that, please review and
add my pull request".
I hope this helps.
Florian
On Fri, 26 Oct 2018 at 10:15, Peter Viskup via rsyslog <
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
if you DON'T LIKE THAT.
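A single-instance configuration of the kind Florian describes, as an added example that is not from the thread: the imtcp listener takes its certificates from the global defaults, while the imrelp input() carries its own tls.cacert/tls.mycert/tls.myprivkey. Paths, ports, the collector address and the fingerprint are placeholders reused or assumed from the thread, and the stricter imtcp auth mode is this example's choice, not the poster's.

```rsyslog
# Single rsyslog instance, two TLS listeners, two certificate sets.
# Added example (not the thread's configuration); all paths, ports and the
# fingerprint below are placeholders to adapt.

global(
  workDirectory="/export/rsyslog"
  defaultNetstreamDriver="gtls"
  # imtcp has no per-input certificate options: it always uses these defaults
  defaultNetstreamDriverCAFile="/opt/rsyslog/certs/ca.pem"
  defaultNetstreamDriverCertFile="/opt/rsyslog/certs/cert.pem"
  defaultNetstreamDriverKeyFile="/opt/rsyslog/certs/key.pem"
)

# Plain TLS syslog listener using the default driver settings.
# AuthMode "anon" (as in the thread) encrypts but does not authenticate
# clients; "x509/name" plus PermittedPeer restricts who may send.
module(load="imtcp" MaxSessions="65534"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.com"])
input(type="imtcp" port="110" ruleset="remote")

# RELP listener with its own CA/cert/key, set on the input() itself, so it
# does not fall back to the ca.pem configured in global() above.
module(load="imrelp")
input(type="imrelp" port="114" ruleset="relp"
      tls="on" tls.compression="on"
      tls.cacert="/opt/rsyslog/certs/relp/ca.pem"
      tls.mycert="/opt/rsyslog/certs/relp/cert.pem"
      tls.myprivkey="/opt/rsyslog/certs/relp/key.pem"
      tls.authmode="fingerprint"
      tls.permittedpeer=["SHA1:PLACEHOLDER-CLIENT-CERT-FINGERPRINT"])

# Both rulesets forward to the same collector over a disk-assisted queue,
# each with its own queue file so the two listeners never share spool state.
ruleset(name="remote") {
  action(type="omfwd" target="10.66.13.148" port="8514" protocol="tcp"
         queue.type="LinkedList" queue.filename="srvrfwd"
         queue.saveOnShutdown="on" action.resumeRetryCount="-1")
}
ruleset(name="relp") {
  action(type="omfwd" target="10.66.13.148" port="8514" protocol="tcp"
         queue.type="LinkedList" queue.filename="srvrfws"
         queue.saveOnShutdown="on" action.resumeRetryCount="-1")
}
```

Run `rsyslogd -N1 -f <file>` to syntax-check before reloading; a listener that silently uses the wrong CA shows up as the TLS handshake errors described in the thread.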
Peter Viskup <mailto:[email protected]>
October 26, 2018 at 1:15 AM
Show the final config you are trying to run.
It could be related to $DefaultNetstreamDriver* options which should
be mentioned only once.
https://www.rsyslog.com/doc/v8-stable/rainerscript/global.html?highlight=defaultnetstreamdriver
In case it is needed, you can copy the systemd rsyslog.service file and
create a new one for the second instance (both running different certs).
http://rsyslog-users.1305293.n2.nabble.com/Mix-of-GTLS-and-PTCP-listeners-running-same-instance-td7591434.html#a7591445
Peter
On Thu, Oct 25, 2018 at 11:22 PM Rory Toma via rsyslog
Rory Toma <mailto:[email protected]>
October 25, 2018 at 2:21 PM
I have two separate files that work just fine. I have not been able to
successfully combine them. No matter what I try, I keep getting tls
errors, because one or the other is using wrong certs. Can anyone help
here?
file1:
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /opt/rsyslog/certs/ca.pem
$DefaultNetstreamDriverCertFile /opt/rsyslog/certs/cert.pem
$DefaultNetstreamDriverKeyFile /opt/rsyslog/certs/key.pem
$MaxOpenFiles 100000
module(load="imtcp" MaxSessions="65534" StreamDriver.Mode="1"
StreamDriver.AuthMode="anon") # load TCP listener
$WorkDirectory /export/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
ruleset(name="remote"){
*.* @@10.66.13.148:8514
}
$InputTCPServerBindRuleset remote
$InputTCPServerRun 110
file2:
$DefaultNetstreamDriver gtls
$DefaultNetStreamDriverCAFile /opt/rsyslog/certs/relp/ca.pem
$DefaultNetStreamDriverCertFile /opt/rsyslog/certs/relp/cert.pem
$DefaultNetStreamDriverKeyFile /opt/rsyslog/certs/relp/key.pem
$WorkDirectory /export/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName srvrfws
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
module(load="imrelp" ruleset="relp")
input(type="imrelp" port="114" tls="on" tls.compression="on"
tls.authmode="fingerprint" )
ruleset(name="relp") {
*.* @@10.66.13.148:8514
}