2014-07-22 18:30 GMT+03:00 Robin Long <[email protected]>:
> Hi All,
>
> I am trying to configure rsyslog between two servers with encryption. This
> works when the authmode is 'anon' but not when set to 'x509/name', and I
> cannot tell why - Google is providing no help.
>
> My client config is:
>
> ===========================
> #### MODULES ####
>
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
> #$ModLoad immark  # provides --MARK-- message capability
>
> # Provides UDP syslog reception
> #$ModLoad imudp
> #$UDPServerRun 514
>
> # Provides TCP syslog reception
> $ModLoad imtcp
> #$InputTCPServerRun 514
>
>
> #### GLOBAL DIRECTIVES ####
>
> # Use default timestamp format
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> # File syncing capability is disabled by default. This feature is usually not required,
> # not useful and an extreme performance hit
> #$ActionFileEnableSync on
>
> # Include all config files in /etc/rsyslog.d/
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> #### Encryption ####
>
> # make gtls driver the default
> $DefaultNetstreamDriver gtls
>
> # certificate files
> $DefaultNetstreamDriverCAFile /etc/grid-security/certificates/UKeScienceCA-2B.pem
> $DefaultNetstreamDriverCertFile /etc/grid-security/hostcert.pem
> $DefaultNetstreamDriverKeyFile /etc/grid-security/hostkey.pem
>
> #$ModLoad imtcp # load TCP listener
>
> $ActionSendStreamDriverMode 1 # require TLS for the connection
> $ActionSendStreamDriverAuthMode x509/name
> $ActionSendStreamDriverPermittedPeer central.log.server
>
> *.* @@(o)central.log.server:10514 # send (all) messages
>
> ###Rules####
> #Standard rules, no need to paste here
>
> ==================
>
> and the central log server's config is:
>
> ===================
>
> # rsyslog v5 configuration file
>
> # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
> # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
>
> #### MODULES ####
>
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
> #$ModLoad immark  # provides --MARK-- message capability
>
> # Provides UDP syslog reception
> #$ModLoad imudp
> #$UDPServerRun 514
>
> # Provides TCP syslog reception
> #$ModLoad imtcp
> #$InputTCPServerRun 514
>
>
> #### GLOBAL DIRECTIVES ####
>
> # Use default timestamp format
> $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
>
> # File syncing capability is disabled by default. This feature is usually not required,
> # not useful and an extreme performance hit
> #$ActionFileEnableSync on
>
> # Include all config files in /etc/rsyslog.d/
> $IncludeConfig /etc/rsyslog.d/*.conf
>
> #### Encryption ####
>
> # make gtls driver the default
> $DefaultNetstreamDriver gtls
>
> # certificate files
> $DefaultNetstreamDriverCAFile /etc/grid-security/certificates/UKeScienceCA-2B.pem
> $DefaultNetstreamDriverCertFile /etc/grid-security/hostcert.pem
> $DefaultNetstreamDriverKeyFile /etc/grid-security/hostkey.pem
>
> $ModLoad imtcp # load TCP listener
> $InputTCPServerRun 10514 # start up listener at port 10514
>
> $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> $InputTCPServerStreamDriverAuthMode x509/name # client is authenticated
> $InputTCPServerStreamDriverPermittedPeer *.local.domain
>
>
> #### RULES ####
> #Standard rules, no need to paste here
>
> ============================
>
> rsyslog starts fine on the central log server, but on the client I get the
> following written to messages:
>
> ============================
>
> rsyslogd-2040: can not read file '/etc/grid-security/hostcert.pem' [try http://www.rsyslog.com/e/2040 ]
>
> ============================
>
> Any suggestions or help?

Is the SELinux context for the files correct?
Try in permissive mode first (setenforce 0).
-- Eero
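The checks behind Eero's suggestion, as an added example that is not part of the thread: the rsyslogd-2040 "can not read file" error fires when the gtls driver cannot open a certificate file, so before touching the TLS settings it is worth confirming, as the user rsyslogd runs as, that each file and every parent directory is accessible and what SELinux label and mode are in effect. The three paths are the ones from the client config above; the helper functions and the `--run` switch are assumptions of this example, not rsyslog features.

```shell
#!/bin/sh
# Added diagnostic helper, not from the thread: checks whether the gtls
# certificate files named in an rsyslog config are readable, and shows
# the SELinux mode and file label when the tooling exists.

# check_readable PATH -> 0 if PATH exists and is readable by the current
# user, 1 otherwise (one-line reason on stderr).
check_readable() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "MISSING: $f" >&2
        return 1
    fi
    if [ ! -r "$f" ]; then
        echo "UNREADABLE: $f (check owner and mode)" >&2
        return 1
    fi
    return 0
}

# check_parents PATH -> 0 if every parent directory of PATH is searchable
# (execute bit); a 0700 /etc/grid-security would block a non-root reader
# even when the file itself is world-readable.
check_parents() {
    d=$(dirname "$1")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        if [ ! -x "$d" ]; then
            echo "NOT SEARCHABLE: $d" >&2
            return 1
        fi
        d=$(dirname "$d")
    done
    return 0
}

# show_label PATH: print the SELinux enforcement mode and the file's
# security context when SELinux userland is installed; silent otherwise.
show_label() {
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode: $(getenforce)"
        ls -Z "$1" 2>/dev/null
    fi
}

# check_all [PATH...] -> 0 if all given files pass; defaults to the three
# files from the client configuration in the thread.
check_all() {
    rc=0
    if [ "$#" -eq 0 ]; then
        set -- /etc/grid-security/certificates/UKeScienceCA-2B.pem \
               /etc/grid-security/hostcert.pem \
               /etc/grid-security/hostkey.pem
    fi
    for f in "$@"; do
        check_parents "$f" && check_readable "$f" && echo "OK: $f" || rc=1
        show_label "$f"
    done
    return $rc
}

# Run only when invoked as: sh check-rsyslog-certs.sh --run [PATH...]
case "${1:-}" in
    --run) shift; check_all "$@" ;;
esac
```

Run it as the account rsyslogd uses (root on rsyslog v5, or `sudo -u <user>` where the daemon is unprivileged). If every file reports OK under enforcing mode and rsyslog still logs 2040, the remaining suspect is the label: compare `ls -Z` output against a directory rsyslog is known to read, look for matching AVC denials with `ausearch -m avc`, and confirm the diagnosis by retrying in permissive mode as the reply suggests before changing any policy.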
