Hi Eero,

I set selinux to permissive as you suggested and the error went away. However, the logs on the remote server now look like this:

Jul 22 16:54:54 client.server #026#003#002#000V#001#000#000R#003#002SΊz<82>#002<CE><E7>-#021<A5>L<B6>j<A7>@<BB>#024X<E3><DB>|<FP <B6>P<96><F4>N<A3>W#000#000$#0003#000E#0009#000<88>#000#026#0002#000D#0008#000<87>#000#023#000f#000/#000A#0005#000<84>

and when I restart rsyslog on the client I get:

[[email protected] ~]# service rsyslog restart
Shutting down system logger:
Message from [email protected] at Jul 22 16:59:51 ...
 kernel:imklog 5.8.10, log source = /proc/kmsg started.

Message from [email protected] at Jul 22 16:59:51 ...
rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="8674" x-info="http://www.rsyslog.com";] start
                                                           [  OK  ]
Starting system logger:                                    [  OK  ]

which seems quite odd.

Robin.


On 22/07/14 16:36, Eero Volotinen wrote:



2014-07-22 18:30 GMT+03:00 Robin Long <[email protected]>:

    Hi All,

    I am trying to configure rsyslog between two servers with
    encryption. This works when the authmode is 'anon' but not when
    set to 'x509/name', and I cannot tell why - Google is providing no
    help.

    My client config is:

    ===========================
    #### MODULES ####

    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
    #$ModLoad immark  # provides --MARK-- message capability

    # Provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514

    # Provides TCP syslog reception
    $ModLoad imtcp
    #$InputTCPServerRun 514


    #### GLOBAL DIRECTIVES ####

    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on

    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf

    #### Encryption ####

    # make gtls driver the default
    $DefaultNetstreamDriver gtls

    # certificate files
    $DefaultNetstreamDriverCAFile /etc/grid-security/certificates/UKeScienceCA-2B.pem
    $DefaultNetstreamDriverCertFile /etc/grid-security/hostcert.pem
    $DefaultNetstreamDriverKeyFile /etc/grid-security/hostkey.pem

    #$ModLoad imtcp # load TCP listener

    $ActionSendStreamDriverMode 1 # require TLS for the connection
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer central.log.server

    *.* @@(o)central.log.server:10514 # send (all) messages

    ###Rules####
    #Standard rules, no need to paste here

    ==================

    and the central log servers config is:

    ===================

    # rsyslog v5 configuration file

    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

    #### MODULES ####

    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog   # provides kernel logging support (previously done by rklogd)
    #$ModLoad immark  # provides --MARK-- message capability

    # Provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514

    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514


    #### GLOBAL DIRECTIVES ####

    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on

    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf

    #### Encryption ####

    # make gtls driver the default
    $DefaultNetstreamDriver gtls

    # certificate files
    $DefaultNetstreamDriverCAFile /etc/grid-security/certificates/UKeScienceCA-2B.pem
    $DefaultNetstreamDriverCertFile /etc/grid-security/hostcert.pem
    $DefaultNetstreamDriverKeyFile /etc/grid-security/hostkey.pem

    $ModLoad imtcp # load TCP listener
    $InputTCPServerRun 10514 # start up listener at port 10514

    $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
    $InputTCPServerStreamDriverAuthMode x509/name # client is authenticated
    $InputTCPServerStreamDriverPermittedPeer *.local.domain


    #### RULES ####
    #Standard rules, no need to paste here

    ============================

    rsyslog starts fine on the central log server, but on the client I
    get the following written to messages:

    ============================

    rsyslogd-2040: can not read file '/etc/grid-security/hostcert.pem'
    [try http://www.rsyslog.com/e/2040 ]

    ============================

    Any suggestions or help?


Is the selinux context for files correct? Try in permissive mode first (setenforce 0).

--
Eero
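
A check worth running against the central server configuration quoted in the original question, added here as an example and not code from the thread or from the rsyslog project. It assumes the ordering rule that rsyslog's own TLS how-to follows for legacy `$`-directives: `$InputTCPServerRun` starts the listener with the `$InputTCPServerStreamDriver*` values set before it, and directives placed after it do not apply to that listener (the default mode 0 means plain TCP and the default authmode is anon; both are assumptions about rsyslog v5 defaults). The two config fragments are constructed; `POSTED_ORDER` mirrors the directive order in the quoted server config.

```python
"""Lint a legacy ($-directive) rsyslog.conf for a TCP listener that is
started before its TLS stream-driver settings take effect.

Added example, not code from the thread. Assumption: $InputTCPServerRun
binds the listener using the driver settings seen so far in the file
(rsyslog's TLS how-to orders them that way); later settings are ignored.
Assumed defaults: StreamDriverMode 0 (plain TCP), AuthMode anon.
"""
import re

# "$Name value  # optional trailing comment"
DIRECTIVE = re.compile(r"^\s*\$(\w+)\s+(.*?)\s*(?:#.*)?$")
DRIVER_SETTINGS = {
    "InputTCPServerStreamDriverMode",
    "InputTCPServerStreamDriverAuthMode",
    "InputTCPServerStreamDriverPermittedPeer",
}

# Constructed fragment with the same directive order as the central
# server config quoted in the original question.
POSTED_ORDER = """\
$DefaultNetstreamDriver gtls
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 10514 # start up listener at port 10514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode x509/name # client is authenticated
$InputTCPServerStreamDriverPermittedPeer *.local.domain
"""

# Constructed: the same directives with the driver settings ahead of the
# listener start, as rsyslog's TLS how-to orders them.
REORDERED = """\
$DefaultNetstreamDriver gtls
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.local.domain
$InputTCPServerRun 10514
"""


def parse_directives(text):
    """Yield (lineno, name, value) for each $-directive; comments and blank lines are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(raw)
        if m:
            yield n, m.group(1), m.group(2)


def lint_tcp_listener(text):
    """Return findings about each $InputTCPServerRun and the driver settings in effect at it."""
    mode, authmode, peers = "0", "anon", []   # assumed rsyslog defaults
    findings = []
    last_run = None                            # line of the most recent $InputTCPServerRun
    for n, name, value in parse_directives(text):
        if name in DRIVER_SETTINGS and last_run is not None:
            findings.append(f"line {n}: ${name} comes after $InputTCPServerRun "
                            f"(line {last_run}) and does not apply to that listener")
        if name == "InputTCPServerStreamDriverMode":
            mode = value
        elif name == "InputTCPServerStreamDriverAuthMode":
            authmode = value
        elif name == "InputTCPServerStreamDriverPermittedPeer":
            peers.append(value)
        elif name == "InputTCPServerRun":
            last_run = n
            if mode != "1":
                findings.append(f"line {n}: listener on port {value} starts in plain-TCP mode "
                                f"(StreamDriverMode {mode} in effect); a TLS handshake sent to it "
                                "is stored as raw bytes")
            elif authmode.startswith("x509") and not peers:
                findings.append(f"line {n}: authmode {authmode} with no PermittedPeer set")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted order", POSTED_ORDER), ("reordered", REORDERED)):
        print(f"{label}:")
        for finding in lint_tcp_listener(conf) or ["no findings"]:
            print("  " + finding)
```

Run it against a copy of the real `/etc/rsyslog.conf` by reading the file into `lint_tcp_listener`; an empty list means every listener was started after its mode, authmode and permitted-peer directives.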

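The line Robin pasted from the remote server after switching to permissive mode reads `#026#003#002#000V#001#000#000R#003#002...`; in rsyslog's default escaping, `#ooo` is one byte in octal, so those bytes are `16 03 02 00 56 01 00 00 52 03 02`, which is the shape of a TLS record header (type 0x16 handshake, version 3.2) followed by a ClientHello header. The decoder below, an added example and not code from the thread, turns such a line back into bytes and checks the record and handshake headers against each other, which is the quickest way to confirm that encrypted traffic is landing on an input that is not in TLS mode rather than on a corrupted message. The `<hh>` notation for bytes above 0x7F is how the pasted line renders them (assumption); the sample line is constructed, with its first eleven escaped bytes copied from Robin's line and the tail filled in.

```python
"""Decode an rsyslog-escaped message and tell whether it is a TLS record.

Added diagnostic, not code from the thread. Assumes rsyslog's default
control-character escaping (#ooo, three octal digits) and the <hh>
rendering of bytes >= 0x80 seen in the pasted line.
"""
import re

# Constructed sample modelled on the line Robin pasted: the first eleven
# escaped bytes are copied from it, the remainder is filler.
SAMPLE_LINE = (
    "Jul 22 16:54:54 client.server "
    "#026#003#002#000V#001#000#000R#003#002S<8a>z<82>#002<CE><E7>-#021<A5>L"
)

# Traditional syslog header: "Mon DD HH:MM:SS host message"
SYSLOG_HDR = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d (\S+) (.*)$", re.S)
_TOKEN = re.compile(r"#([0-7]{3})|<([0-9A-Fa-f]{2})>|(.)", re.S)

TLS_CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                     0x16: "handshake", 0x17: "application_data"}
RECORD_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 16: "ClientKeyExchange", 20: "Finished"}


def unescape(msg: str) -> bytes:
    """Reverse rsyslog's #ooo escaping (and the <hh> rendering) back to raw bytes."""
    out = bytearray()
    for octal, hexd, ch in _TOKEN.findall(msg):
        if octal:
            out.append(int(octal, 8))
        elif hexd:
            out.append(int(hexd, 16))
        else:
            out.extend(ch.encode("latin-1", "replace"))
    return bytes(out)


def classify_tls_record(data: bytes):
    """Describe a TLS record at the start of data, or return None if it is not one."""
    if len(data) < 6:
        return None
    ctype, vmaj, vmin = data[0], data[1], data[2]
    if ctype not in TLS_CONTENT_TYPES or vmaj != 3 or vmin not in RECORD_VERSIONS:
        return None
    info = {
        "content_type": TLS_CONTENT_TYPES[ctype],
        "record_version": RECORD_VERSIONS[vmin],
        "record_length": int.from_bytes(data[3:5], "big"),
    }
    if ctype == 0x16 and len(data) >= 9:
        htype = data[5]
        info["handshake_type"] = HANDSHAKE_TYPES.get(htype, f"unknown({htype})")
        info["handshake_length"] = int.from_bytes(data[6:9], "big")
        # The handshake header is 4 bytes, so for a record carrying one
        # handshake message the two lengths must agree; a chance match of
        # the first bytes in real text would not pass this.
        info["lengths_consistent"] = info["handshake_length"] + 4 == info["record_length"]
    return info


def check_line(line: str):
    """Split a traditional-format syslog line into (host, tls_info); tls_info is None for plain text."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return None, None
    host, msg = m.group(1), m.group(2)
    return host, classify_tls_record(unescape(msg))


if __name__ == "__main__":
    host, info = check_line(SAMPLE_LINE)
    if info:
        print(f"{host}: {info['record_version']} {info['content_type']} "
              f"({info.get('handshake_type', '-')}) written as plaintext: "
              "the receiving input was not running in TLS mode")
    else:
        print(f"{host}: payload is not a TLS record")
```

On the sample the record length is 0x56 (86) and the handshake length 0x52 (82), which differ by exactly the 4-byte handshake header, so the match is not coincidental. Feed it the lines of the central server's messages file to see which client hosts are still sending TLS into a plaintext input.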
