Rsyslog over TLS
So far I have been trying to get rsyslog to transmit over TLS, without success.
Something seems to be wrong with my configuration, but I can't pinpoint it.
Here is my server configuration file:
```
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad immark   # provides --MARK-- message capability
$ModLoad imgssapi # provides GSSAPI syslog reception

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 10514
$InputTCPServerStreamDriverMode 1        # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem

# specify senders you permit to access
$AllowedSender TCP, 127.0.0.1, 10.111.1.0/24, *.evoltek.test.com

#add: define logfiles
## /var/log/secure
$template Auth_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.secure"
## /var/log/messages
$template Msg_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.messages"
## /var/log/maillog
$template Mail_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.maillog"
## /var/log/cron
$template Cron_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.cron"
## /var/log/spooler
$template Spool_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.spooler"
## /var/log/boot.log
$template Boot_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.boot.log"
## emergency messages "*.emerg"
$template Emerg_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.emerg"

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

#### RULES ####

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none    -?Msg_log

# The authpriv file has restricted access.
authpriv.*                                  -?Auth_log

# Log all the mail messages in one place.
mail.*                                      -?Mail_log

# Log cron stuff
cron.*                                      -?Cron_log

# Everybody gets emergency messages
*.emerg                                     -?Emerg_log

# Save news errors of level crit and higher in a special file.
uucp,news.crit                              -?Spool_log

# Save boot messages also to boot.log
local7.*                                    -?Boot_log
```
Here is my client configuration file:
```
# rsyslog v5 configuration file

# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem

$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none    /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                  /var/log/secure

# Log all the mail messages in one place.
mail.*                                      -/var/log/maillog

# Log cron stuff
cron.*                                      /var/log/cron

# Everybody gets emergency messages
*.emerg                                     *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                              /var/log/spooler

# Save boot messages also to boot.log
local7.*                                    /var/log/boot.log

*.* @@10.111.1.151:10514
```
I created the certificates by following this guide: http://kb.kristianreese.com/index.php?View=entry&EntryID=148
My test environment has no FQDN, so I left the DN and FQDN fields blank and filled in the IP field.
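In rsyslog's legacy `$`-directive format, directives take effect in file order: the imtcp listener is created when `$InputTCPServerRun` is processed, using the netstream driver settings in effect at that point, and a `@@host:port` forwarding rule likewise uses the `$ActionSend*` settings set before it. Settings placed after the listener or the rule do not apply to them. The checker below is an added example, not part of the question or of the rsyslog project; it flags driver directives that are missing or appear after the listener/forwarding rule, and runs on a constructed sample that follows the directive order of the question's server file next to a reordered copy.

```python
"""Check the ordering of rsyslog legacy (v5-style) TLS directives.

Added example, not code from the question or from rsyslog.  The imtcp
listener is created when $InputTCPServerRun is processed, with the
netstream driver settings in effect at that point; a @@host:port action
likewise takes the $ActionSend* settings in effect when it is parsed.
"""

import re

# Directives that must already be set when $InputTCPServerRun is processed.
SERVER_BEFORE_RUN = (
    "$DefaultNetstreamDriver",
    "$DefaultNetstreamDriverCAFile",
    "$DefaultNetstreamDriverCertFile",
    "$DefaultNetstreamDriverKeyFile",
    "$InputTCPServerStreamDriverMode",
    "$InputTCPServerStreamDriverAuthMode",
)

# Directives that must precede a "@@host:port" forwarding rule on the client.
CLIENT_BEFORE_FORWARD = (
    "$DefaultNetstreamDriver",
    "$DefaultNetstreamDriverCAFile",
    "$DefaultNetstreamDriverCertFile",
    "$DefaultNetstreamDriverKeyFile",
    "$ActionSendStreamDriverMode",
    "$ActionSendStreamDriverAuthMode",
)

FORWARD_RE = re.compile(r"^\S+\s+@@")  # e.g. "*.* @@10.111.1.151:10514"


def _directive_lines(text):
    """Yield (line_number, first_token, line) for non-empty, non-comment lines."""
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line:
            yield num, line.split()[0], line


def check_ordering(text, anchor, required):
    """Return problems: required directives missing or placed after `anchor`.

    `anchor` is a directive name such as "$InputTCPServerRun", or "@@" for
    the first forwarding rule.  An empty list means the order is fine.
    """
    label = "@@ forwarding rule" if anchor == "@@" else anchor
    lines = list(_directive_lines(text))
    anchor_at = None
    for num, tok, line in lines:
        if (anchor == "@@" and FORWARD_RE.match(line)) or tok == anchor:
            anchor_at = num
            break
    if anchor_at is None:
        return [f"no {label} found"]
    problems = []
    for name in required:
        seen = [num for num, tok, _ in lines if tok == name]
        if not seen:
            problems.append(f"{name} missing")
        elif min(seen) > anchor_at:
            problems.append(f"{name} (line {min(seen)}) comes after {label} (line {anchor_at})")
    return problems


def check_server(text):
    return check_ordering(text, "$InputTCPServerRun", SERVER_BEFORE_RUN)


def check_client(text):
    return check_ordering(text, "@@", CLIENT_BEFORE_FORWARD)


# Constructed sample that mirrors the directive order of the question's server file.
BROKEN_SERVER = """\
$ModLoad imtcp
$InputTCPServerRun 10514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
"""

# The same directives with the listener started last.
FIXED_SERVER = """\
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 10514
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_SERVER), ("fixed", FIXED_SERVER)):
        print(name, check_server(conf) or "ok")
```

Running it reports all six driver directives of the first sample as coming after `$InputTCPServerRun` and nothing for the second; `check_client` does the same for a client file against its `@@` rule.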
Rsyslog 5.8 with CentOS 6.9 works for me
Here is a video tutorial: https://youtu.be/eb9GlhD8XnY
Create the certificates on the CA (certificate authority)
```
sudo mkdir /etc/ssl/rsyslog/
cd /etc/ssl/rsyslog/
```
Install gnutls-utils
```
sudo yum install -y gnutls-utils
```
Generate the CA private key (protect this key!)
```
sudo certtool --generate-privkey --outfile CA-key.pem
sudo chmod 400 CA-key.pem
```
Generate the CA public key
```
sudo certtool --generate-self-signed --load-privkey CA-key.pem --outfile CA.pem
Common name: CA.EXAMPLE.COM
The certificate will expire in (days): 3650
Does the certificate belong to an authority? (Y/N): y
Will the certificate be used to sign other certificates? (Y/N): y
Will the certificate be used to sign CRLs? (y/N): y
```
Create the SERVER's private key on the CA (certificate authority)
```
sudo certtool --generate-privkey --outfile SERVER-key.pem --bits 2048
```
Create a certificate request for the SERVER
```
sudo certtool --generate-request --load-privkey SERVER-key.pem --outfile SERVER-request.pem
Common name: SERVER.EXAMPLE.COM
```
Sign the SERVER key and allow the key pair to be trusted by other servers
```
sudo certtool --generate-certificate --load-request SERVER-request.pem --outfile SERVER-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem
The certificate will expire in (days): 1000
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: SERVER.EXAMPLE.COM
```
Create the CLIENT private key on the CA (certificate authority)
```
sudo certtool --generate-privkey --outfile CLIENT-key.pem --bits 2048
```
Create a certificate request for the CLIENT
```
sudo certtool --generate-request --load-privkey CLIENT-key.pem --outfile CLIENT-request.pem
Common name: CLIENT.EXAMPLE.ORG
```
Sign the CLIENT key and allow the key pair to be trusted by other servers
```
sudo certtool --generate-certificate --load-request CLIENT-request.pem --outfile CLIENT-cert.pem --load-ca-certificate CA.pem --load-ca-privkey CA-key.pem
The certificate will expire in (days): 1000
Is this a TLS web client certificate? (Y/N): y
Is this also a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: CLIENT.EXAMPLE.ORG
```
Delete the request keys
```
sudo rm *-request.pem
```
Scp the SERVER private/key and CA.pem to SERVER.EXAMPLE.COM (copy the certificates over scp or an encrypted USB drive)
```
sudo -u root scp -i ~/.ssh/id_rsa CA.pem SERVER-* root@172.16.9.30:/etc/ssl/rsyslog/
```
Scp the CLIENT private/key and CA.pem to CLIENT.EXAMPLE.COM
```
sudo -u root scp -i ~/.ssh/id_rsa CA.pem CLIENT-* root@172.16.9.40:/etc/ssl/rsyslog/
```
Install the gtls driver on SERVER and CLIENT
```
sudo yum install rsyslog-gnutls -y
```
Configure the server
```
sudo vi /etc/rsyslog.d/rsyslog-tls.conf

# Add
# Listen for TCP
$ModLoad imtcp
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/SERVER-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/SERVER-key.pem
# Auth mode
$InputTCPServerStreamDriverAuthMode x509/name
# Only allow EXAMPLE.COM domain
$InputTCPServerStreamDriverPermittedPeer *.EXAMPLE.COM
# Only use TLS
$InputTCPServerStreamDriverMode 1
# Listen on port 6514
# If you want to use other port configure selinux
$InputTCPServerRun 6514
```
Open port 6514 on the firewall
```
sudo vi /etc/sysconfig/iptables

-A INPUT -m state --state NEW -m tcp -p tcp --dport 6514 -j ACCEPT

sudo /etc/init.d/iptables reload
```
Restart the rsyslog daemon
```
sudo /etc/init.d/rsyslog restart
```
Configure the client
```
sudo vi /etc/rsyslog.d/rsyslog-tls.conf

# Add
# Set gtls driver
$DefaultNetstreamDriver gtls
# Certs
$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/CA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/CLIENT-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/CLIENT-key.pem
# Auth mode
$ActionSendStreamDriverAuthMode x509/name
# Only send log to SERVER.EXAMPLE.COM host
$ActionSendStreamDriverPermittedPeer SERVER.EXAMPLE.COM
# Only use TLS
$ActionSendStreamDriverMode 1
# Forward everything to SERVER.EXAMPLE.COM
# If you use hostnames instead of IP configure DNS or /etc/hosts
*.* @@SERVER.EXAMPLE.COM:6514
```
Restart the rsyslog daemon
```
sudo /etc/init.d/rsyslog restart
```
To test on the SERVER, run tcpdump and send logs from the client
```
sudo yum install tcpdump -y
sudo tcpdump -i eth0 tcp port 6514 -X -s 0 -nn
```
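tcpdump shows that bytes on port 6514 are no longer plaintext, but it does not tell you whether the client actually validated the server. The script below is an added example, not part of the answer above or of rsyslog: it connects from the client side with the same trust rules the answer configures for `x509/name` (trust only `CA.pem`, require the server certificate to carry the expected peer name, present the client certificate) and sends one LF-delimited RFC 3164 line, which is the framing rsyslog's `@@` TCP transport uses. The file names under `/etc/ssl/rsyslog/`, the peer name `SERVER.EXAMPLE.COM`, the hostname `CLIENT.EXAMPLE.ORG` and port 6514 are taken from the answer's layout and are assumptions; `bsd_timestamp`, `syslog_line`, `build_context` and `send_test_message` are names introduced here.

```python
"""Send one test syslog message to an rsyslog TLS listener and report the peer.

Added example, not part of the answer or of rsyslog.  Mirrors the answer's
x509/name setup from the client side: CA.pem must have signed the server
certificate and that certificate must carry the expected name, otherwise
the handshake fails before any log line is sent.  Paths and names below
are assumptions following the answer's layout.
"""

import socket
import ssl
import sys
import time

CA_FILE = "/etc/ssl/rsyslog/CA.pem"               # assumed paths
CLIENT_CERT = "/etc/ssl/rsyslog/CLIENT-cert.pem"
CLIENT_KEY = "/etc/ssl/rsyslog/CLIENT-key.pem"

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def bsd_timestamp(t=None):
    """RFC 3164 'Mmm dd hh:mm:ss' timestamp with a space-padded day (local time)."""
    t = t if t is not None else time.localtime()
    return f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} {t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}"


def syslog_line(message, facility=1, severity=6,
                hostname="CLIENT.EXAMPLE.ORG", tag="tlstest", stamp=None):
    """Build one RFC 3164 style line, LF-terminated as rsyslog's @@ transport expects.

    facility 1 (user) and severity 6 (info) give PRI <14>.
    """
    pri = facility * 8 + severity
    stamp = stamp if stamp is not None else bsd_timestamp()
    return f"<{pri}>{stamp} {hostname} {tag}: {message}\n"


def build_context(ca_file=CA_FILE, cert=CLIENT_CERT, key=CLIENT_KEY):
    """Client context that trusts only our CA and presents the client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True        # server cert name must match server_hostname below
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(cert, key)   # lets the server's x509/name mode identify this client
    return ctx


def send_test_message(host, port, message, peer_name=None, timeout=5.0):
    """Connect, verify the server against CA.pem and peer_name, send one line.

    host may be an IP address; peer_name is the name the server certificate
    must carry (the answer's PermittedPeer) and defaults to host.
    """
    expected = peer_name or host
    ctx = build_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=expected) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            tls.sendall(syslog_line(message).encode())
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "peer_cn": subject.get("commonName"),
            }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "SERVER.EXAMPLE.COM"
    try:
        print(send_test_message(target, 6514, "rsyslog TLS test",
                                peer_name="SERVER.EXAMPLE.COM"))
    except ssl.SSLCertVerificationError as exc:
        # Wrong CA, expired certificate or name mismatch: the same failures the
        # rsyslog x509/name mode rejects, shown here with the library's reason.
        print("certificate verification failed:", exc)
```

Run it on the client as `python3 tlstest.py 172.16.9.30` (any host that resolves to the server will do); a successful run prints the negotiated TLS version, cipher and the server's CN, and the message should then appear in the server's log files. A verification error points at the certificate chain or the dnsName rather than at the rsyslog configuration.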
On CentOS/RedHat you can also enable the SSL rsyslog port in SELinux. Something like
```
semanage port -a -t syslogd_port_t -p tcp 10514
```
should do the trick. You can check your current syslog ports with
```
sudo semanage port -l | grep syslog
```
You can also try running rsyslog in debug mode to see what is happening: stop the rsyslog daemon, then
```
export RSYSLOG_DEBUGLOG="/path/to/debuglog"
export RSYSLOG_DEBUG="Debug"
```
Now start rsyslog:
```
rsyslogd -dn
```
To check that the syntax used is valid, use:
```
rsyslogd -N 1
```