
server with TLS and non-TLS incoming TCP connections
Hello,
I was wondering how to set up an rsyslog server to accept both TLS and non-TLS connections over TCP.
On the client side it is possible, as all the relevant options are placed in the omfwd action itself. However, on the server side the options are located in the module, not in the input, so all the related inputs "inherit" the TLS setting from the module.
Is there a way to split it?

The use case:
I have systems producing logs. Some of the systems are not capable of TLS.
I want to collect logs from all the clients, so I need to open one port for incoming TLS connections and one for non-TLS at the same time.

I can imagine running a separate rsyslog instance for TLS connections, forwarding the traffic locally to the instance with non-TLS, or vice versa. But that's not really an efficient solution.

Thanks,
Dalibor

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: server with TLS and non-TLS incoming TCP connections
You need:

a) activate both modules, for plain TCP and for TLS
b) have rules which will be bound to the specific module and the port that will be used. That way rsyslog will listen on both ports.

It is the same case as having UDP and TCP. TLS will be a different module with the special driver for encryption enabled (gtls or ossl).

Regards,
Alexandros

-----Original Message-----
From: rsyslog <rsyslog-bounces@lists.adiscon.com> On Behalf Of Dalibor Pospíšil via rsyslog
Sent: Friday, July 31, 2020 11:36 AM
To: rsyslog@lists.adiscon.com
Cc: Dalibor Pospíšil <dapospis@redhat.com>
Subject: [rsyslog] server with TLS and non-TLS incoming TCP connections
Re: server with TLS and non-TLS incoming TCP connections
I'm not sure how to activate both modules at the same time while they are of the same type. The only difference is the NetStream driver.
Can you provide a configuration snippet to illustrate it?
I would basically like something like this:
module( # instance 1
    load="imtcp"
    StreamDriver.AuthMode="x509/name"
    StreamDriver.Mode="1"
    StreamDriver.Name="gtls"
)
input( # instance 1
    type="imtcp"
    Port="6514"
)
module( # instance 2
    load="imtcp"
)
input( # instance 2
    type="imtcp"
    Port="514"
)

Obviously, one would say the configuration should look like:

module(
    load="imtcp"
)
input(
    type="imtcp"
    Port="6514"
    StreamDriver.AuthMode="x509/name"
    StreamDriver.Mode="1"
    StreamDriver.Name="gtls"
)
input(
    type="imtcp"
    Port="514"
)

which would be equivalent to omfwd, but this is not possible, AFAIK.


Dalibor

On 31. 07. 20 14:10, Naoum, A. (Alexandros) wrote:
Re: server with TLS and non-TLS incoming TCP connections
There's always the (not very pretty) workaround of setting up a plain TCP input and "wrapping" it in stunnel-provided encryption listening on another port.

Mariusz Kruk
IT Security Expert
COMP S.A.
Cybersecurity and Risk Management Division
e-mail: mariusz.kruk@comp.com.pl
e-mail: mariusz.kruk@safecomp.com
tel: +48 608 623 299

On 31.07.2020 22:18, Dalibor Pospíšil via rsyslog wrote:
Re: server with TLS and non-TLS incoming TCP connections
I'm watching this thread for a better solution, but the workaround I've used for years is to use imptcp for non-TLS and imtcp for TLS:

## Plain TCP syslog reception:
module (load="imptcp")

## TCP syslog reception:
module (load="imtcp"
MaxListeners = "30"
MaxSessions = "1024"
StreamDriver.Name="ossl"
# StreamDriver.Name="gtls"
StreamDriver.Mode="1"
StreamDriver.AuthMode="x509/name"
# StreamDriver.AuthMode="anon"
PermittedPeer=.....
)


And when I need to open a new port or create a new ruleset, I tie it to the appropriate module depending on whether TLS or non-TLS is needed:

root@logs-n2:~> cat /etc/rsyslog.d/inputs/port514.conf
## Define port 514 listeners, bound to the appropriate ruleset:
input(type="imptcp" name="tcp-514" port="514" ruleset="port514")
input(type="imudp" name="udp-514" port="514" ruleset="port514")

root@logs-n2:~> cat /etc/rsyslog.d/inputs/port6514.conf
## Define port 6514 listener, bound to the appropriate ruleset:
input(type="imtcp" name="tcp-6514" port="6514" ruleset="port6514")


Tod A. Sandman
Re: server with TLS and non-TLS incoming TCP connections
I like this "workaround".

Thanks,
Dalibor

On 03. 08. 20 15:06, Tod A Sandman via rsyslog wrote: