Mailing List Archive

problems with tls and rsyslog
Hi, I am trying to get rsyslog to receive and store/forward messages with TLS on
both sides.

client --->tls---> rsyslog --->tls---> remote.something

I got it set up so I could send to the rsyslog server, but then I couldn't
add another set of CA/cert files. My config was using global and defaultnetstream.

I found on rsyslog.com that prior to 8.2202 it couldn't use TLS on two
different sources/destinations. I found the CentOS 7 repo and got rsyslog-8.2204
installed. Now nothing works. I think I got the config correct, but the
client keeps getting rejected.

Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry returned
error: The TLS connection was non-properly terminated. [v8.2204.0 try
https://www.rsyslog.com/e/2083 ]
Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session 0x7f6a04013360 from
192.168.5.22 will be closed due to error [v8.2204.0 try
https://www.rsyslog.com/e/2089 ]

So then I tried going to the ossl module. Now it's even worse. My config
is a mess now too.

Does TLS on both sides work?
Do I need the 8.2202+ version?
Do you have an example config?
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: problems with tls and rsyslog [ In reply to ]
I would be surprised if this does not work, but I have not (yet) attempted
to configure this. However it is a configuration that I need, so, I'm
hoping to see an answer.

-derek

On Sat, April 23, 2022 6:35 pm, Shane via rsyslog wrote:


--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

Re: problems with tls and rsyslog [ In reply to ]
v8.2204 was just released with some significant TLS fixes.

David Lang

On Sun, 24 Apr 2022, Derek Atkins via rsyslog wrote:
Re: problems with tls and rsyslog [ In reply to ]
There were some improvements to TLS handling introduced over several
versions so you'd have to review the changelog and docs.

But from what I see, the omfwd module supports setting separate TLS
key/cert/cacert per action since 8.2108.

The imtcp module also supports setting those on a per-input level since
8.2108.

So it should work.

It is always a good idea to do a tcpdump and see how the handshake
progresses and when and where it fails.

MK

On 24.04.2022 00:35, Shane via rsyslog wrote:
Re: problems with tls and rsyslog [ In reply to ]
Yes, it's possible. Worked on that for quite some time last year ;-)

Rainer

On Mon, 25 Apr 2022 at 7:41, Mariusz Kruk via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
Re: problems with tls and rsyslog [ In reply to ]
Hi,

Are there docs on how to set this up on a per-input and/or per-omfwd basis?

All the docs I can find suggest setting the global DefaultNetstreamDriver*
variables, which in my case are not what I want because I need to be able
to use different keys/certs/CAs for the input/imtcp vs the omfwd
operations.

I am running 8.2204.1.

Thanks,

-derek

On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:


--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: problems with tls and rsyslog [ In reply to ]
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html

https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html

HTH
Rainer

Sent from phone, thus brief.

Derek Atkins <derek@ihtfp.com> wrote on Tue., 17 May 2022, 22:01:

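An added example configuration, not from this thread or the rsyslog project, showing the per-input and per-action TLS settings those two doc pages describe, laid out for Shane's original client → relay → upstream chain with a different CA and key pair on each leg. It assumes rsyslog 8.2108 or later, the version the thread cites for the per-unit streamDriver.* parameters; every file path, hostname and peer name is a placeholder.

```rsyslog
# Added example (not from the thread or the rsyslog project): one rsyslog
# relay that accepts TLS from clients on one CA/cert pair and forwards over
# TLS to an upstream on a different CA/cert pair. Needs rsyslog >= 8.2108
# for the per-input / per-action streamDriver.* parameters.
# All paths, hostnames and peer names are placeholders.

global(
    # Global defaults are still consulted by anything without a per-unit
    # setting; point them at the inbound set so nothing silently falls
    # back to an unconfigured driver.
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/clients-ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/relay-server.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/relay-server.key"
)

# Inbound leg: mutual TLS from clients, each verified by certificate name.
module(load="imtcp")
input(
    type="imtcp"
    port="6514"
    streamDriver.Name="gtls"
    streamDriver.Mode="1"                 # 1 = TLS only, no plaintext
    streamDriver.AuthMode="x509/name"     # verify the client cert and its name
    permittedPeer=["*.clients.example.internal"]
    streamDriver.CAFile="/etc/rsyslog.d/tls/clients-ca.pem"
    streamDriver.CertFile="/etc/rsyslog.d/tls/relay-server.pem"
    streamDriver.KeyFile="/etc/rsyslog.d/tls/relay-server.key"
    ruleset="relay"
)

# Outbound leg: forward with a client cert from a different CA, through a
# disk-assisted queue so messages survive the upstream being unreachable.
ruleset(name="relay") {
    action(
        type="omfwd"
        target="remote.example.internal"
        port="6514"
        protocol="tcp"
        StreamDriver="gtls"
        StreamDriverMode="1"
        StreamDriverAuthMode="x509/name"
        StreamDriverPermittedPeers="remote.example.internal"
        StreamDriver.CAFile="/etc/rsyslog.d/tls/upstream-ca.pem"
        StreamDriver.CertFile="/etc/rsyslog.d/tls/relay-client.pem"
        StreamDriver.KeyFile="/etc/rsyslog.d/tls/relay-client.key"
        queue.type="LinkedList"
        queue.filename="relay_fwd"
        queue.saveOnShutdown="on"
        action.resumeRetryCount="-1"
    )
}
```

Because the two legs trust different CAs, a certificate issued to a client is not accepted by the upstream and vice versa, and x509/name on both legs ties each connection to the expected peer name rather than to any certificate the CA has ever issued. To check one leg in isolation before involving the other, `openssl s_client -connect relay:6514 -CAfile clients-ca.pem -cert client.pem -key client.key` reports the handshake outcome and the verify return code, which is quicker to read than a packet capture.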
Re: problems with tls and rsyslog [ In reply to ]
Thank you.
I spent almost an hour googling and didn't find that!! *sigh*

-derek

On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:


Re: problems with tls and rsyslog [ In reply to ]
Thanks Rainer,

This is working smashingly!

The next issue I'm trying to solve is how do I add the client certificate
information into the log message? I'd like to add e.g. the client
certificate subject (or subjectAltName) into my log template (similar to
how you can add the client hostname or fromhost-ip).

Again, I am having issues searching, as any combination of "rsyslog" and
"certificate" seems to bring up documentation on "how to configure TLS"
which, obviously, I already know how to do...

Any help or guidance would be appreciated.

Thanks,

-derek

On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:


Re: problems with tls and rsyslog [ In reply to ]
Unfortunately, this property is not yet available :-(

Rainer

On Thu, 26 May 2022 at 13:53, Derek Atkins (<derek@ihtfp.com>) wrote:
>
> Thanks Rainer,
>
> This is working smashingly!
>
> The next issue I'm trying to solve is how do I add the client certificate
> information into the log message? I'd like to add e.g. the client
> certificate subject (or subjectAltName) into my log template (similar to
> how you can add the client hostname or fromhost-ip).
>
> Again, I am having issues searching, as any combination of "rsyslog" and
> "certificate" seems to bring up documentation on "how to configure TLS"
> which, obviously, I already know how to do...
>
> Any help or guidance would be appreciated.
>
> Thanks,
>
> -derek
>
> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
> >
> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
> >
> > HTH
> > Rainer
> >
> > Sent from phone, thus brief.
> >
> > Derek Atkins <derek@ihtfp.com> wrote on Tue, 17 May 2022, 22:01:
> >
> >> Hi,
> >>
> >> Are there docs on how to set this up on a per-input and/or per-omfwd
> >> basis?
> >>
> >> All the docs I can find suggest setting the global
> >> DefaultNetstreamDriver*
> >> variables, which in my case are not what I want because I need to be
> >> able
> >> to use different keys/certs/CAs for the input/imtcp vs the omfwd
> >> operations.
> >>
> >> I am running 8.2204.1.
> >>
> >> Thanks,
> >>
> >> -derek
> >>
> >> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
> >> > Yes, it's possible. Worked on that for quite some time last year ;-)
> >> >
> >> > Rainer
> >> >
> >> > On Mon, 25 Apr 2022 at 7:41, Mariusz Kruk via rsyslog
> >> > (<rsyslog@lists.adiscon.com>) wrote:
> >> >>
> >> >> There were some improvements to TLS handling introduced over several
> >> >> versions so you'd have to review the changelog and docs.
> >> >>
> >> >> But from what I see, the omfwd module supports setting separate TLS
> >> >> key/cert/cacert per action since 8.2108.
> >> >>
> >> >> The imtcp module also supports setting those on a per-input level
> >> since
> >> >> 8.2108.
> >> >>
> >> >> So it should work.
> >> >>
> >> >> It is always a good idea to do a tcpdump and see how the handshake
> >> >> progresses and when and where it fails.
> >> >>
> >> >> MK
> >> >>
> >> >> On 24.04.2022 00:35, Shane via rsyslog wrote:
> >> >> > Hi I am trying to get rsyslog to receive store/forward messages w/
> >> tls
> >> >> on
> >> >> > both sides.
> >> >> >
> >> >> > client --->tls---> rsyslog --->tls---> remote.something
> >> >> >
> >> >> > I got it set up so i could send to the rsyslog server but then i
> >> >> couldn't
> >> >> > add another ca/cert files. My config was using global and
> >> >> defaultnetstream
> >> >> >
> >> >> > I found on rsyslog.com that prior to 8.2202 it couldn't use tls on
> >> two
> >> >> > different source/dest. I found the cent 7 repo and got
> >> rsyslog-8.2204
> >> >> > installed. Now nothing works. I think i got the config correct
> >> but
> >> >> the
> >> >> > client keeps getting rejected.
> >> >> >
> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry
> >> returned
> >> >> > error: The TLS connection was non-properly terminated. [v8.2204.0
> >> try
> >> >> > https://www.rsyslog.com/e/2083 ]
> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session
> >> 0x7f6a04013360
> >> >> from
> >> >> > 192.168.5.22 will be closed due to error [v8.2204.0 try
> >> >> > https://www.rsyslog.com/e/2089 ]
> >> >> >
> >> >> > So then i tried going to the ossl module. Now its even worse. My
> >> >> config
> >> >> > is a mess now too.
> >> >> >
> >> >> > Does tls on both sides work?
> >> >> > Do I need the 8.2202+ version?
> >> >> > Do you have an example config?
> >>
> >>
> >> --
> >> Derek Atkins 617-623-3745
> >> derek@ihtfp.com www.ihtfp.com
> >> Computer and Internet Security Consultant
> >>
> >>
> >
>
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
Re: problems with tls and rsyslog [ In reply to ]
Hi Rainer.

Thank you for the reply (even though it's not the answer I was hoping to
hear).

So I guess the next question is how (or where) to add an identifier for an
intermediary.

Let's say I have a network that looks like this:

[ Client1 ] --\
[ Client2 ] ---+- [ Forwarder1 ] -\
[ Client3 ] --/                    \
                                    +-- [ Aggregator ]
[ Client4 ] --\                    /
[ Client5 ] ---+- [ Forwarder2 ] -/
[ Client6 ] --/


When I see messages at the Aggregator I want to know not only what Client
it came from, but also what Forwarder it came through.

Right now on the forwarders I change the message to include the client IP
and Client hostname (using set $!msg), and then send it using an omfwd
template (note that I have an intermediary variable for fromhost-ip here):

type="string" string="%timegenerated% from:%$fromhost-ip%
%syslogseverity-text%%$!msg%\n"

At the aggregator I also need to know whether a message came from
Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
hostname to the message that goes up to the aggregator. Right now it uses
this template for omfile:

type="string" string="%timegenerated% %msg%\n"

Will $hostname and $fromhost-ip on the aggregator be the hostname and ip
of the forwarder? Or the client?

What would be the best way to include this extra information in my log
entries?

Thanks,

-derek

On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
> unfortunately, this property is not yet available :-(
>
> Rainer
>
> On Thu, 26 May 2022 at 13:53, Derek Atkins (<derek@ihtfp.com>)
> wrote:
>>
>> Thanks Rainer,
>>
>> This is working smashingly!
>>
>> The next issue I'm trying to solve is how do I add the client
>> certificate
>> information into the log message? I'd like to add e.g. the client
>> certificate subject (or subjectAltName) into my log template (similar to
>> how you can add the client hostname or fromhost-ip).
>>
>> Again, I am having issues searching, as any combination of "rsyslog" and
>> "certificate" seems to bring up documentation on "how to configure TLS"
>> which, obviously, I already know how to do...
>>
>> Any help or guidance would be appreciated.
>>
>> Thanks,
>>
>> -derek
>>
>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>> >
>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>> >
>> > HTH
>> > Rainer
>> >
>> > Sent from phone, thus brief.
>> >
>> > Derek Atkins <derek@ihtfp.com> wrote on Tue, 17 May 2022, 22:01:
>> >
>> >> Hi,
>> >>
>> >> Are there docs on how to set this up on a per-input and/or per-omfwd
>> >> basis?
>> >>
>> >> All the docs I can find suggest setting the global
>> >> DefaultNetstreamDriver*
>> >> variables, which in my case are not what I want because I need to be
>> >> able
>> >> to use different keys/certs/CAs for the input/imtcp vs the omfwd
>> >> operations.
>> >>
>> >> I am running 8.2204.1.
>> >>
>> >> Thanks,
>> >>
>> >> -derek
>> >>
>> >> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>> >> > Yes, it's possible. Worked on that for quite some time last year
>> ;-)
>> >> >
>> >> > Rainer
>> >> >
>> >> > On Mon, 25 Apr 2022 at 7:41, Mariusz Kruk via rsyslog
>> >> > (<rsyslog@lists.adiscon.com>) wrote:
>> >> >>
>> >> >> There were some improvements to TLS handling introduced over
>> several
>> >> >> versions so you'd have to review the changelog and docs.
>> >> >>
>> >> >> But from what I see, the omfwd module supports setting separate
>> TLS
>> >> >> key/cert/cacert per action since 8.2108.
>> >> >>
>> >> >> The imtcp module also supports setting those on a per-input level
>> >> since
>> >> >> 8.2108.
>> >> >>
>> >> >> So it should work.
>> >> >>
>> >> >> It is always a good idea to do a tcpdump and see how the handshake
>> >> >> progresses and when and where it fails.
>> >> >>
>> >> >> MK
>> >> >>
>> >> >> On 24.04.2022 00:35, Shane via rsyslog wrote:
>> >> >> > Hi I am trying to get rsyslog to receive store/forward messages
>> w/
>> >> tls
>> >> >> on
>> >> >> > both sides.
>> >> >> >
>> >> >> > client --->tls---> rsyslog --->tls---> remote.something
>> >> >> >
>> >> >> > I got it set up so i could send to the rsyslog server but then i
>> >> >> couldn't
>> >> >> > add another ca/cert files. My config was using global and
>> >> >> defaultnetstream
>> >> >> >
>> >> >> > I found on rsyslog.com that prior to 8.2202 it couldn't use tls
>> on
>> >> two
>> >> >> > different source/dest. I found the cent 7 repo and got
>> >> rsyslog-8.2204
>> >> >> > installed. Now nothing works. I think i got the config correct
>> >> but
>> >> >> the
>> >> >> > client keeps getting rejected.
>> >> >> >
>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry
>> >> returned
>> >> >> > error: The TLS connection was non-properly terminated.
>> [v8.2204.0
>> >> try
>> >> >> > https://www.rsyslog.com/e/2083 ]
>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session
>> >> 0x7f6a04013360
>> >> >> from
>> >> >> > 192.168.5.22 will be closed due to error [v8.2204.0 try
>> >> >> > https://www.rsyslog.com/e/2089 ]
>> >> >> >
>> >> >> > So then i tried going to the ossl module. Now its even worse.
>> My
>> >> >> config
>> >> >> > is a mess now too.
>> >> >> >
>> >> >> > Does tls on both sides work?
>> >> >> > Do I need the 8.2202+ version?
>> >> >> > Do you have an example config?
>> >>
>> >>
>> >> --
>> >> Derek Atkins 617-623-3745
>> >> derek@ihtfp.com www.ihtfp.com
>> >> Computer and Internet Security Consultant
>> >>
>> >>
>> >
>>
>>
>> --
>> Derek Atkins 617-623-3745
>> derek@ihtfp.com www.ihtfp.com
>> Computer and Internet Security Consultant
>>
>


--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

Re: problems with tls and rsyslog [ In reply to ]
what I like to do is to format the body of the message as json, I create
$!msg=$msg and then I create a tree $!trusted and in that I add additional
metadata, including $!trusted.relay

set $.relay = $!trusted.relay;
set $!trusted.relay.last = $.relay;
set $!trusted.relay.host = $hostname;
# the post had ".last" again on the next line, which overwrote the nested hop; ".ip" is the presumed intent
set $!trusted.relay.ip = $!fromhost-ip;
set $!trusted.relay.time = $timegenerated;

then in the final aggregator, I have all the info I could want about what relays
the log has gone through, when it was processed by each relay, etc.

I also have the sender add additional metadata here as well (if it's reading
from a file, what filename for example)

David Lang

On Thu, 26 May 2022, Derek Atkins via
rsyslog wrote:

> Date: Thu, 26 May 2022 13:04:00 -0400
> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Cc: Derek Atkins <derek@ihtfp.com>, rsyslog-users <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] problems with tls and rsyslog
>
> Hi Rainer.
>
> Thank you for the reply (even though it's not the answer I was hoping to
> hear).
>
> So I guess the next question is how (or where) to add an identifier for an
> intermediary.
>
> Let's say I have a network that looks like this:
>
> [ Client1 ] --\
> [ Client2 ] ---+- [ Forwarder1 ] -\
> [ Client3 ] --/                    \
>                                     +-- [ Aggregator ]
> [ Client4 ] --\                    /
> [ Client5 ] ---+- [ Forwarder2 ] -/
> [ Client6 ] --/
>
>
> When I see messages at the Aggregator I want to know not only what Client
> it came from, but also what Forwarder it came through.
>
> Right now on the forwarders I change the message to include the client IP
> and Client hostname (using set $!msg), and then send it using an omfwd
> template (note that I have an intermediary variable for fromhost-ip here):
>
> type="string" string="%timegenerated% from:%$fromhost-ip%
> %syslogseverity-text%%$!msg%\n"
>
> At the aggregator I also need to know whether a message came from
> Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
> hostname to the message that goes up to the aggregator. Right now it uses
> this template for omfile:
>
> type="string" string="%timegenerated% %msg%\n"
>
> Will $hostname and $fromhost-ip on the aggregator be the hostname and ip
> of the forwarder? Or the client?
>
> What would be the best way to include this extra information in my log
> entries?
>
> Thanks,
>
> -derek
>
> On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
>> unfortunately, this property is not yet available :-(
>>
>> Rainer
>>
>> On Thu, 26 May 2022 at 13:53, Derek Atkins (<derek@ihtfp.com>)
>> wrote:
>>>
>>> Thanks Rainer,
>>>
>>> This is working smashingly!
>>>
>>> The next issue I'm trying to solve is how do I add the client
>>> certificate
>>> information into the log message? I'd like to add e.g. the client
>>> certificate subject (or subjectAltName) into my log template (similar to
>>> how you can add the client hostname or fromhost-ip).
>>>
>>> Again, I am having issues searching, as any combination of "rsyslog" and
>>> "certificate" seems to bring up documentation on "how to configure TLS"
>>> which, obviously, I already know how to do...
>>>
>>> Any help or guidance would be appreciated.
>>>
>>> Thanks,
>>>
>>> -derek
>>>
>>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>>> >
>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>>> >
>>> > HTH
>>> > Rainer
>>> >
>>> > Sent from phone, thus brief.
>>> >
>>> > Derek Atkins <derek@ihtfp.com> wrote on Tue, 17 May 2022, 22:01:
>>> >
>>> >> Hi,
>>> >>
>>> >> Are there docs on how to set this up on a per-input and/or per-omfwd
>>> >> basis?
>>> >>
>>> >> All the docs I can find suggest setting the global
>>> >> DefaultNetstreamDriver*
>>> >> variables, which in my case are not what I want because I need to be
>>> >> able
>>> >> to use different keys/certs/CAs for the input/imtcp vs the omfwd
>>> >> operations.
>>> >>
>>> >> I am running 8.2204.1.
>>> >>
>>> >> Thanks,
>>> >>
>>> >> -derek
>>> >>
>>> >> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>>> >> > Yes, it's possible. Worked on that for quite some time last year
>>> ;-)
>>> >> >
>>> >> > Rainer
>>> >> >
>>> >> > On Mon, 25 Apr 2022 at 7:41, Mariusz Kruk via rsyslog
>>> >> > (<rsyslog@lists.adiscon.com>) wrote:
>>> >> >>
>>> >> >> There were some improvements to TLS handling introduced over
>>> several
>>> >> >> versions so you'd have to review the changelog and docs.
>>> >> >>
>>> >> >> But from what I see, the omfwd module supports setting separate
>>> TLS
>>> >> >> key/cert/cacert per action since 8.2108.
>>> >> >>
>>> >> >> The imtcp module also supports setting those on a per-input level
>>> >> since
>>> >> >> 8.2108.
>>> >> >>
>>> >> >> So it should work.
>>> >> >>
>>> >> >> It is always a good idea to do a tcpdump and see how the handshake
>>> >> >> progresses and when and where it fails.
>>> >> >>
>>> >> >> MK
>>> >> >>
>>> >> >> On 24.04.2022 00:35, Shane via rsyslog wrote:
>>> >> >> > Hi I am trying to get rsyslog to receive store/forward messages
>>> w/
>>> >> tls
>>> >> >> on
>>> >> >> > both sides.
>>> >> >> >
>>> >> >> > client --->tls---> rsyslog --->tls---> remote.something
>>> >> >> >
>>> >> >> > I got it set up so i could send to the rsyslog server but then i
>>> >> >> couldn't
>>> >> >> > add another ca/cert files. My config was using global and
>>> >> >> defaultnetstream
>>> >> >> >
>>> >> >> > I found on rsyslog.com that prior to 8.2202 it couldn't use tls
>>> on
>>> >> two
>>> >> >> > different source/dest. I found the cent 7 repo and got
>>> >> rsyslog-8.2204
>>> >> >> > installed. Now nothing works. I think i got the config correct
>>> >> but
>>> >> >> the
>>> >> >> > client keeps getting rejected.
>>> >> >> >
>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry
>>> >> returned
>>> >> >> > error: The TLS connection was non-properly terminated.
>>> [v8.2204.0
>>> >> try
>>> >> >> > https://www.rsyslog.com/e/2083 ]
>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session
>>> >> 0x7f6a04013360
>>> >> >> from
>>> >> >> > 192.168.5.22 will be closed due to error [v8.2204.0 try
>>> >> >> > https://www.rsyslog.com/e/2089 ]
>>> >> >> >
>>> >> >> > So then i tried going to the ossl module. Now its even worse.
>>> My
>>> >> >> config
>>> >> >> > is a mess now too.
>>> >> >> >
>>> >> >> > Does tls on both sides work?
>>> >> >> > Do I need the 8.2202+ version?
>>> >> >> > Do you have an example config?
>>> >>
>>> >>
>>> >> --
>>> >> Derek Atkins 617-623-3745
>>> >> derek@ihtfp.com www.ihtfp.com
>>> >> Computer and Internet Security Consultant
>>> >>
>>> >>
>>> >
>>>
>>>
>>> --
>>> Derek Atkins 617-623-3745
>>> derek@ihtfp.com www.ihtfp.com
>>> Computer and Internet Security Consultant
>>>
>>
>
>
> --
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
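An added example (not David's or rsyslog's code) that models the $!trusted.relay scheme above in plain Python, so the structure that reaches the aggregator can be inspected offline: each hop wraps the body as JSON, nests the previous hop under "last" and records its own name, the peer it received from, and a timestamp; the aggregator then walks the chain. It assumes the fourth assignment was meant to be ".ip" (the post repeats ".last"), uses the relay's own hostname as the later reply's $$myhostname suggests, and all hostnames, addresses, timestamps and function names are constructed.

```python
"""Offline model of the $!trusted.relay chain described in the thread.

Added example, not rsyslog code: it mirrors in Python what the posted
RainerScript does to a JSON-formatted message body at each relay. All
hostnames, IPs and timestamps are constructed sample values; function
names are assumptions made for this example.
"""
import json


def ingest(raw: str) -> dict:
    """Parse a received message body.

    A body produced by an upstream relay is a JSON object with a "msg" key;
    a plain-text body from a client that does not wrap its messages is turned
    into {"msg": raw}, which is what `set $!msg = $msg;` does on the sender.
    """
    try:
        body = json.loads(raw)
        if isinstance(body, dict) and "msg" in body:
            return body
    except ValueError:
        pass
    return {"msg": raw}


def stamp_relay(body: dict, relay_host: str, peer_ip: str, now: str) -> dict:
    """Apply the per-hop steps of the posted snippet.

    Equivalent to:
        set $.relay = $!trusted.relay;        # previous hop's node, if any
        set $!trusted.relay.last = $.relay;   # nest it under "last"
        set $!trusted.relay.host = <this relay's own name>;
        set $!trusted.relay.ip   = <immediate sender, i.e. fromhost-ip>;
        set $!trusted.relay.time = <timegenerated>;
    relay_host is the relay's own name (the later reply points at
    $$myhostname for that); peer_ip is the address it received from.
    """
    previous = body.get("trusted", {}).get("relay")
    relay = {"host": relay_host, "ip": peer_ip, "time": now}
    if previous is not None:
        relay["last"] = previous
    body.setdefault("trusted", {})["relay"] = relay
    return body


def forward_chain(raw: str, hops) -> dict:
    """Push one message through a list of (relay_host, peer_ip, time) hops,
    serialising the body to JSON between hops the way a forwarder sends it."""
    wire = raw
    for host, peer_ip, when in hops:
        body = stamp_relay(ingest(wire), host, peer_ip, when)
        wire = json.dumps(body)
    return ingest(wire)


def relay_path(body: dict) -> list:
    """Walk the nested "last" chain and return (relay, received_from) pairs,
    oldest hop first.

    For the first relay, received_from is the original client's IP; for each
    later relay it is the previous relay's IP. So path[0] answers both
    "which client" and "which forwarder" at the aggregator.
    """
    path = []
    node = body.get("trusted", {}).get("relay")
    while node is not None:
        path.append((node["host"], node["ip"]))
        node = node.get("last")
    path.reverse()
    return path


# Constructed sample: Client2 -> Forwarder1 -> Aggregator, following the
# diagram in the thread. Addresses are documentation-range placeholders.
SAMPLE_HOPS = [
    ("forwarder1", "192.0.2.12", "2022-05-26T17:15:01Z"),   # peer = Client2
    ("aggregator", "192.0.2.101", "2022-05-26T17:15:02Z"),  # peer = Forwarder1
]

if __name__ == "__main__":
    final = forward_chain("sshd[4242]: Accepted publickey for ops", SAMPLE_HOPS)
    print(json.dumps(final, indent=2))
    for relay, received_from in relay_path(final):
        print(f"{relay} received it from {received_from}")
```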
Re: problems with tls and rsyslog [ In reply to ]
There is also the $$myhostname variable that can be used to identify “this” host.


> On May 26, 2022, at 12:15, David Lang via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> what I like to do is to format the body of the message as json, I create $!msg=$msg and then I create a tree $!trusted and in that I add additional metadata, including $!trusted.relay
>
> set $.relay = $!trusted.relay;
> set $!trusted.relay.last = $.relay;
> set $!trusted.relay.host = $hostname;
> # the post had ".last" again on the next line, which overwrote the nested hop; ".ip" is the presumed intent
> set $!trusted.relay.ip = $!fromhost-ip;
> set $!trusted.relay.time = $timegenerated;
>
> then in the final aggregator, I have all the info I could want about what relays the log has gone through, when it was processed by each relay, etc.
>
> I also have the sender add additional metadata here as well (if it's reading from a file, what filename for example)
>
> David Lang
>
> On Thu, 26 May 2022, Derek Atkins via rsyslog wrote:
>
>> Date: Thu, 26 May 2022 13:04:00 -0400
>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
>> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
>> Cc: Derek Atkins <derek@ihtfp.com>, rsyslog-users <rsyslog@lists.adiscon.com>
>> Subject: Re: [rsyslog] problems with tls and rsyslog
>> Hi Rainer.
>>
>> Thank you for the reply (even though it's not the answer I was hoping to
>> hear).
>>
>> So I guess the next question is how (or where) to add an identifier for an
>> intermediary.
>>
>> Let's say I have a network that looks like this:
>>
>> [ Client1 ] --\
>> [ Client2 ] ---+- [ Forwarder1 ] -\
>> [ Client3 ] --/                    \
>>                                     +-- [ Aggregator ]
>> [ Client4 ] --\                    /
>> [ Client5 ] ---+- [ Forwarder2 ] -/
>> [ Client6 ] --/
>>
>>
>> When I see messages at the Aggregator I want to know not only what Client
>> it came from, but also what Forwarder it came through.
>>
>> Right now on the forwarders I change the message to include the client IP
>> and Client hostname (using set $!msg), and then send it using an omfwd
>> template (note that I have an intermediary variable for fromhost-ip here):
>>
>> type="string" string="%timegenerated% from:%$fromhost-ip%
>> %syslogseverity-text%%$!msg%\n"
>>
>> At the aggregator I also need to know whether a message came from
>> Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
>> hostname to the message that goes up to the aggregator. Right now it uses
>> this template for omfile:
>>
>> type="string" string="%timegenerated% %msg%\n"
>>
>> Will $hostname and $fromhost-ip on the aggregator be the hostname and ip
>> of the forwarder? Or the client?
>>
>> What would be the best way to include this extra information in my log
>> entries?
>>
>> Thanks,
>>
>> -derek
>>
>> On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
>>> unfortunately, this property is not yet available :-(
>>>
>>> Rainer
>>>
>>> On Thu, 26 May 2022 at 13:53, Derek Atkins (<derek@ihtfp.com>)
>>> wrote:
>>>>
>>>> Thanks Rainer,
>>>>
>>>> This is working smashingly!
>>>>
>>>> The next issue I'm trying to solve is how do I add the client
>>>> certificate
>>>> information into the log message? I'd like to add e.g. the client
>>>> certificate subject (or subjectAltName) into my log template (similar to
>>>> how you can add the client hostname or fromhost-ip).
>>>>
>>>> Again, I am having issues searching, as any combination of "rsyslog" and
>>>> "certificate" seems to bring up documentation on "how to configure TLS"
>>>> which, obviously, I already know how to do...
>>>>
>>>> Any help or guidance would be appreciated.
>>>>
>>>> Thanks,
>>>>
>>>> -derek
>>>>
>>>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>>>> >
>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>>>> >
>>>> > HTH
>>>> > Rainer
>>>> >
>>>> > Sent from phone, thus brief.
>>>> >
>>>> > Derek Atkins <derek@ihtfp.com> wrote on Tue, 17 May 2022, 22:01:
>>>> >
>>>> >> Hi,
>>>> >>
>>>> >> Are there docs on how to set this up on a per-input and/or per-omfwd
>>>> >> basis?
>>>> >>
>>>> >> All the docs I can find suggest setting the global
>>>> >> DefaultNetstreamDriver*
>>>> >> variables, which in my case are not what I want because I need to be
>>>> >> able
>>>> >> to use different keys/certs/CAs for the input/imtcp vs the omfwd
>>>> >> operations.
>>>> >>
>>>> >> I am running 8.2204.1.
>>>> >>
>>>> >> Thanks,
>>>> >>
>>>> >> -derek
>>>> >>
>>>> >> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>>>> >> > Yes, it's possible. Worked on that for quite some time last year
>>>> ;-)
>>>> >> >
>>>> >> > Rainer
>>>> >> >
>>>> >> > On Mon, 25 Apr 2022 at 7:41, Mariusz Kruk via rsyslog
>>>> >> > (<rsyslog@lists.adiscon.com>) wrote:
>>>> >> >>
>>>> >> >> There were some improvements to TLS handling introduced over
>>>> several
>>>> >> >> versions so you'd have to review the changelog and docs.
>>>> >> >>
>>>> >> >> But from what I see, the omfwd module supports setting separate
>>>> TLS
>>>> >> >> key/cert/cacert per action since 8.2108.
>>>> >> >>
>>>> >> >> The imtcp module also supports setting those on a per-input level
>>>> >> since
>>>> >> >> 8.2108.
>>>> >> >>
>>>> >> >> So it should work.
>>>> >> >>
>>>> >> >> It is always a good idea to do a tcpdump and see how the handshake
>>>> >> >> progresses and when and where it fails.
>>>> >> >>
>>>> >> >> MK
>>>> >> >>
>>>> >> >> On 24.04.2022 00:35, Shane via rsyslog wrote:
>>>> >> >> > Hi I am trying to get rsyslog to receive store/forward messages
>>>> w/
>>>> >> tls
>>>> >> >> on
>>>> >> >> > both sides.
>>>> >> >> >
>>>> >> >> > client --->tls---> rsyslog --->tls---> remote.something
>>>> >> >> >
>>>> >> >> > I got it set up so i could send to the rsyslog server but then i
>>>> >> >> couldn't
>>>> >> >> > add another ca/cert files. My config was using global and
>>>> >> >> defaultnetstream
>>>> >> >> >
>>>> >> >> > I found on rsyslog.com that prior to 8.2202 it couldn't use tls
>>>> on
>>>> >> two
>>>> >> >> > different source/dest. I found the cent 7 repo and got
>>>> >> rsyslog-8.2204
>>>> >> >> > installed. Now nothing works. I think i got the config correct
>>>> >> but
>>>> >> >> the
>>>> >> >> > client keeps getting rejected.
>>>> >> >> >
>>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry
>>>> >> returned
>>>> >> >> > error: The TLS connection was non-properly terminated.
>>>> [v8.2204.0
>>>> >> try
>>>> >> >> > https://www.rsyslog.com/e/2083 ]
>>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session
>>>> >> 0x7f6a04013360
>>>> >> >> from
>>>> >> >> > 192.168.5.22 will be closed due to error [v8.2204.0 try
>>>> >> >> > https://www.rsyslog.com/e/2089 ]
>>>> >> >> >
>>>> >> >> > So then i tried going to the ossl module. Now its even worse.
>>>> My
>>>> >> >> config
>>>> >> >> > is a mess now too.
>>>> >> >> >
>>>> >> >> > Does tls on both sides work?
>>>> >> >> > Do I need the 8.2202+ version?
>>>> >> >> > Do you have an example config?
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Derek Atkins 617-623-3745
>>>> >> derek@ihtfp.com www.ihtfp.com
>>>> >> Computer and Internet Security Consultant
>>>> >>
>>>> >>
>>>> >
>>>>
>>>>
>>>> --
>>>> Derek Atkins 617-623-3745
>>>> derek@ihtfp.com www.ihtfp.com
>>>> Computer and Internet Security Consultant
>>>>
>>>
>>
>>
>> --
>> Derek Atkins 617-623-3745
>> derek@ihtfp.com www.ihtfp.com
>> Computer and Internet Security Consultant
>>
Re: problems with tls and rsyslog [ In reply to ]
Thanks, David!!

Interesting (and pretty cool) concept. In my case I know there will
always only be the 3-level hierarchy (client/forwarder/aggregator), so I'm
not sure I need something that generic; I only need to know the client and
forwarder. Still, I will consider that.

Silly n00b question: What is the difference between $fromhost-ip (which is
what my current forwarder config is using) and $!fromhost-ip (that you
use)? (The difference being the '!' in there?)

Thanks,

-derek

On Thu, May 26, 2022 1:15 pm, David Lang wrote:
> what I like to do is to format the body of the message as json, I create
> $!msg=$msg and then I create a tree $!trusted and in that I add additional
> metadata, including $!trusted.relay
>
> set $.relay = $!trusted.relay;
> set $!trusted.relay.last = $.relay;
> set $!trusted.relay.host = $hostname;
> set $!trusted.relay.last = $!fromhost-ip;
> set $!trusted.relay.time = $timegenerated;
>
> then in the final aggregator, I have all the info I could want about what
> relays the log has gone through, when it was processed by each relay, etc.
>
> I also have the sender add additional metadata here as well (if it's
> reading from a file, what filename for example)
>
> David Lang
>
> On Thu, 26 May 2022, Derek Atkins via
> rsyslog wrote:
>
>> Date: Thu, 26 May 2022 13:04:00 -0400
>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
>> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
>> Cc: Derek Atkins <derek@ihtfp.com>, rsyslog-users
>> <rsyslog@lists.adiscon.com>
>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>
>> Hi Rainer.
>>
>> Thank you for the reply (even though it's not the answer I was hoping to
>> hear).
>>
>> So I guess the next question is how (or where) to add an identifier for an
>> intermediary.
>>
>> Let's say I have a network that looks like this:
>>
>> [ Client1 ] --\
>> [ Client2 ] ---+- [ Forwarder1 ] -\
>> [ Client3 ] --/                    \
>>                                     +-- [ Aggregator ]
>> [ Client4 ] --\                    /
>> [ Client5 ] ---+- [ Forwarder2 ] -/
>> [ Client6 ] --/
>>
>>
>> When I see messages at the Aggregator I want to know not only what Client
>> it came from, but also what Forwarder it came through.
>>
>> Right now on the forwarders I change the message to include the client IP
>> and Client hostname (using set $!msg), and then send it using an omfwd
>> template (note that I have an intermediary variable for fromhost-ip here):
>>
>> type="string" string="%timegenerated% from:%$fromhost-ip%
>> %syslogseverity-text%%$!msg%\n"
>>
>> At the aggregator I also need to know whether a message came from
>> Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
>> hostname to the message that goes up to the aggregator. Right now it uses
>> this template for omfile:
>>
>> type="string" string="%timegenerated% %msg%\n"
>>
>> Will $hostname and $fromhost-ip on the aggregator be the hostname and ip
>> of the forwarder? Or the client?
>>
>> What would be the best way to include this extra information in my log
>> entries?
>>
>> Thanks,
>>
>> -derek
>>
>> On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
>>> unfortunately, this property is not yet available :-(
>>>
>>> Rainer
>>>
>>> El jue, 26 may 2022 a las 13:53, Derek Atkins (<derek@ihtfp.com>)
>>> escribió:
>>>>
>>>> Thanks Rainer,
>>>>
>>>> This is working smashingly!
>>>>
>>>> The next issue I'm trying to solve is how do I add the client certificate
>>>> information into the log message? I'd like to add e.g. the client
>>>> certificate subject (or subjectAltName) into my log template (similar to
>>>> how you can add the client hostname or fromhost-ip).
>>>>
>>>> Again, I am having issues searching, as any combination of "rsyslog" and
>>>> "certificate" seems to bring up documentation on "how to configure TLS"
>>>> which, obviously, I already know how to do...
>>>>
>>>> Any help or guidance would be appreciated.
>>>>
>>>> Thanks,
>>>>
>>>> -derek
>>>>
>>>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>>>> >
>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>>>> >
>>>> > HTH
>>>> > Rainer
>>>> >
>>>> > Sent from phone, thus brief.
>>>> >
>>>> > Derek Atkins <derek@ihtfp.com> schrieb am Di., 17. Mai 2022, 22:01:
>>>> >
>>>> >> Hi,
>>>> >>
>>>> >> Are there docs on how to set this up on a per-input and/or per-omfwd
>>>> >> basis?
>>>> >>
>>>> >> All the docs I can find suggest setting the global DefaultNetstreamDriver*
>>>> >> variables, which in my case are not what I want because I need to be able
>>>> >> to use different keys/certs/CAs for the input/imtcp vs the omfwd
>>>> >> operations.
>>>> >>
>>>> >> I am running 8.2204.1.
>>>> >>
>>>> >> Thanks,
>>>> >>
>>>> >> -derek
>>>> >>
>>>> >> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>>>> >> > Yes, it's possible. Worked on that for quite some time last year ;-)
>>>> >> >
>>>> >> > Rainer
>>>> >> >
>>>> >> > El lun, 25 abr 2022 a las 7:41, Mariusz Kruk via rsyslog
>>>> >> > (<rsyslog@lists.adiscon.com>) escribió:
>>>> >> >>
>>>> >> >> There were some improvements to TLS handling introduced over several
>>>> >> >> versions so you'd have to review the changelog and docs.
>>>> >> >>
>>>> >> >> But from what I see, the omfwd module supports setting separate TLS
>>>> >> >> key/cert/cacert per action since 8.2108.
>>>> >> >>
>>>> >> >> The imtcp module also supports setting those on a per-input level since
>>>> >> >> 8.2108.
>>>> >> >>
>>>> >> >> So it should work.
>>>> >> >>
>>>> >> >> It is always a good idea to do a tcpdump and see how the handshake
>>>> >> >> progresses and when and where it fails.
>>>> >> >>
>>>> >> >> MK
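Rainer's pointer to the imtcp and omfwd docs, together with Mariusz's note that both modules gained per-input and per-action key/cert/CA settings in 8.2108, is what lets a forwarder use two different certificate sets without touching the global DefaultNetstreamDriver* values. The configuration below is an added example, not a config from the thread or from the rsyslog project: it shows one rsyslog instance terminating TLS from clients with one CA/cert/key and opening TLS to the aggregator with another. The host names, peer names, ports and file paths are placeholders; the parameter names are the per-input StreamDriver.* parameters of imtcp and the per-action StreamDriver* parameters of omfwd as documented for 8.2108 and later (Derek was on 8.2204.1), so check them against the docs for the version you run.

```rsyslog
# Added example (not from the thread or the rsyslog project). Placeholders:
# *.clients.example.net, aggregator.example.net, ports and all file paths.

global(workDirectory="/var/spool/rsyslog")   # needed for the disk-assisted queue below

module(load="imtcp")

# Inbound hop: clients authenticate with certificates issued by the client CA
# and must present a name matching PermittedPeers. AuthMode x509/name checks
# both the chain and the name; mode 1 means TLS only, no plaintext fallback.
input(type="imtcp" port="6514" ruleset="relay"
      StreamDriver.Name="gtls"
      StreamDriver.Mode="1"
      StreamDriver.AuthMode="x509/name"
      StreamDriver.PermittedPeers="*.clients.example.net"
      StreamDriver.CAFile="/etc/rsyslog.d/tls/clients-ca.pem"
      StreamDriver.CertFile="/etc/rsyslog.d/tls/forwarder-server.pem"
      StreamDriver.KeyFile="/etc/rsyslog.d/tls/forwarder-server.key")

ruleset(name="relay") {
    # Outbound hop: this host presents a certificate from a different
    # (infrastructure) CA and only accepts a peer carrying the aggregator's name.
    # The disk-assisted queue is the "store" in store-and-forward: messages are
    # spooled while the aggregator is unreachable and retried indefinitely.
    action(type="omfwd" target="aggregator.example.net" port="6514" protocol="tcp"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="aggregator.example.net"
           StreamDriver.CAFile="/etc/rsyslog.d/tls/infra-ca.pem"
           StreamDriver.CertFile="/etc/rsyslog.d/tls/forwarder-client.pem"
           StreamDriver.KeyFile="/etc/rsyslog.d/tls/forwarder-client.key"
           queue.type="LinkedList"
           queue.filename="fwd_aggregator"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Keeping the two CA files separate is the point of the exercise: the inbound CA decides which clients may deliver logs to this host, the outbound CA decides which aggregator this host will trust, and a compromise of one trust domain does not let an attacker impersonate the other side. If a client is rejected with the GnuTLS "non-properly terminated" messages on the receiver, the session is being torn down by the peer: Mariusz's tcpdump of the handshake, or a test connection from the client host with gnutls-cli or openssl s_client using the client's own cert, key and CA, separates a chain failure (a fatal alert during the handshake) from a name-check failure (rsyslog's own log then reports that the peer name is not permitted, rather than a handshake error).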
Re: problems with tls and rsyslog [ In reply to ]
sorry, that's what I meant to use (typing from memory to lay out the idea)

David Lang

On Thu, 26 May 2022, John Chivian wrote:

> Date: Thu, 26 May 2022 12:20:12 -0500
> From: John Chivian <jchivian@chivian.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: David Lang <david@lang.hm>
> Subject: Re: [rsyslog] problems with tls and rsyslog
>
> There is also the $$myhostname variable that can be used to identify “this” host.
Re: problems with tls and rsyslog [ In reply to ]
I presume that was a typo and it should be "$myhostname" and not
"$$myhostname"? Or is there something special about "$$"?

-derek

On Thu, May 26, 2022 1:29 pm, David Lang via rsyslog wrote:
> sorry, that's what I ment to use (typeing from memory to lay out the idea)
>
> David Lang
>
> On Thu, 26 May 2022, John Chivian wrote:
>
>> Date: Thu, 26 May 2022 12:20:12 -0500
>> From: John Chivian <jchivian@chivian.com>
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Cc: David Lang <david@lang.hm>
>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>
>> There is also the $$myhostname variable that can be used to identify
>> “this” host.
>>
>>
>>> On May 26, 2022, at 12:15, David Lang via rsyslog
>>> <rsyslog@lists.adiscon.com> wrote:
>>>
>>> what I like to do is to format the body of the message as json, I
>>> create $!msg=$msg and then I create a tree $!trusted and in that I add
>>> additional metadata, including $!trusted.relay
>>>
>>> set $.relay = $!trusted.relay;
>>> set $!trusted.relay.last = $.relay;
>>> set $!trusted.relay.host = $hostname;
>>> set $!trusted.relay.last = $!fromhost-ip;
>>> set $!trusted.relay.time = $timegenerated;
>>>
>>> then in the final aggregator, I have all the info I could want about
>>> what relays the log has gone through, when it was proccessed by each
>>> relay, etc.
>>>
>>> I also have the sender add additional metadata here as well (if it's
>>> reading from a file , what filename for example)
>>>
>>> David Lang
>>>
>>> On Thu, 26 May 2022, Derek Atkins via rsyslog wrote:
>>>
>>>> Date: Thu, 26 May 2022 13:04:00 -0400
>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
>>>> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
>>>> Cc: Derek Atkins <derek@ihtfp.com>, rsyslog-users
>>>> <rsyslog@lists.adiscon.com>
>>>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>>> Hi Rainer.
>>>>
>>>> Thank you for the reply (even though it's not the answer I was hoping
>>>> to
>>>> hear).
>>>>
>>>> So I guess the next question is how (or where) to add an identifier
>>>> for an
>>>> intermediary.
>>>>
>>>> Let's say I have a network that looks like this:
>>>>
>>>> [ Client1 ] --\
>>>> [ Client2 ] ---+- [ Forwarder1 ] -\
>>>> [ Client3 ] --/ \
>>>> +-- [ Aggregator ]
>>>> [ Client4 ] --\ /
>>>> [ Client5 ] ---+- [ Forwarder2 ] -/
>>>> [ Client6 ] --/
>>>>
>>>>
>>>> When I see messages at the Aggregator I want to know not only what
>>>> Client
>>>> it came from, but also what Forwarder it came through.
>>>>
>>>> Right now on the forwarders I change the message to include the client
>>>> IP
>>>> and Client hostname (using set $!msg), and then send it using an onfwd
>>>> template (note that I have a intermediary variable for fromhost-ip
>>>> here):
>>>>
>>>> type="string" string="%timegenerated% from:%$fromhost-ip%
>>>> %syslogseverity-text%%$!msg%\n"
>>>>
>>>> At the aggregator I also need to know whether a message came from
>>>> Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
>>>> hostname to the message that goes up to the aggregator. Right now it
>>>> uses
>>>> this template for omfile:
>>>>
>>>> type="string" string="%timegenerated% %msg%\n"
>>>>
>>>> Will $hostname and $fromhost-ip on the aggregator be the hostname and
>>>> ip
>>>> of the forwarder? Or the client?
>>>>
>>>> What would be the best way to include this extra information in my log
>>>> entries?
>>>>
>>>> Thanks,
>>>>
>>>> -derek
>>>>
>>>> On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
>>>>> unfortunately, this property is not yet available :-(
>>>>>
>>>>> Rainer
>>>>>
>>>>> El jue, 26 may 2022 a las 13:53, Derek Atkins (<derek@ihtfp.com>)
>>>>> escribió:
>>>>>>
>>>>>> Thanks Rainer,
>>>>>>
>>>>>> This is working smashingly!
>>>>>>
>>>>>> The next issue I'm trying to solve is how do I add the client
>>>>>> certificate
>>>>>> information into the log message? I'd like to add e.g. the client
>>>>>> certificate subject (or subjectAltName) into my log template
>>>>>> (similar to
>>>>>> how you can add the client hostname or fromhost-ip).
>>>>>>
>>>>>> Again, I am having issues searching, as any combination of "rsyslog"
>>>>>> and
>>>>>> "certificate" seems to bring up documentation on "how to configure
>>>>>> TLS"
>>>>>> which, obviously, I already know how to do...
>>>>>>
>>>>>> Any help or guidance would be appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -derek
>>>>>>
>>>>>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>>>>>>> https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>>>>>>>
>>>>>>> https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>>>>>>>
>>>>>>> HTH
>>>>>>> Rainer
>>>>>>>
>>>>>>> Sent from phone, thus brief.
>>>>>>>
>>>>>>> Derek Atkins <derek@ihtfp.com> schrieb am Di., 17. Mai 2022, 22:01:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Are there docs on how to set this up on a per-input and/or
>>>>>>>> per-omfwd
>>>>>>>> basis?
>>>>>>>>
>>>>>>>> All the docs I can find suggest setting the global
>>>>>>>> DefaultNetstreamDriver*
>>>>>>>> variables, which in my case are not what I want because I need to
>>>>>>>> be
>>>>>>>> able
>>>>>>>> to use different keys/certs/CAs for the input/imtcp vs the omfwd
>>>>>>>> operations.
>>>>>>>>
>>>>>>>> I am running 8.2204.1.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> -derek
>>>>>>>>
>>>>>>>> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>>>>>>>>> Yes, it's possible. Worked on that for quite some time last year
>>>>>> ;-)
>>>>>>>>>
>>>>>>>>> Rainer
>>>>>>>>>
>>>>>>>>> El lun, 25 abr 2022 a las 7:41, Mariusz Kruk via rsyslog
>>>>>>>>> (<rsyslog@lists.adiscon.com>) escribió:
>>>>>>>>>>
>>>>>>>>>> There were some improvements to TLS handling introduced over
>>>>>> several
>>>>>>>>>> versions so you'd have to review the changelog and docs.
>>>>>>>>>>
>>>>>>>>>> But from what I see, the omfwd module supports setting separate
>>>>>> TLS
>>>>>>>>>> key/cert/cacert per action since 8.2108.
>>>>>>>>>>
>>>>>>>>>> The imtcp module also supports setting those on a per-input
>>>>>>>>>> level
>>>>>>>> since
>>>>>>>>>> 8.2108.
>>>>>>>>>>
>>>>>>>>>> So it should work.
>>>>>>>>>>
>>>>>>>>>> It is always a good idea to do a tcpdump and see how the
>>>>>>>>>> handshake
>>>>>>>>>> progresses and when and where it fails.
>>>>>>>>>>
>>>>>>>>>> MK
>>>>>>>>>>
>>>>>>>>>> On 24.04.2022 00:35, Shane via rsyslog wrote:
>>>>>>>>>>> Hi I am trying to get rsyslog to receive store/forward messages
>>>>>> w/
>>>>>>>> tls
>>>>>>>>>> on
>>>>>>>>>>> both sides.
>>>>>>>>>>>
>>>>>>>>>>> client --->tls---> rsyslog --->tls---> remote.something
>>>>>>>>>>>
>>>>>>>>>>> I got it set up so i could send to the rsyslog server but then
>>>>>>>>>>> i
>>>>>>>>>> couldn't
>>>>>>>>>>> add another ca/cert files. My config was using global and
>>>>>>>>>> defaultnetstream
>>>>>>>>>>>
>>>>>>>>>>> I found on rsyslog.com that prior to 8.2202 it couldn't use tls
>>>>>> on
>>>>>>>> two
>>>>>>>>>>> different source/dest. I found the cent 7 repo and got
>>>>>>>> rsyslog-8.2204
>>>>>>>>>>> installed. Now nothing works. I think i got the config
>>>>>>>>>>> correct
>>>>>>>> but
>>>>>>>>>> the
>>>>>>>>>>> client keeps getting rejected.
>>>>>>>>>>>
>>>>>>>>>>> Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry
>>>>>>>> returned
>>>>>>>>>>> error: The TLS connection was non-properly terminated.
>>>>>> [v8.2204.0
>>>>>>>> try
>>>>>>>>>>> https://www.rsyslog.com/e/2083 ]
>>>>>>>>>>> Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session
>>>>>>>> 0x7f6a04013360
>>>>>>>>>> from
>>>>>>>>>>> 192.168.5.22 will be closed due to error [v8.2204.0 try
>>>>>>>>>>> https://www.rsyslog.com/e/2089 ]
>>>>>>>>>>>
>>>>>>>>>>> So then i tried going to the ossl module. Now its even worse.
>>>>>> My
>>>>>>>>>> config
>>>>>>>>>>> is a mess now too.
>>>>>>>>>>>
>>>>>>>>>>> Does tls on both sides work?
>>>>>>>>>>> Do I need the 8.2202+ version?
>>>>>>>>>>> Do you have an example config?
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> rsyslog mailing list
>>>>>>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by
>>>>>> a
>>>>>>>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO
>>>>>>>>>> NOT
>>>>>>>> POST
>>>>>>>>>> if you DON'T LIKE THAT.
>>>>>>>>>> _______________________________________________
>>>>>>>>>> rsyslog mailing list
>>>>>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by
>>>>>>>>>> a
>>>>>>>> myriad
>>>>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
>>>>>>>>>> if
>>>>>>>> you
>>>>>>>>>> DON'T LIKE THAT.
>>>>>>>>> _______________________________________________
>>>>>>>>> rsyslog mailing list
>>>>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>>>>>> myriad
>>>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
>>>>>>>>> if
>>>>>> you
>>>>>>>>> DON'T LIKE THAT.
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Derek Atkins 617-623-3745
>>>>>>>> derek@ihtfp.com www.ihtfp.com
>>>>>>>> Computer and Internet Security Consultant
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Derek Atkins 617-623-3745
>>>>>> derek@ihtfp.com www.ihtfp.com
>>>>>> Computer and Internet Security Consultant
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Derek Atkins 617-623-3745
>>>> derek@ihtfp.com www.ihtfp.com
>>>> Computer and Internet Security Consultant
>>>>
>>>> _______________________________________________
>>>> rsyslog mailing list
>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>> http://www.rsyslog.com/professional-services/
>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
>>>> if you DON'T LIKE THAT.
>>> _______________________________________________
>>> rsyslog mailing list
>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>> http://www.rsyslog.com/professional-services/
>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>>> myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST
>>> if you DON'T LIKE THAT.
>>
>>
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.


--
Derek Atkins 617-623-3745
derek@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant

Re: problems with tls and rsyslog [ In reply to ]
there should not have been the ! on the right side

rsyslog has three trees of variables that you can set, plus properties that look
like variables that you can't set (rsyslog sets them from the message)

log with the template RSYSLOG_DebugFormat to see how it works.

$! and $. are very flexible, $! was created first and is the default for message
modification modules to use, so the idea is to use it for things that you intend
to have in the message (so you can put $! in the message template), $. was
created so that you have a place to set variables that you don't intend to be
part of the message (aka temp variables, things you will use in dynafile
templates, etc)

re-doing my example as I had flaws in it that I'm now seeing.

# save whatever the previous hop recorded, then nest it one level down
set $.relay = $!trusted!relay;
set $!trusted!relay!last = $.relay;
# this hop's own entry; system properties such as myhostname need the doubled $ in script
set $!trusted!relay!host = $$myhostname;
# "ip" is an assumed key name: the posted version assigned "last" a second time here,
# which would overwrite the nested copy made two lines up
set $!trusted!relay!ip = $fromhost-ip;
set $!trusted!relay!time = $timegenerated;

David Lang

On Thu, 26 May 2022, Derek Atkins wrote:

> Date: Thu, 26 May 2022 13:28:52 -0400
> From: Derek Atkins <derek@ihtfp.com>
> To: David Lang <david@lang.hm>
> Cc: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>,
> Rainer Gerhards <rgerhards@hq.adiscon.com>
> Subject: Re: [rsyslog] problems with tls and rsyslog
>
> Thanks, David!!
>
> Interesting (and pretty cool) concept. In my case I know there will
> always only be the 3-level hierarchy (client/forwarder/aggregator), so I'm
> not sure I need something that generic, I only need to know the client and
> forwarder. Still, I will consider that.
>
> Silly n00b question: What is the difference between $fromhost-ip (which is
> what my current forwarder config is using) and $!fromhost-ip (that you
> use)? (The difference being the '!' in there?)
>
> Thanks,
>
> -derek
>
> On Thu, May 26, 2022 1:15 pm, David Lang wrote:
>> what I like to do is to format the body of the message as json, I create
>> $!msg=$msg and then I create a tree $!trusted and in that I add additional
>> metadata, including $!trusted.relay
>>
>> set $.relay = $!trusted.relay;
>> set $!trusted.relay.last = $.relay;
>> set $!trusted.relay.host = $hostname;
>> set $!trusted.relay.last = $!fromhost-ip;
>> set $!trusted.relay.time = $timegenerated;
>>
>> then in the final aggregator, I have all the info I could want about what
>> relays
>>> the log has gone through, when it was processed by each relay, etc.
>>
>> I also have the sender add additional metadata here as well (if it's
>> reading
>> from a file , what filename for example)
>>
>> David Lang
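A worked configuration that puts the pieces of this thread together, added here as an editor's example; it is not config from any post or from the rsyslog project. It covers a forwarder that terminates TLS from clients with one CA/cert/key and opens TLS to the aggregator with a different set (the per-input imtcp and per-action omfwd parameters that Mariusz says exist since 8.2108, which is why a global-only DefaultNetstreamDriver setup could not serve two trust domains), David's $!trusted relay tree carried as CEE JSON, and an aggregator template that prints relay and client side by side. Hostnames, paths, port 6514, the ruleset and template names and the "ip" key are placeholders I chose; the parameter names are those the imtcp/omfwd docs linked above document for 8.2108 and later, so check them against the docs for the version you run. The point Derek asked about: on the aggregator, $hostname is parsed from the header the relay forwarded, so it is the client's name as long as the relay's template keeps %hostname%, while $fromhost-ip is the TCP peer, i.e. the forwarder.

```rsyslog
##### forwarder (relay) #####
module(load="imtcp")
module(load="mmjsonparse")

# client-facing listener with its own CA, server cert and key
# (per-input overrides, 8.2108+; file paths and peer pattern are placeholders)
input(type="imtcp" port="6514" ruleset="from-clients"
      streamDriver.name="gtls" streamDriver.mode="1"
      streamDriver.authMode="x509/name"
      permittedPeer=["*.clients.example.net"]
      streamDriver.CAFile="/etc/rsyslog.d/tls/clients-ca.pem"
      streamDriver.CertFile="/etc/rsyslog.d/tls/relay-server.pem"
      streamDriver.KeyFile="/etc/rsyslog.d/tls/relay-server.key")

# forward the whole $! tree as CEE JSON so the next hop can parse it back;
# %hostname% stays the client's name, which is what the aggregator sees as $hostname
template(name="relay-out" type="string"
         string="<%pri%>%timestamp:::date-rfc3339% %hostname% %syslogtag% @cee: %$!all-json%\n")

ruleset(name="from-clients") {
    action(type="mmjsonparse")             # sets $parsesuccess, fills $! on success
    if $parsesuccess != "OK" then {
        set $!msg = $msg;                  # plain syslog: carry the text as $!msg
    }
    # caveat: a client that sends "@cee:" JSON can supply its own $!trusted
    # subtree; this hop overwrites host/ip/time but "last" is taken on trust.
    # if clients are never relays, add "unset $!trusted;" here.
    set $.prev = $!trusted!relay;          # empty on the first hop
    set $!trusted!relay!last = $.prev;
    set $!trusted!relay!host = $$myhostname;
    set $!trusted!relay!ip = $fromhost-ip; # the client that connected to this relay
    set $!trusted!relay!time = $timegenerated;

    # upstream side: different CA, client cert and key (per-action, 8.2108+)
    action(type="omfwd" target="aggregator.example.net" port="6514" protocol="tcp"
           template="relay-out"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="aggregator.example.net"
           streamDriver.CAFile="/etc/rsyslog.d/tls/upstream-ca.pem"
           streamDriver.CertFile="/etc/rsyslog.d/tls/relay-client.pem"
           streamDriver.KeyFile="/etc/rsyslog.d/tls/relay-client.key"
           queue.type="LinkedList" queue.filename="to-aggregator"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
}

##### aggregator #####
module(load="imtcp")
module(load="mmjsonparse")

input(type="imtcp" port="6514" ruleset="from-relays"
      streamDriver.name="gtls" streamDriver.mode="1"
      streamDriver.authMode="x509/name"
      permittedPeer=["forwarder1.example.net", "forwarder2.example.net"]
      streamDriver.CAFile="/etc/rsyslog.d/tls/relays-ca.pem"
      streamDriver.CertFile="/etc/rsyslog.d/tls/aggregator.pem"
      streamDriver.KeyFile="/etc/rsyslog.d/tls/aggregator.key")

# relay = name it recorded itself / TCP peer address; client = forwarded header / ip the relay saw
template(name="agg-line" type="string"
         string="%timegenerated% relay=%$!trusted!relay!host%/%fromhost-ip% client=%hostname%/%$!trusted!relay!ip% %syslogseverity-text% %$!msg%\n")

ruleset(name="from-relays") {
    action(type="mmjsonparse")
    if $parsesuccess == "OK" and $!trusted!relay!host != "" then {
        action(type="omfile" file="/var/log/relayed.log" template="agg-line")
    } else {
        # no relay metadata: keep it, but apart, so a direct or malformed sender stands out
        action(type="omfile" file="/var/log/relayed-unparsed.log")
    }
}
```

Both listeners use x509/name with an explicit peer list rather than x509/certvalid, so a certificate from the right CA is not enough on its own; the name in it has to match. If your build still needs the driver named globally, keep global(DefaultNetstreamDriver="gtls") alongside the per-input settings; the per-input and per-action CA/cert/key values then override the global ones for that listener or action only.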
Re: problems with tls and rsyslog [ In reply to ]
actually, there are things that need $$, check the rsyslog properties docs
(these things evolved, and so if they were being designed today they would be
more consistent)

David Lang

On Thu, 26 May 2022, Derek Atkins wrote:

> Date: Thu, 26 May 2022 13:34:52 -0400
> From: Derek Atkins <derek@ihtfp.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: John Chivian <jchivian@chivian.com>, David Lang <david@lang.hm>
> Subject: Re: [rsyslog] problems with tls and rsyslog
>
> I presume that was a typo and it should be "$myhostname" and not
> "$$myhostname"? Or is there something special about "$$"?
>
> -derek
>
> On Thu, May 26, 2022 1:29 pm, David Lang via rsyslog wrote:
>> sorry, that's what I meant to use (typing from memory to lay out the idea)
>>
>> David Lang
>>
>> On Thu, 26 May 2022, John Chivian wrote:
>>
>>> Date: Thu, 26 May 2022 12:20:12 -0500
>>> From: John Chivian <jchivian@chivian.com>
>>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>>> Cc: David Lang <david@lang.hm>
>>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>>
>>> There is also the $$myhostname variable that can be used to identify
>>> “this” host.
Re: problems with tls and rsyslog [ In reply to ]
I'm using a similar setup, but for performance reasons I don't embed the original event in JSON; instead I glue a delimiter and an additional value onto the end of the event. Then in the aggregator I use field() to split them back. One caveat is that you need a character as the delimiter which is really, really unlikely to appear in the normal event. Tab is not a very bad choice, but there are types of sources which can contain it sometimes.


On 26 May 2022 19:28:52 CEST, Derek Atkins via rsyslog <rsyslog@lists.adiscon.com> wrote:
>Thanks, David!!
>
>Interesting (and pretty cool) concept. In my case I know there will
>always only be the 3-level hierarchy (client/forwarder/aggregator), so I'm
>not sure I need something that generic, I only need to know the client and
>forwarder. Still, I will consider that.
>
>Silly n00b question: What is the difference between $fromhost-ip (which is
>what my current forwarder config is using) and $!fromhost-ip (that you
>use)? (The difference being the '!' in there?)
>
>Thanks,
>
>-derek
>
>On Thu, May 26, 2022 1:15 pm, David Lang wrote:
>> what I like to do is to format the body of the message as json, I create
>> $!msg=$msg and then I create a tree $!trusted and in that I add additional
>> metadata, including $!trusted.relay
>>
>> set $.relay = $!trusted.relay;
>> set $!trusted.relay.last = $.relay;
>> set $!trusted.relay.host = $hostname;
>> set $!trusted.relay.last = $!fromhost-ip;
>> set $!trusted.relay.time = $timegenerated;
>>
>> then in the final aggregator, I have all the info I could want about what
>> relays
>> the log has gone through, when it was processed by each relay, etc.
>>
>> I also have the sender add additional metadata here as well (if it's
>> reading
>> from a file , what filename for example)
>>
>> David Lang
>>
>> On Thu, 26 May 2022, Derek Atkins via
>> rsyslog wrote:
>>
>>> Date: Thu, 26 May 2022 13:04:00 -0400
>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
>>> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
>>> Cc: Derek Atkins <derek@ihtfp.com>, rsyslog-users
>>> <rsyslog@lists.adiscon.com>
>>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>>
>>> Hi Rainer.
>>>
>>> Thank you for the reply (even though it's not the answer I was hoping to
>>> hear).
>>>
>>> So I guess the next question is how (or where) to add an identifier for
>>> an
>>> intermediary.
>>>
>>> Let's say I have a network that looks like this:
>>>
>>> [ Client1 ] --\
>>> [ Client2 ] ---+- [ Forwarder1 ] -\
>>> [ Client3 ] --/ \
>>> +-- [ Aggregator ]
>>> [ Client4 ] --\ /
>>> [ Client5 ] ---+- [ Forwarder2 ] -/
>>> [ Client6 ] --/
>>>
>>>
>>> When I see messages at the Aggregator I want to know not only what
>>> Client
>>> it came from, but also what Forwarder it came through.
>>>
>>> Right now on the forwarders I change the message to include the client
>>> IP
>>> and Client hostname (using set $!msg), and then send it using an onfwd
>>> template (note that I have a intermediary variable for fromhost-ip
>>> here):
>>>
>>> type="string" string="%timegenerated% from:%$fromhost-ip%
>>> %syslogseverity-text%%$!msg%\n"
>>>
>>> At the aggregator I also need to know whether a message came from
>>> Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
>>> hostname to the message that goes up to the aggregator. Right now it
>>> uses
>>> this template for omfile:
>>>
>>> type="string" string="%timegenerated% %msg%\n"
>>>
>>> Will $hostname and $fromhost-ip on the aggregator be the hostname and ip
>>> of the forwarder? Or the client?
>>>
>>> What would be the best way to include this extra information in my log
>>> entries?
>>>
>>> Thanks,
>>>
>>> -derek
>>>
>>> On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
>>>> unfortunately, this property is not yet available :-(
>>>>
>>>> Rainer
>>>>
>>>> El jue, 26 may 2022 a las 13:53, Derek Atkins (<derek@ihtfp.com>)
>>>> escribió:
>>>>>
>>>>> Thanks Rainer,
>>>>>
>>>>> This is working smashingly!
>>>>>
>>>>> The next issue I'm trying to solve is how do I add the client
>>>>> certificate
>>>>> information into the log message? I'd like to add e.g. the client
>>>>> certificate subject (or subjectAltName) into my log template (similar
>>>>> to
>>>>> how you can add the client hostname or fromhost-ip).
>>>>>
>>>>> Again, I am having issues searching, as any combination of "rsyslog"
>>>>> and
>>>>> "certificate" seems to bring up documentation on "how to configure
>>>>> TLS"
>>>>> which, obviously, I already know how to do...
>>>>>
>>>>> Any help or guidance would be appreciated.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -derek
>>>>>
>>>>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>>>>> >
>>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>>>>> >
>>>>> > HTH
>>>>> > Rainer
>>>>> >
>>>>> > Sent from phone, thus brief.
>>>>> >
>>>>> > Derek Atkins <derek@ihtfp.com> schrieb am Di., 17. Mai 2022, 22:01:
>>>>> >
>>>>> >> Hi,
>>>>> >>
>>>>> >> Are there docs on how to set this up on a per-input and/or
>>>>> per-omfwd
>>>>> >> basis?
>>>>> >>
>>>>> >> All the docs I can find suggest setting the global
>>>>> >> DefaultNetstreamDriver*
>>>>> >> variables, which in my case are not what I want because I need to
>>>>> be
>>>>> >> able
>>>>> >> to use different keys/certs/CAs for the input/imtcp vs the omfwd
>>>>> >> operations.
>>>>> >>
>>>>> >> I am running 8.2204.1.
>>>>> >>
>>>>> >> Thanks,
>>>>> >>
>>>>> >> -derek
>>>>> >>
>>>>> >> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>>>>> >> > Yes, it's possible. Worked on that for quite some time last year ;-)
>>>>> >> >
>>>>> >> > Rainer
>>>>> >> >
>>>>> >> > El lun, 25 abr 2022 a las 7:41, Mariusz Kruk via rsyslog
>>>>> >> > (<rsyslog@lists.adiscon.com>) escribió:
>>>>> >> >>
>>>>> >> >> There were some improvements to TLS handling introduced over several
>>>>> >> >> versions so you'd have to review the changelog and docs.
>>>>> >> >>
>>>>> >> >> But from what I see, the omfwd module supports setting separate TLS
>>>>> >> >> key/cert/cacert per action since 8.2108.
>>>>> >> >>
>>>>> >> >> The imtcp module also supports setting those on a per-input level since
>>>>> >> >> 8.2108.
>>>>> >> >>
>>>>> >> >> So it should work.
>>>>> >> >>
>>>>> >> >> It is always a good idea to do a tcpdump and see how the handshake
>>>>> >> >> progresses and when and where it fails.
>>>>> >> >>
>>>>> >> >> MK
>>>>> >> >>
>>>>> >> >> On 24.04.2022 00:35, Shane via rsyslog wrote:
>>>>> >> >> > Hi I am trying to get rsyslog to receive store/forward messages w/ tls on
>>>>> >> >> > both sides.
>>>>> >> >> >
>>>>> >> >> > client --->tls---> rsyslog --->tls---> remote.something
>>>>> >> >> >
>>>>> >> >> > I got it set up so i could send to the rsyslog server but then i couldn't
>>>>> >> >> > add another ca/cert files. My config was using global and defaultnetstream
>>>>> >> >> >
>>>>> >> >> > I found on rsyslog.com that prior to 8.2202 it couldn't use tls on two
>>>>> >> >> > different source/dest. I found the cent 7 repo and got rsyslog-8.2204
>>>>> >> >> > installed. Now nothing works. I think i got the config correct but the
>>>>> >> >> > client keeps getting rejected.
>>>>> >> >> >
>>>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry returned
>>>>> >> >> > error: The TLS connection was non-properly terminated. [v8.2204.0 try
>>>>> >> >> > https://www.rsyslog.com/e/2083 ]
>>>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session 0x7f6a04013360 from
>>>>> >> >> > 192.168.5.22 will be closed due to error [v8.2204.0 try
>>>>> >> >> > https://www.rsyslog.com/e/2089 ]
>>>>> >> >> >
>>>>> >> >> > So then i tried going to the ossl module. Now its even worse. My config
>>>>> >> >> > is a mess now too.
>>>>> >> >> >
>>>>> >> >> > Does tls on both sides work?
>>>>> >> >> > Do I need the 8.2202+ version?
>>>>> >> >> > Do you have an example config?
>>>>> >>
>>>>> >>
>>>>> >> --
>>>>> >> Derek Atkins 617-623-3745
>>>>> >> derek@ihtfp.com www.ihtfp.com
>>>>> >> Computer and Internet Security Consultant
>>>>> >>
>>>>> >>
>>>>> >
>>>>>
>>>>>
>>>>> --
>>>>> Derek Atkins 617-623-3745
>>>>> derek@ihtfp.com www.ihtfp.com
>>>>> Computer and Internet Security Consultant
>>>>>
>>>>
>>>
>>>
>>> --
>>> Derek Atkins 617-623-3745
>>> derek@ihtfp.com www.ihtfp.com
>>> Computer and Internet Security Consultant
>>>
>
>
>--
> Derek Atkins 617-623-3745
> derek@ihtfp.com www.ihtfp.com
> Computer and Internet Security Consultant
>
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
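The per-input and per-action TLS settings that Mariusz and Rainer confirm in the quoted thread (imtcp and omfwd, since 8.2108) are what Shane's "tls on both sides" relay needs. The configuration below is an added example, not a config posted in this thread or shipped by the rsyslog project. Parameter names follow the imtcp and omfwd documentation Rainer links later in the thread, but verify them against the version you run; the host names, ports and certificate paths are made up.

```rsyslog
# Added example (not from the thread): a store-and-forward relay with
# separate TLS identities on the client-facing input and the upstream
# forwarding action. Host names, ports and certificate paths are made up.
# No global(DefaultNetstreamDriver...) and no module-level driver settings
# are used, so each side carries its own CA, certificate and key.
module(load="imtcp")

# Client-facing side. Clients must present a certificate issued by the
# client CA and their certificate name must match the permitted pattern;
# mode "1" refuses plain-TCP connections on this port.
input(type="imtcp" port="6514" ruleset="to-upstream"
      streamDriver.name="gtls"
      streamDriver.mode="1"
      streamDriver.authMode="x509/name"
      permittedPeer=["*.clients.example.internal"]
      streamDriver.caFile="/etc/rsyslog.d/tls/client-ca.pem"
      streamDriver.certFile="/etc/rsyslog.d/tls/relay-server.pem"
      streamDriver.keyFile="/etc/rsyslog.d/tls/relay-server.key")

# Upstream side: a different CA and key pair, with the aggregator's name
# pinned so the relay will not deliver to an impostor. The disk-assisted
# queue is the "store" half of store-and-forward: messages are kept on disk
# while the aggregator is unreachable and retried indefinitely.
ruleset(name="to-upstream") {
    action(type="omfwd" target="aggregator.example.internal" port="6514"
           protocol="tcp"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="aggregator.example.internal"
           StreamDriver.CAFile="/etc/rsyslog.d/tls/upstream-ca.pem"
           StreamDriver.CertFile="/etc/rsyslog.d/tls/relay-client.pem"
           StreamDriver.KeyFile="/etc/rsyslog.d/tls/relay-client.key"
           queue.type="LinkedList"
           queue.filename="upstream-q"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Keep both hops on the same driver family (gtls on both, or ossl on both, by changing the two driver names); a peer that speaks plain TCP to a mode="1" listener, or that is configured for a different driver, fails at the handshake, which is where Mariusz's tcpdump advice applies. With authMode="x509/name" each side also checks the other's certificate name, so a stolen-but-misnamed certificate is rejected rather than silently accepted.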
Re: problems with tls and rsyslog [ In reply to ]
David is correct. The $$myhostname variable is one of those for which two dollar sign characters is needed.

> On May 26, 2022, at 12:42, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> I'm using a similat setup but for performance reasons I don't embed the original event in json but instead I glue a delimiter and an additional value at the end of the event. Then in the aggregator I use field() to split them back. One caveat is that you need a character which is really really unlikely to appear in the normal event as a delimiter. Tab is not a very bad choice but there are types of sources which can contain it sometimes.
>
>
> On 26 May 2022 19:28:52 CEST, Derek Atkins via rsyslog <rsyslog@lists.adiscon.com> wrote:
>> Thanks, David!!
>>
>> Interesting (and pretty cool) concept. In my case I know there will
>> always only be the 3-level hierarchy (client/forwarder/aggregator), so I'm
>> not sure I need something that generic, I only need to know the client and
>> forwarder. Still, I will consider that.
>>
>> Silly n00b question: What is the difference between $fromhost-ip (which is
>> what my current forwarder config is using) and $!fromhost-ip (that you
>> use)? (The difference being the '!' in there?)
>>
>> Thanks,
>>
>> -derek
>>
>> On Thu, May 26, 2022 1:15 pm, David Lang wrote:
>>> what I like to do is to format the body of the message as json, I create
>>> $!msg=$msg and then I create a tree $!trusted and in that I add additional
>>> metadata, including $!trusted.relay
>>>
>>> set $.relay = $!trusted.relay;
>>> set $!trusted.relay.last = $.relay;
>>> set $!trusted.relay.host = $hostname;
>>> set $!trusted.relay.last = $!fromhost-ip;
>>> set $!trusted.relay.time = $timegenerated;
>>>
>>> then in the final aggregator, I have all the info I could want about what
>>> relays
>>> the log has gone through, when it was proccessed by each relay, etc.
>>>
>>> I also have the sender add additional metadata here as well (if it's
>>> reading
>>> from a file , what filename for example)
>>>
>>> David Lang
>>>
>>> On Thu, 26 May 2022, Derek Atkins via
>>> rsyslog wrote:
>>>
>>>> Date: Thu, 26 May 2022 13:04:00 -0400
>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
>>>> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
>>>> Cc: Derek Atkins <derek@ihtfp.com>, rsyslog-users
>>>> <rsyslog@lists.adiscon.com>
>>>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>>>
>>>> Hi Rainer.
>>>>
>>>> Thank you for the reply (even though it's not the answer I was hoping to
>>>> hear).
>>>>
>>>> So I guess the next question is how (or where) to add an identifier for
>>>> an
>>>> intermediary.
>>>>
>>>> Let's say I have a network that looks like this:
>>>>
>>>> [ Client1 ] --\
>>>> [ Client2 ] ---+- [ Forwarder1 ] -\
>>>> [ Client3 ] --/                    \
>>>>                                    +-- [ Aggregator ]
>>>> [ Client4 ] --\                    /
>>>> [ Client5 ] ---+- [ Forwarder2 ] -/
>>>> [ Client6 ] --/
>>>>
>>>>
>>>> When I see messages at the Aggregator I want to know not only what
>>>> Client
>>>> it came from, but also what Forwarder it came through.
>>>>
>>>> Right now on the forwarders I change the message to include the client
>>>> IP
>>>> and Client hostname (using set $!msg), and then send it using an onfwd
>>>> template (note that I have a intermediary variable for fromhost-ip
>>>> here):
>>>>
>>>> type="string" string="%timegenerated% from:%$fromhost-ip%
>>>> %syslogseverity-text%%$!msg%\n"
>>>>
>>>> At the aggregator I also need to know whether a message came from
>>>> Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
>>>> hostname to the message that goes up to the aggregator. Right now it
>>>> uses
>>>> this template for omfile:
>>>>
>>>> type="string" string="%timegenerated% %msg%\n"
>>>>
>>>> Will $hostname and $fromhost-ip on the aggregator be the hostname and ip
>>>> of the forwarder? Or the client?
>>>>
>>>> What would be the best way to include this extra information in my log
>>>> entries?
>>>>
>>>> Thanks,
>>>>
>>>> -derek
>>>>
>>>> On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
>>>>> unfortunately, this property is not yet available :-(
>>>>>
>>>>> Rainer
>>>>>
>>>>> El jue, 26 may 2022 a las 13:53, Derek Atkins (<derek@ihtfp.com>)
>>>>> escribió:
>>>>>>
>>>>>> Thanks Rainer,
>>>>>>
>>>>>> This is working smashingly!
>>>>>>
>>>>>> The next issue I'm trying to solve is how do I add the client
>>>>>> certificate
>>>>>> information into the log message? I'd like to add e.g. the client
>>>>>> certificate subject (or subjectAltName) into my log template (similar
>>>>>> to
>>>>>> how you can add the client hostname or fromhost-ip).
>>>>>>
>>>>>> Again, I am having issues searching, as any combination of "rsyslog"
>>>>>> and
>>>>>> "certificate" seems to bring up documentation on "how to configure
>>>>>> TLS"
>>>>>> which, obviously, I already know how to do...
>>>>>>
>>>>>> Any help or guidance would be appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -derek
>>>>>>
>>>>>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>>>>>>> https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>>>>>>>
>>>>>>> https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>>>>>>>
>>>>>>> HTH
>>>>>>> Rainer
>>>>>>>
>>>>>>> Sent from phone, thus brief.
>>>>>>>
>>>>>>> Derek Atkins <derek@ihtfp.com> schrieb am Di., 17. Mai 2022, 22:01:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Are there docs on how to set this up on a per-input and/or
>>>>>> per-omfwd
>>>>>>>> basis?
>>>>>>>>
>>>>>>>> All the docs I can find suggest setting the global
>>>>>>>> DefaultNetstreamDriver*
>>>>>>>> variables, which in my case are not what I want because I need to
>>>>>> be
>>>>>>>> able
>>>>>>>> to use different keys/certs/CAs for the input/imtcp vs the omfwd
>>>>>>>> operations.
>>>>>>>>
>>>>>>>> I am running 8.2204.1.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> -derek
>>>>>>>>
>>>>>>>> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>>>>>>>>> Yes, it's possible. Worked on that for quite some time last year ;-)
>>>>>>>>>
>>>>>>>>> Rainer
>>>>>>>>>
>>>>>>>>> El lun, 25 abr 2022 a las 7:41, Mariusz Kruk via rsyslog
>>>>>>>>> (<rsyslog@lists.adiscon.com>) escribió:
>>>>>>>>>>
>>>>>>>>>> There were some improvements to TLS handling introduced over several
>>>>>>>>>> versions so you'd have to review the changelog and docs.
>>>>>>>>>>
>>>>>>>>>> But from what I see, the omfwd module supports setting separate TLS
>>>>>>>>>> key/cert/cacert per action since 8.2108.
>>>>>>>>>>
>>>>>>>>>> The imtcp module also supports setting those on a per-input level since
>>>>>>>>>> 8.2108.
>>>>>>>>>>
>>>>>>>>>> So it should work.
>>>>>>>>>>
>>>>>>>>>> It is always a good idea to do a tcpdump and see how the handshake
>>>>>>>>>> progresses and when and where it fails.
>>>>>>>>>>
>>>>>>>>>> MK
>>>>>>>>>>
>>>>>>>>>> On 24.04.2022 00:35, Shane via rsyslog wrote:
>>>>>>>>>>> Hi I am trying to get rsyslog to receive store/forward messages w/ tls on
>>>>>>>>>>> both sides.
>>>>>>>>>>>
>>>>>>>>>>> client --->tls---> rsyslog --->tls---> remote.something
>>>>>>>>>>>
>>>>>>>>>>> I got it set up so i could send to the rsyslog server but then i couldn't
>>>>>>>>>>> add another ca/cert files. My config was using global and defaultnetstream
>>>>>>>>>>>
>>>>>>>>>>> I found on rsyslog.com that prior to 8.2202 it couldn't use tls on two
>>>>>>>>>>> different source/dest. I found the cent 7 repo and got rsyslog-8.2204
>>>>>>>>>>> installed. Now nothing works. I think i got the config correct but the
>>>>>>>>>>> client keeps getting rejected.
>>>>>>>>>>>
>>>>>>>>>>> Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry returned
>>>>>>>>>>> error: The TLS connection was non-properly terminated. [v8.2204.0 try
>>>>>>>>>>> https://www.rsyslog.com/e/2083 ]
>>>>>>>>>>> Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session 0x7f6a04013360 from
>>>>>>>>>>> 192.168.5.22 will be closed due to error [v8.2204.0 try
>>>>>>>>>>> https://www.rsyslog.com/e/2089 ]
>>>>>>>>>>>
>>>>>>>>>>> So then i tried going to the ossl module. Now its even worse. My config
>>>>>>>>>>> is a mess now too.
>>>>>>>>>>>
>>>>>>>>>>> Does tls on both sides work?
>>>>>>>>>>> Do I need the 8.2202+ version?
>>>>>>>>>>> Do you have an example config?
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Derek Atkins 617-623-3745
>>>>>>>> derek@ihtfp.com www.ihtfp.com
>>>>>>>> Computer and Internet Security Consultant
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Derek Atkins 617-623-3745
>>>>>> derek@ihtfp.com www.ihtfp.com
>>>>>> Computer and Internet Security Consultant
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Derek Atkins 617-623-3745
>>>> derek@ihtfp.com www.ihtfp.com
>>>> Computer and Internet Security Consultant
>>>>
>>
>>
>> --
>> Derek Atkins 617-623-3745
>> derek@ihtfp.com www.ihtfp.com
>> Computer and Internet Security Consultant
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
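The post above settles the `$$myhostname` spelling, and the quoted exchange carries David Lang's `$!trusted` metadata tree and Derek's forwarder template. Below is an added forwarder-side example that puts the two together for Derek's fixed client / forwarder / aggregator layout; it is not code from the thread. It uses rsyslog's `!` path separator for JSON subtree variables (`$!trusted!relay!host`), and the host names and ports are made up; the TLS driver parameters are left out so the metadata handling stays in focus. On Derek's `$fromhost-ip` versus `$!fromhost-ip` question: `$fromhost-ip` is the built-in message property holding the address of the peer that delivered the message, while `$!fromhost-ip` is merely a key named `fromhost-ip` in the message's JSON tree, which is empty unless something has set it.

```rsyslog
# Added example (not from the thread): forwarder side of the
# client -> forwarder -> aggregator layout. Names and ports are made up.
module(load="imtcp")

# RFC 5424 line whose body is the whole JSON tree ($!), behind the "@cee:"
# cookie that mmjsonparse on the aggregator looks for by default.
template(name="relay-json" type="string"
         string="<%PRI%>1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% - @cee:%$!%\n")

ruleset(name="from-clients") {
    # Keep the original text exactly as received.
    set $!msg = $msg;

    # Who sent it to this relay: $fromhost-ip is the TCP peer, while
    # $hostname is the HOSTNAME field the client put in its own header.
    set $!trusted!client!ip   = $fromhost-ip;
    set $!trusted!client!host = $hostname;

    # Who this relay is: $$myhostname is a system property, hence the
    # two dollar signs (as the post above notes).
    set $!trusted!relay!host = $$myhostname;
    set $!trusted!relay!time = $timegenerated;

    action(type="omfwd" target="aggregator.example.internal" port="6514"
           protocol="tcp" template="relay-json")
}

input(type="imtcp" port="514" ruleset="from-clients")
```

At the aggregator, `$fromhost-ip` will be the forwarder's address (its TCP peer) and `$hostname` will be whatever the forwarder wrote into the header, which with this template is still the client's name. The forwarder's identity therefore travels inside the JSON tree rather than in the header, and because the tree is written by the relay, not the client, the `trusted` subtree cannot be spoofed by a client that merely formats its own message as JSON.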
Re: problems with tls and rsyslog [ In reply to ]
mmjsonparse and mmnormalize have good performance, and they avoid the problem of
the unusual character showing up in the message (although they do have a problem
if the message gets truncated)

David Lang

On Thu, 26 May 2022, Mariusz Kruk via rsyslog
wrote:

> Date: Thu, 26 May 2022 19:42:47 +0200
> From: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Mariusz Kruk <kruk@epsilon.eu.org>
> Subject: Re: [rsyslog] problems with tls and rsyslog
>
> I'm using a similat setup but for performance reasons I don't embed the original event in json but instead I glue a delimiter and an additional value at the end of the event. Then in the aggregator I use field() to split them back. One caveat is that you need a character which is really really unlikely to appear in the normal event as a delimiter. Tab is not a very bad choice but there are types of sources which can contain it sometimes.
>
>
> On 26 May 2022 19:28:52 CEST, Derek Atkins via rsyslog <rsyslog@lists.adiscon.com> wrote:
>> Thanks, David!!
>>
>> Interesting (and pretty cool) concept. In my case I know there will
>> always only be the 3-level hierarchy (client/forwarder/aggregator), so I'm
>> not sure I need something that generic, I only need to know the client and
>> forwarder. Still, I will consider that.
>>
>> Silly n00b question: What is the difference between $fromhost-ip (which is
>> what my current forwarder config is using) and $!fromhost-ip (that you
>> use)? (The difference being the '!' in there?)
>>
>> Thanks,
>>
>> -derek
>>
>> On Thu, May 26, 2022 1:15 pm, David Lang wrote:
>>> what I like to do is to format the body of the message as json, I create
>>> $!msg=$msg and then I create a tree $!trusted and in that I add additional
>>> metadata, including $!trusted.relay
>>>
>>> set $.relay = $!trusted.relay;
>>> set $!trusted.relay.last = $.relay;
>>> set $!trusted.relay.host = $hostname;
>>> set $!trusted.relay.last = $!fromhost-ip;
>>> set $!trusted.relay.time = $timegenerated;
>>>
>>> then in the final aggregator, I have all the info I could want about what
>>> relays
>>> the log has gone through, when it was proccessed by each relay, etc.
>>>
>>> I also have the sender add additional metadata here as well (if it's
>>> reading
>>> from a file , what filename for example)
>>>
>>> David Lang
>>>
>>> On Thu, 26 May 2022, Derek Atkins via
>>> rsyslog wrote:
>>>
>>>> Date: Thu, 26 May 2022 13:04:00 -0400
>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
>>>> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
>>>> Cc: Derek Atkins <derek@ihtfp.com>, rsyslog-users
>>>> <rsyslog@lists.adiscon.com>
>>>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>>>
>>>> Hi Rainer.
>>>>
>>>> Thank you for the reply (even though it's not the answer I was hoping to
>>>> hear).
>>>>
>>>> So I guess the next question is how (or where) to add an identifier for
>>>> an
>>>> intermediary.
>>>>
>>>> Let's say I have a network that looks like this:
>>>>
>>>> [ Client1 ] --\
>>>> [ Client2 ] ---+- [ Forwarder1 ] -\
>>>> [ Client3 ] --/                    \
>>>>                                    +-- [ Aggregator ]
>>>> [ Client4 ] --\                    /
>>>> [ Client5 ] ---+- [ Forwarder2 ] -/
>>>> [ Client6 ] --/
>>>>
>>>>
>>>> When I see messages at the Aggregator I want to know not only what
>>>> Client
>>>> it came from, but also what Forwarder it came through.
>>>>
>>>> Right now on the forwarders I change the message to include the client
>>>> IP
>>>> and Client hostname (using set $!msg), and then send it using an onfwd
>>>> template (note that I have a intermediary variable for fromhost-ip
>>>> here):
>>>>
>>>> type="string" string="%timegenerated% from:%$fromhost-ip%
>>>> %syslogseverity-text%%$!msg%\n"
>>>>
>>>> At the aggregator I also need to know whether a message came from
>>>> Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
>>>> hostname to the message that goes up to the aggregator. Right now it
>>>> uses
>>>> this template for omfile:
>>>>
>>>> type="string" string="%timegenerated% %msg%\n"
>>>>
>>>> Will $hostname and $fromhost-ip on the aggregator be the hostname and ip
>>>> of the forwarder? Or the client?
>>>>
>>>> What would be the best way to include this extra information in my log
>>>> entries?
>>>>
>>>> Thanks,
>>>>
>>>> -derek
>>>>
>>>> On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
>>>>> unfortunately, this property is not yet available :-(
>>>>>
>>>>> Rainer
>>>>>
>>>>> El jue, 26 may 2022 a las 13:53, Derek Atkins (<derek@ihtfp.com>)
>>>>> escribió:
>>>>>>
>>>>>> Thanks Rainer,
>>>>>>
>>>>>> This is working smashingly!
>>>>>>
>>>>>> The next issue I'm trying to solve is how do I add the client
>>>>>> certificate
>>>>>> information into the log message? I'd like to add e.g. the client
>>>>>> certificate subject (or subjectAltName) into my log template (similar
>>>>>> to
>>>>>> how you can add the client hostname or fromhost-ip).
>>>>>>
>>>>>> Again, I am having issues searching, as any combination of "rsyslog"
>>>>>> and
>>>>>> "certificate" seems to bring up documentation on "how to configure
>>>>>> TLS"
>>>>>> which, obviously, I already know how to do...
>>>>>>
>>>>>> Any help or guidance would be appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -derek
>>>>>>
>>>>>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>>>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>>>>>> >
>>>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>>>>>> >
>>>>>> > HTH
>>>>>> > Rainer
>>>>>> >
>>>>>> > Sent from phone, thus brief.
>>>>>> >
>>>>>> > Derek Atkins <derek@ihtfp.com> schrieb am Di., 17. Mai 2022, 22:01:
>>>>>> >
>>>>>> >> Hi,
>>>>>> >>
>>>>>> >> Are there docs on how to set this up on a per-input and/or
>>>>>> per-omfwd
>>>>>> >> basis?
>>>>>> >>
>>>>>> >> All the docs I can find suggest setting the global
>>>>>> >> DefaultNetstreamDriver*
>>>>>> >> variables, which in my case are not what I want because I need to
>>>>>> be
>>>>>> >> able
>>>>>> >> to use different keys/certs/CAs for the input/imtcp vs the omfwd
>>>>>> >> operations.
>>>>>> >>
>>>>>> >> I am running 8.2204.1.
>>>>>> >>
>>>>>> >> Thanks,
>>>>>> >>
>>>>>> >> -derek
>>>>>> >>
>>>>>> >> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>>>>>> >> > Yes, it's possible. Worked on that for quite some time last year ;-)
>>>>>> >> >
>>>>>> >> > Rainer
>>>>>> >> >
>>>>>> >> > El lun, 25 abr 2022 a las 7:41, Mariusz Kruk via rsyslog
>>>>>> >> > (<rsyslog@lists.adiscon.com>) escribió:
>>>>>> >> >>
>>>>>> >> >> There were some improvements to TLS handling introduced over several
>>>>>> >> >> versions so you'd have to review the changelog and docs.
>>>>>> >> >>
>>>>>> >> >> But from what I see, the omfwd module supports setting separate TLS
>>>>>> >> >> key/cert/cacert per action since 8.2108.
>>>>>> >> >>
>>>>>> >> >> The imtcp module also supports setting those on a per-input level since
>>>>>> >> >> 8.2108.
>>>>>> >> >>
>>>>>> >> >> So it should work.
>>>>>> >> >>
>>>>>> >> >> It is always a good idea to do a tcpdump and see how the handshake
>>>>>> >> >> progresses and when and where it fails.
>>>>>> >> >>
>>>>>> >> >> MK
>>>>>> >> >>
>>>>>> >> >> On 24.04.2022 00:35, Shane via rsyslog wrote:
>>>>>> >> >> > Hi I am trying to get rsyslog to receive store/forward messages w/ tls on
>>>>>> >> >> > both sides.
>>>>>> >> >> >
>>>>>> >> >> > client --->tls---> rsyslog --->tls---> remote.something
>>>>>> >> >> >
>>>>>> >> >> > I got it set up so i could send to the rsyslog server but then i couldn't
>>>>>> >> >> > add another ca/cert files. My config was using global and defaultnetstream
>>>>>> >> >> >
>>>>>> >> >> > I found on rsyslog.com that prior to 8.2202 it couldn't use tls on two
>>>>>> >> >> > different source/dest. I found the cent 7 repo and got rsyslog-8.2204
>>>>>> >> >> > installed. Now nothing works. I think i got the config correct but the
>>>>>> >> >> > client keeps getting rejected.
>>>>>> >> >> >
>>>>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry returned
>>>>>> >> >> > error: The TLS connection was non-properly terminated. [v8.2204.0 try
>>>>>> >> >> > https://www.rsyslog.com/e/2083 ]
>>>>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session 0x7f6a04013360 from
>>>>>> >> >> > 192.168.5.22 will be closed due to error [v8.2204.0 try
>>>>>> >> >> > https://www.rsyslog.com/e/2089 ]
>>>>>> >> >> >
>>>>>> >> >> > So then i tried going to the ossl module. Now its even worse. My config
>>>>>> >> >> > is a mess now too.
>>>>>> >> >> >
>>>>>> >> >> > Does tls on both sides work?
>>>>>> >> >> > Do I need the 8.2202+ version?
>>>>>> >> >> > Do you have an example config?
>>>>>> >>
>>>>>> >>
>>>>>> >> --
>>>>>> >> Derek Atkins 617-623-3745
>>>>>> >> derek@ihtfp.com www.ihtfp.com
>>>>>> >> Computer and Internet Security Consultant
>>>>>> >>
>>>>>> >>
>>>>>> >
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Derek Atkins 617-623-3745
>>>>>> derek@ihtfp.com www.ihtfp.com
>>>>>> Computer and Internet Security Consultant
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Derek Atkins 617-623-3745
>>>> derek@ihtfp.com www.ihtfp.com
>>>> Computer and Internet Security Consultant
>>>>
>>
>>
>> --
>> Derek Atkins 617-623-3745
>> derek@ihtfp.com www.ihtfp.com
>> Computer and Internet Security Consultant
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
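David Lang's post above recommends mmjsonparse over a delimiter, with the caveat that a truncated message no longer parses, and the quoted reply from Mariusz describes the delimiter-plus-`field()` alternative with its own caveat (the delimiter appearing inside an event). The aggregator-side configuration below is an added example showing both routes with those failure cases handled; it is not code from the thread. It assumes the forwarder sends `@cee:` followed by a tree containing `trusted!relay!host`, `trusted!client!host`, `trusted!client!ip` and `msg` for route (a), and the original text plus a TAB and the relay name for route (b); file paths and ports are made up.

```rsyslog
# Added example (not from the thread): aggregator side. Paths and ports are
# made up; the JSON layout is assumed to match the forwarder's template.
module(load="imtcp")
module(load="mmjsonparse")

template(name="agg-line" type="string"
         string="%timegenerated% relay=%$!trusted!relay!host% relay_ip=%fromhost-ip% client=%$!trusted!client!host% client_ip=%$!trusted!client!ip% %$!msg%\n")
template(name="agg-delim" type="string"
         string="%timegenerated% relay=%$!relay% relay_ip=%fromhost-ip% %$!msg%\n")

# (a) JSON body. mmjsonparse rebuilds $! from the @cee: payload (its default
# cookie) and sets $parsesuccess. A line cut off in transit is no longer
# valid JSON, so the check below keeps it out of the main log instead of
# letting empty fields through.
ruleset(name="from-forwarders-json") {
    action(type="mmjsonparse")
    if $parsesuccess == "OK" then {
        action(type="omfile" file="/var/log/aggregated.log" template="agg-line")
    } else {
        # keep the raw line for investigation rather than dropping it silently
        action(type="omfile" file="/var/log/aggregated-unparsed.log")
    }
}

# (b) Delimiter body: the forwarder appended "<TAB>relayname" to the text.
# field(str, delim, n) takes the delimiter as a character code (9 = TAB) and
# a 1-based field number, and returns "***FIELD NOT FOUND***" for a missing
# field. Exactly one delimiter is expected: none means an unconfigured
# forwarder or a truncated line, more than one means the event itself
# contained a TAB (Mariusz's caveat), so both cases are set aside.
ruleset(name="from-forwarders-delim") {
    set $.text  = field($msg, 9, 1);
    set $.relay = field($msg, 9, 2);
    set $.extra = field($msg, 9, 3);
    if $.relay == "***FIELD NOT FOUND***" or $.extra != "***FIELD NOT FOUND***" then {
        action(type="omfile" file="/var/log/aggregated-unparsed.log")
    } else {
        set $!relay = $.relay;
        set $!msg   = $.text;
        action(type="omfile" file="/var/log/aggregated.log" template="agg-delim")
    }
}

input(type="imtcp" port="6514" ruleset="from-forwarders-json")
input(type="imtcp" port="6515" ruleset="from-forwarders-delim")
```

Route (b) is cheaper per message, as Mariusz says, but its correctness rests on the delimiter never occurring in an event; route (a) costs a JSON parse but fails closed (the `$parsesuccess` branch) rather than mis-attributing a message to the wrong relay. Either way, `relay_ip` comes from `%fromhost-ip%`, the address of the TCP peer, which the forwarder cannot forge from inside the message body.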
Re: problems with tls and rsyslog [ In reply to ]
I'm not saying they don't :-)

But json parsing will always be slower than just finding a single
character ;-)

Works for me, anyway.

On 26.05.2022 19:48, David Lang wrote:
> mmjsonparse and mmnormalize have good performance, and they avoid the
> problem of the unusual character showing up in the message (although
> they do have a problem if the message gets truncated)
>
> David Lang
>
>  On Thu, 26 May 2022, Mariusz Kruk via rsyslog wrote:
>
>> Date: Thu, 26 May 2022 19:42:47 +0200
>> From: Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com>
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Cc: Mariusz Kruk <kruk@epsilon.eu.org>
>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>
>> I'm using a similat setup but for performance reasons I don't embed
>> the original event in json but instead I glue a delimiter and an
>> additional value at the end of the event. Then in the aggregator I
>> use field() to split them back. One caveat is that you need a
>> character which is really really unlikely to appear in the normal
>> event as a delimiter. Tab is not a very bad choice but there are
>> types of sources which can contain it sometimes.
>>
>>
>> On 26 May 2022 19:28:52 CEST, Derek Atkins via rsyslog
>> <rsyslog@lists.adiscon.com> wrote:
>>> Thanks, David!!
>>>
>>> Interesting (and pretty cool) concept.  In my case I know there will
>>> always only be the 3-level hierarchy (client/forwarder/aggregator),
>>> so I'm
>>> not sure I need something that generic, I only need to know the
>>> client and
>>> forwarder.  Still, I will consider that.
>>>
>>> Silly n00b question: What is the difference between $fromhost-ip
>>> (which is
>>> what my current forwarder config is using) and $!fromhost-ip (that you
>>> use)?  (The difference being the '!' in there?)
>>>
>>> Thanks,
>>>
>>> -derek
>>>
>>> On Thu, May 26, 2022 1:15 pm, David Lang wrote:
>>>> what I like to do is to format the body of the message as json, I
>>>> create
>>>> $!msg=$msg and then I create a tree $!trusted and in that I add
>>>> additional
>>>> metadata, including $!trusted.relay
>>>>
>>>> set $.relay = $!trusted.relay;
>>>> set $!trusted.relay.last = $.relay;
>>>> set $!trusted.relay.host = $hostname;
>>>> set $!trusted.relay.last = $!fromhost-ip;
>>>> set $!trusted.relay.time = $timegenerated;
>>>>
>>>> then in the final aggregator, I have all the info I could want
>>>> about what
>>>> relays
>>>> the log has gone through, when it was proccessed by each relay, etc.
>>>>
>>>> I also have the sender add additional metadata here as well (if it's
>>>> reading
>>>> from a file , what filename for example)
>>>>
>>>> David Lang
>>>>
>>>>   On Thu, 26 May 2022, Derek Atkins via
>>>> rsyslog wrote:
>>>>
>>>>> Date: Thu, 26 May 2022 13:04:00 -0400
>>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
>>>>> To: Rainer Gerhards <rgerhards@hq.adiscon.com>
>>>>> Cc: Derek Atkins <derek@ihtfp.com>, rsyslog-users
>>>>> <rsyslog@lists.adiscon.com>
>>>>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>>>>
>>>>> Hi Rainer.
>>>>>
>>>>> Thank you for the reply (even though it's not the answer I was
>>>>> hoping to hear).
>>>>>
>>>>> So I guess the next question is how (or where) to add an
>>>>> identifier for an intermediary.
>>>>>
>>>>> Let's say I have a network that looks like this:
>>>>>
>>>>> [ Client1 ] --\
>>>>> [ Client2 ] ---+- [ Forwarder1 ] -\
>>>>> [ Client3 ] --/                    \
>>>>>                                    +-- [ Aggregator ]
>>>>> [ Client4 ] --\                    /
>>>>> [ Client5 ] ---+- [ Forwarder2 ] -/
>>>>> [ Client6 ] --/
>>>>>
>>>>>
>>>>> When I see messages at the Aggregator I want to know not only what
>>>>> Client it came from, but also what Forwarder it came through.
>>>>>
>>>>> Right now on the forwarders I change the message to include the
>>>>> client IP and Client hostname (using set $!msg), and then send it
>>>>> using an omfwd template (note that I have an intermediary variable
>>>>> for fromhost-ip here):
>>>>>
>>>>> type="string" string="%timegenerated% from:%$fromhost-ip% %syslogseverity-text%%$!msg%\n"
>>>>>
>>>>> At the aggregator I also need to know whether a message came from
>>>>> Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
>>>>> hostname to the message that goes up to the aggregator. Right now it
>>>>> uses this template for omfile:
>>>>>
>>>>> type="string" string="%timegenerated% %msg%\n"
>>>>>
>>>>> Will $hostname and $fromhost-ip on the aggregator be the hostname
>>>>> and ip of the forwarder?  Or the client?
>>>>>
>>>>> What would be the best way to include this extra information in my
>>>>> log entries?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -derek
>>>>>
>>>>> On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
>>>>>> unfortunately, this property is not yet available :-(
>>>>>>
>>>>>> Rainer
>>>>>>
>>>>>> On Thu, 26 May 2022 at 13:53, Derek Atkins (<derek@ihtfp.com>)
>>>>>> wrote:
>>>>>>>
>>>>>>> Thanks Rainer,
>>>>>>>
>>>>>>> This is working smashingly!
>>>>>>>
>>>>>>> The next issue I'm trying to solve is how do I add the client
>>>>>>> certificate information into the log message?  I'd like to add
>>>>>>> e.g. the client certificate subject (or subjectAltName) into my log
>>>>>>> template (similar to how you can add the client hostname or
>>>>>>> fromhost-ip).
>>>>>>>
>>>>>>> Again, I am having issues searching, as any combination of
>>>>>>> "rsyslog" and "certificate" seems to bring up documentation on
>>>>>>> "how to configure TLS" which, obviously, I already know how to do...
>>>>>>>
>>>>>>> Any help or guidance would be appreciated.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> -derek
>>>>>>>
>>>>>>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>>>>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>>>>>>> >
>>>>>>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>>>>>>> >
>>>>>>> > HTH
>>>>>>> > Rainer
>>>>>>> >
>>>>>>> > Sent from phone, thus brief.
>>>>>>> >
>>>>>>> > Derek Atkins <derek@ihtfp.com> wrote on Tue., 17 May 2022, 22:01:
>>>>>>> >
>>>>>>> >> Hi,
>>>>>>> >>
>>>>>>> >> Are there docs on how to set this up on a per-input and/or
>>>>>>> >> per-omfwd basis?
>>>>>>> >>
>>>>>>> >> All the docs I can find suggest setting the global
>>>>>>> >> DefaultNetstreamDriver* variables, which in my case are not what
>>>>>>> >> I want because I need to be able to use different keys/certs/CAs
>>>>>>> >> for the input/imtcp vs the omfwd operations.
>>>>>>> >>
>>>>>>> >> I am running 8.2204.1.
>>>>>>> >>
>>>>>>> >> Thanks,
>>>>>>> >>
>>>>>>> >> -derek
>>>>>>> >>
>>>>>>> >> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>>>>>>> >> > Yes, it's possible. Worked on that for quite some time last
>>>>>>> >> > year ;-)
>>>>>>> >> >
>>>>>>> >> > Rainer
>>>>>>> >> >
>>>>>>> >> > On Mon, 25 Apr 2022 at 7:41, Mariusz Kruk via rsyslog
>>>>>>> >> > (<rsyslog@lists.adiscon.com>) wrote:
>>>>>>> >> >>
>>>>>>> >> >> There were some improvements to TLS handling introduced over
>>>>>>> >> >> several versions so you'd have to review the changelog and docs.
>>>>>>> >> >>
>>>>>>> >> >> But from what I see, the omfwd module supports setting
>>>>>>> >> >> separate TLS key/cert/cacert per action since 8.2108.
>>>>>>> >> >>
>>>>>>> >> >> The imtcp module also supports setting those on a per-input
>>>>>>> >> >> level since 8.2108.
>>>>>>> >> >>
>>>>>>> >> >> So it should work.
>>>>>>> >> >>
>>>>>>> >> >> It is always a good idea to do a tcpdump and see how the
>>>>>>> >> >> handshake progresses and when and where it fails.
>>>>>>> >> >>
>>>>>>> >> >> MK
>>>>>>> >> >>
>>>>>>> >> >> On 24.04.2022 00:35, Shane via rsyslog wrote:
>>>>>>> >> >> > Hi I am trying to get rsyslog to receive store/forward
>>>>>>> >> >> > messages w/ tls on both sides.
>>>>>>> >> >> >
>>>>>>> >> >> > client --->tls---> rsyslog --->tls---> remote.something
>>>>>>> >> >> >
>>>>>>> >> >> > I got it set up so i could send to the rsyslog server
>>>>>>> >> >> > but then i couldn't add another ca/cert files.  My config
>>>>>>> >> >> > was using global and defaultnetstream
>>>>>>> >> >> >
>>>>>>> >> >> > I found on rsyslog.com that prior to 8.2202 it couldn't use
>>>>>>> >> >> > tls on two different source/dest.  I found the cent 7 repo
>>>>>>> >> >> > and got rsyslog-8.2204 installed.  Now nothing works. I think
>>>>>>> >> >> > i got the config correct but the client keeps getting rejected.
>>>>>>> >> >> >
>>>>>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry returned
>>>>>>> >> >> > error: The TLS connection was non-properly terminated. [v8.2204.0 try
>>>>>>> >> >> > https://www.rsyslog.com/e/2083 ]
>>>>>>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session 0x7f6a04013360 from
>>>>>>> >> >> > 192.168.5.22 will be closed due to error [v8.2204.0 try
>>>>>>> >> >> > https://www.rsyslog.com/e/2089 ]
>>>>>>> >> >> >
>>>>>>> >> >> > So then i tried going to the ossl module.  Now its even
>>>>>>> >> >> > worse.  My config is a mess now too.
>>>>>>> >> >> >
>>>>>>> >> >> > Does tls on both sides work?
>>>>>>> >> >> > Do I need the 8.2202+ version?
>>>>>>> >> >> > Do you have an example config?
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> --
>>>>>>> >>        Derek Atkins 617-623-3745
>>>>>>> >>        derek@ihtfp.com www.ihtfp.com
>>>>>>> >>        Computer and Internet Security Consultant
>>>>>>> >>
>>>>>>> >>
>>>>>>> >
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>        Derek Atkins                 617-623-3745
>>>>>>>        derek@ihtfp.com             www.ihtfp.com
>>>>>>>        Computer and Internet Security Consultant
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>       Derek Atkins                 617-623-3745
>>>>>       derek@ihtfp.com             www.ihtfp.com
>>>>>       Computer and Internet Security Consultant
>>>>>
>>>
>>>
>>> --
>>>       Derek Atkins                 617-623-3745
>>>       derek@ihtfp.com             www.ihtfp.com
>>>       Computer and Internet Security Consultant
>>>
>> --
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
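Putting the pieces of this thread together, here is an added example configuration for the three-level setup in Derek's diagram (clients -> forwarder -> aggregator). It is written for this page and is not taken from any poster or from the rsyslog project. It combines the per-input TLS parameters of imtcp and the per-action TLS parameters of omfwd that Mariusz refers to (8.2108+), so the client-facing side and the upstream side use different CAs, certificates and keys without touching the global DefaultNetstreamDriver* settings, and it uses David's pattern of keeping the original text in $!msg and carrying relay metadata in a $!trusted tree. Two facts it relies on, and which answer the $hostname/$fromhost-ip question: $fromhost-ip is the IP of the peer rsyslog actually received the message from, so on the aggregator it is the forwarder's address, while $hostname is the HOSTNAME field of the message header and therefore still names the client; $!fromhost-ip, by contrast, is only a user JSON variable that exists if some config did set $!fromhost-ip = .... For the relay's own name the example uses $myhostname. Hostnames, certificate names, file paths and ports are placeholders.

```rsyslog
######## forwarder (Forwarder1 / Forwarder2): /etc/rsyslog.d/10-relay.conf ########
# Added example, not from the thread. Paths, names and ports are placeholders.
module(load="imtcp")

# Client-facing listener with its own CA, server cert and key
# (per-input parameters, independent of DefaultNetstreamDriver*).
# Mode 1 = TLS only; x509/name checks the client certificate name.
input(type="imtcp" port="6514" ruleset="relay_up"
      StreamDriver.Name="gtls"
      StreamDriver.Mode="1"
      StreamDriver.AuthMode="x509/name"
      StreamDriver.PermittedPeers="*.clients.example.internal"
      tls.cacert="/etc/rsyslog.d/tls/client-ca.pem"
      tls.mycert="/etc/rsyslog.d/tls/forwarder-server.pem"
      tls.myprivkey="/etc/rsyslog.d/tls/forwarder-server.key")

# RFC 5424 header, JSON body behind the mmjsonparse "@cee:" cookie.
template(name="relay_json" type="string"
         string="<%pri%>1 %timereported:::date-rfc3339% %hostname% %app-name% %procid% %msgid% - @cee:%$!all-json%\n")

ruleset(name="relay_up") {
    # The client's text stays a string inside $!msg, so nothing a client
    # sends can become a $!trusted field.
    set $!msg = $msg;
    # Relay metadata written by this host. $myhostname is the relay's own
    # name; $hostname would be the client's name from the message header.
    set $!trusted!relay!host = $myhostname;
    # The TCP peer seen here is the client.
    set $!trusted!relay!peer = $fromhost-ip;
    set $!trusted!relay!time = $timegenerated;

    # Upstream over TLS with a different CA/cert/key, set on this action
    # only; the disk-assisted queue keeps the store-and-forward behaviour.
    action(type="omfwd" target="aggregator.example.internal" port="6514" protocol="tcp"
           template="relay_json"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="aggregator.example.internal"
           tls.cacert="/etc/rsyslog.d/tls/upstream-ca.pem"
           tls.mycert="/etc/rsyslog.d/tls/forwarder-client.pem"
           tls.myprivkey="/etc/rsyslog.d/tls/forwarder-client.key"
           queue.type="LinkedList" queue.filename="fwd_aggregator"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
}

######## aggregator: /etc/rsyslog.d/10-aggregate.conf ########
module(load="imtcp")
module(load="mmjsonparse")

# Only the forwarders' certificate names are accepted, so a client cannot
# bypass its forwarder and present relay metadata of its own.
input(type="imtcp" port="6514" ruleset="from_forwarders"
      StreamDriver.Name="gtls"
      StreamDriver.Mode="1"
      StreamDriver.AuthMode="x509/name"
      StreamDriver.PermittedPeers="*.forwarders.example.internal"
      tls.cacert="/etc/rsyslog.d/tls/upstream-ca.pem"
      tls.mycert="/etc/rsyslog.d/tls/aggregator-server.pem"
      tls.myprivkey="/etc/rsyslog.d/tls/aggregator-server.key")

# relay     = forwarder name carried in the JSON
# relay_ip  = $fromhost-ip, which on this hop is the forwarder's address
# client    = HOSTNAME from the header (still the client), client_ip from the JSON
template(name="agg_line" type="string"
         string="%timegenerated% relay=%$!trusted!relay!host% relay_ip=%fromhost-ip% client=%hostname% client_ip=%$!trusted!relay!peer% %$!msg%\n")

ruleset(name="from_forwarders") {
    # Parses "@cee:{...}" from $msg into the $! tree; sets $parsesuccess.
    action(type="mmjsonparse")
    if $parsesuccess == "OK" then {
        action(type="omfile" file="/var/log/relayed.log" template="agg_line")
    } else {
        # Not our JSON envelope: keep it, but apart, for inspection.
        action(type="omfile" file="/var/log/relayed-unparsed.log")
    }
}
```

Because the client payload travels as a string inside $!msg and is only unpacked by mmjsonparse on the aggregator, the $!trusted values in the file are always the ones the forwarder wrote, and the aggregator's $fromhost-ip independently confirms which forwarder delivered the line. Mariusz's advice still applies when a handshake fails: a tcpdump of the listener port shows whether the failure is at the TLS handshake (wrong CA or a peer name that does not match PermittedPeers) or after it.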