Mailing List Archive

Help w/ ommysql and TLS?
Greetings all,

I'm trying to forward syslogs from one of our servers to a new DB server running MariaDB, and running into some issues I was wondering if someone could help with.

I have rsyslog already installed on our logging server (RHEL7.9), and further have installed rsyslog-mysql on this server as well.

I've copied the rsyslog DB setup script over to our DB server (RHEL9.1), and setup permissions for the rsyslog user to access MariaDB from our logging server.

Back on the logging server, I've configured rsyslog to load the ommysql module and passed the server and MariaDB login info to the module. With this setup and a mostly default MariaDB config, rsyslog appears to work ok. However, we'd like to run our MariaDB securely using TLS. When I activate TLS in MariaDB on our DB server, rsyslog is no longer able to connect, and shows the following error:

rsyslogd[26271]: db error (1045): Access denied for user 'rsyslog'@'log-svr.arcc.uwyo.edu' (using password: YES) [v8.24.0-57.el7_9.3]

(log-svr is our logging server, db-svr is our db server)

I've added the DB server's CA certificate to the logging server under /etc/pki/ca-trust/source/anchors/, and run update-ca-trust. I have tested connecting to MariaDB from our logging server w/ mysql, which works fine, yet rsyslog doesn't appear to be able to connect!

I've tried configuring rsyslog on the logging server w/ the following options:
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/db-svr_arcc_uwyo_edu_interm.cer
$DefaultNetStreamDriver gtls
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer db-svr.arcc.uwyo.edu
action(type="ommysql" server="db-svr.arcc.uwyo.edu" serverport="3306"
db="Syslog" uid="rsyslog" pwd="<password>")

Can anyone help w/ getting rsyslog to connect w/ TLS to our remote DB server?

Thanks,


Levi Wilbert
HPC & Linux Systems Administrator
ARCC - Division of Research and Economic Development
Information Technology Ctr 226
1000 E. University Avenue, Laramie, WY 82071-200



_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Help w/ ommysql and TLS?
I don't think the ommysql module supports TLS (I'm not absolutely sure)

Note that the action() syntax almost always ignores $foo definitions. TLS is the
one exception to that, but not all modules support TLS.

David Lang

On Tue, 16 May 2023, Levi Wilbert via rsyslog wrote:

> Date: Tue, 16 May 2023 12:05:51 -0600
> From: Levi Wilbert via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Levi Wilbert <voidnosale@gmail.com>
> Subject: [rsyslog] Help w/ ommysql and TLS?
Re: Help w/ ommysql and TLS?
Actually, a quick glance over the code of ommysql.c and docs for it
suggests that the connection handling might be influenced by a specified
mysql config file (my.cnf or such).

So you should be able to get away with something like (haven't tested
that, it's just something I came up with reading the docs)

action(type="ommysql" [...] MySQLConfig.File="/etc/my.cnf"
MySQLConfig.Section="rsyslog")

and adding to your my.cnf:

[rsyslog]
ssl-mode=REQUIRE
[...]


On 16.05.2023 21:33, David Lang via rsyslog wrote:
Re: Help w/ ommysql and TLS?
Thanks, this helped me get on the right path.

The logging server I'm updating has an Rsyslog config written in the old
Rsyslog format, which was throwing me through a loop when I was looking
through the docs and only seeing the newer current format. I cleared out
the old config and used the new styling with the options you mentioned.
My /etc/rsyslog.d/70-my-config.conf:

# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/db-server_arcc_uwyo_edu_interm.cer

# make gtls driver the default
$DefaultNetStreamDriver gtls

$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer db-server.arcc.uwyo.edu

# Send syslogs to MariaDB on arcc-db1
action(type="ommysql" server="db-server.arcc.uwyo.edu" serverport="3306"
db="Syslog" uid="rsyslog" pwd="<password>"
MySQLConfig.File="/etc/my.cnf.d/mariadb-client-tls.cnf"
MySQLConfig.Section="client-mariadb")


...then in my /etc/my.cnf.d/mariadb-client-tls.cnf I did this:

[client-mariadb]
ssl
ssl-verify-server-cert
ssl_ca = /etc/pki/tls/certs/db-server_arcc_uwyo_edu_interm.cer

Restarted rsyslog, and it seems to be working!

Thanks,



Levi Wilbert
http://SoundCloud.com/IO_Madness
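
Added example (not part of the thread, and not rsyslog or MariaDB code): a small Python check for the client option-file section that the action's MySQLConfig.File / MySQLConfig.Section parameters point to, reporting whether it requests TLS, verifies the server certificate and names a CA. The function names and the [client-weak] section are made up for illustration; the sample text is constructed from the file shown above.

```python
import configparser

# Constructed sample: the section from the message above, plus a weaker
# variant that turns TLS on but never authenticates the server.
SAMPLE = """\
[client-mariadb]
ssl
ssl-verify-server-cert
ssl_ca = /etc/pki/tls/certs/db-server_arcc_uwyo_edu_interm.cer

[client-weak]
ssl
"""

FALSY = {"0", "off", "false", "no"}


def load_section(text, section):
    """Return one option-file section as a dict of option -> value."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    if not cp.has_section(section):
        raise KeyError(f"section [{section}] not found")
    # Option files accept '-' and '_' interchangeably in option names.
    return {k.replace("_", "-"): v for k, v in cp.items(section)}


def enabled(opts, name):
    """A bare flag ('ssl') counts as on; an explicit 0/off/false does not."""
    if name not in opts:
        return False
    value = opts[name]
    return value is None or value.strip().lower() not in FALSY


def audit_tls(text, section):
    """List what is missing for an encrypted, server-authenticated link."""
    opts = load_section(text, section)
    findings = []
    if not enabled(opts, "ssl"):
        findings.append("ssl not set: TLS is not explicitly requested")
    if not enabled(opts, "ssl-verify-server-cert"):
        findings.append("ssl-verify-server-cert not set: server identity unchecked")
    if not opts.get("ssl-ca") and not opts.get("ssl-capath"):
        findings.append("no ssl_ca/ssl_capath: no trust anchor for the server cert")
    return findings
```

An empty list from audit_tls() means all three settings are present; it does not prove the live connection is encrypted, which still has to be confirmed on the database side.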

On May 17, 2023, at 12:23 AM, Mariusz Kruk via rsyslog <
rsyslog@lists.adiscon.com> wrote:
