RSyslog with stunnel
From Proxmox VE
This page shows a secure, guaranteed-delivery client logging setup using RSyslog with RELP (Reliable Event Logging Protocol) tunnelled through stunnel.
Background
References from the RSyslog site and the stunnel site have been combined into this quick setup for getting the two to work together. Follow it exactly: in particular, use "127.0.0.1" consistently and do not substitute "localhost", which may resolve to ::1 rather than 127.0.0.1 and leave stunnel and rsyslog waiting on different addresses.
Here are the main portions we will be working with:
- RSyslog using the RELP protocol guarantees delivery of system log messages (REF3).
- RSyslog using RELP does not at this time support encryption (REF4); we add it with stunnel. stunnel has many more authentication options than are used here, so read the stunnel FAQ (REF5) for more information. As it stands this configuration lets any number of clients connect to the server, and the client accepts whatever certificate the server presents (no verify option is set), which is not acceptable in an uncontrolled environment. Restricting clients and pinning the server certificate (stunnel's verify and CAfile options) are left as an exercise for the reader; the stunnel FAQ (REF5) explains how.
- Using RSyslog templates we separate the log files per client and per day for every host that reports to the server (REF6).
The chain of communication looks like this:
client_rsyslog_send(127.0.0.1:60514)
  <-client->  client_accept_from(127.0.0.1:60514) | client_connect_to(<server_address>:60000)
  <-network-> server_accept_from(:60000) | server_connect_to(127.0.0.1:60001)
  <-server->  server_rsyslog_listen(127.0.0.1:60001)
Stunnel4 - Client Setup
Install Stunnel4
%aptitude install stunnel4
Edit the /etc/default/stunnel4 to start the service on system startup
ENABLED=1
Edit the /etc/stunnel/stunnel.conf, Make the following changes:
- Comment out the line cert = xxxxx (the client presents no certificate in this setup)
- Remove comment for client = yes
- Comment out the [pop3s], [ssmtp], and [imaps] sections.
- Add the following section, substitute your server address:
# Will accept connections to ports on local
# host and forward them to server
[rsyslog]
accept = 127.0.0.1:60514
# Server the stunnel client will connect to
connect = <server-address>:60000
Restart the Stunnel service:
%/etc/init.d/stunnel4 restart
Check the configuration was successful:
%netstat -aln
This should list 127.0.0.1:60514
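The client configuration above hands every message to a tunnel that never checks who is on the other end. The following script is added here as an example; it is not from the wiki page or from the stunnel project. It pulls options out of a stunnel.conf and reports whether a client service verifies the server's certificate. The two files it audits are constructed: a copy of the page's client setup (with an assumed server name, logserver.example.org) and a hardened variant that adds stunnel's verify and CAfile options (the CA path /etc/stunnel/logserver-ca.pem is an assumption).

```sh
#!/bin/sh
# Added example (not from the Proxmox wiki or stunnel): audit a stunnel client
# configuration for server certificate verification.  Without "verify" a
# stunnel client accepts any certificate, so the "encrypted" log channel can
# be terminated by anyone able to answer on <server-address>:60000.

# stunnel_get FILE SECTION KEY: print KEY's value from [SECTION] of FILE.
# SECTION "" means the global options before the first [section].
# Comment lines are skipped; "key = value" and "key=value" both work.
stunnel_get() {
    awk -v sec="$2" -v key="$3" '
        BEGIN { in_sec = (sec == "") }
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ {
            s = $0; gsub(/[[:space:]]/, "", s); sub(/#.*/, "", s)
            s = substr(s, 2, length(s) - 2)      # strip the [ ]
            in_sec = (s == sec); next
        }
        in_sec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# stunnel_opt FILE SECTION KEY: like stunnel_get, but fall back to the
# global value when the service section does not set the option
# (the page puts "client = yes" in the global section).
stunnel_opt() {
    v=$(stunnel_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(stunnel_get "$1" "" "$3")
    printf '%s\n' "$v"
}

# stunnel_client_verifies FILE SECTION: succeed (0) only when the service
# runs as a client, verifies the peer certificate (verify >= 2) and names
# the CA file the certificate is checked against.
stunnel_client_verifies() {
    [ "$(stunnel_opt "$1" "$2" client)" = "yes" ] || return 1
    verify=$(stunnel_opt "$1" "$2" verify)
    [ "${verify:-0}" -ge 2 ] || return 1
    [ -n "$(stunnel_opt "$1" "$2" CAfile)" ]
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
WEAK_CONF=$tmp/client-weak.conf
HARDENED_CONF=$tmp/client-hardened.conf

# Constructed copy of the client configuration the page installs.
cat > "$WEAK_CONF" <<'EOF'
client = yes
# Will accept connections to ports on local host and forward them to server
[rsyslog]
accept = 127.0.0.1:60514
connect = logserver.example.org:60000
EOF

# Same service, but the client now checks the server's certificate against
# a CA file (or the server's own self-signed certificate) that you copied
# to the client yourself.  Path is an assumption.
cat > "$HARDENED_CONF" <<'EOF'
client = yes
[rsyslog]
accept = 127.0.0.1:60514
connect = logserver.example.org:60000
verify = 2
CAfile = /etc/stunnel/logserver-ca.pem
EOF

for conf in "$WEAK_CONF" "$HARDENED_CONF"; do
    if stunnel_client_verifies "$conf" rsyslog; then
        echo "$conf: server certificate is verified"
    else
        echo "$conf: NO server verification, tunnel can be intercepted"
    fi
done
```

Run it against /etc/stunnel/stunnel.conf on a real client by calling stunnel_client_verifies with that path and the service name; the page's configuration as written fails the check, the hardened variant passes.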
Stunnel - Server Setup
Install Stunnel
%aptitude install stunnel4
Edit the /etc/default/stunnel4 to start the service on system startup
ENABLED=1
Edit the /etc/stunnel/stunnel.conf, Make the following changes:
- Comment out the [pop3s], [ssmtp], and [imaps] sections.
- Change cert=/etc/stunnel/mail.pem to cert=/etc/stunnel/stunnel.pem
- Add the following
# Will accept external connections and forward them to the localhost
[ssyslog]
accept = 60000
connect = 127.0.0.1:60001
See the stunnel FAQ (mentioned above) for a more detailed explanation of this file. For this example a self-signed certificate suffices. Execute the following to create /etc/stunnel/stunnel.pem, which must contain both the private key and the certificate because the configuration sets cert = without a separate key = option:
openssl req -new -x509 -days 365 -nodes -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
Giving the same path to -out and -keyout makes openssl append the certificate after the key. With two different paths (as this command is often written) the key ends up alone in /etc/stunnel/stunnel.pem and the certificate in the current directory, and stunnel cannot start the service. The file contains the private key, so make it readable by root only.
Restart the Stunnel service:
%/etc/init.d/stunnel4 restart
Check the configuration was successful:
%netstat -aln
This should list 0.0.0.0:60000 (stunnel); 0.0.0.0:60001 appears once rsyslog's RELP listener is configured in the server section below. Note that the RELP listener binds all interfaces, so the unencrypted port 60001 is reachable from the network unless a firewall blocks it; only port 60000 should be reachable by clients.
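A practitioner will want to confirm that stunnel.pem really holds both halves before restarting stunnel. The script below is an added example, not part of the wiki page or the stunnel project: it creates the combined file the way the page intends (same path for -out and -keyout, key readable only by root) and checks the result. The certificate name logserver.example.org is an assumption, and the two PEM stand-ins at the end are constructed so the checks run even where openssl is not installed.

```sh
#!/bin/sh
# Added example (not from the Proxmox wiki or stunnel): build the single PEM
# file stunnel expects (key and certificate in one file, because the page
# sets "cert =" with no "key =") and verify it before restarting stunnel.

# make_stunnel_pem OUT [CN] [DAYS]: self-signed certificate plus key in ONE
# file.  Passing the same path to -keyout and -out makes openssl append the
# certificate to the key file; two different paths leave the key on its own.
make_stunnel_pem() {
    out=$1; cn=${2:-logserver.example.org}; days=${3:-365}
    ( umask 077 && openssl req -new -x509 -days "$days" -nodes \
          -subj "/CN=$cn" -keyout "$out" -out "$out" >/dev/null 2>&1 ) &&
    chmod 600 "$out"                   # private key: root only
}

# pem_is_complete FILE: succeed only when FILE holds a private key AND a
# certificate, which is what stunnel needs from a bare "cert =" setting.
pem_is_complete() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# pem_mode FILE: octal permission bits (GNU stat first, BSD stat fallback).
pem_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT

# Constructed stand-ins (not real keys): what a mismatched -out/-keyout
# leaves in /etc/stunnel (key only) and what a correct file looks like.
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...' \
              '-----END PRIVATE KEY-----' > "$tmp/key-only.pem"
{ cat "$tmp/key-only.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIC...' \
                '-----END CERTIFICATE-----'; } > "$tmp/both.pem"

if command -v openssl >/dev/null 2>&1; then
    make_stunnel_pem "$tmp/stunnel.pem" logserver.example.org 365 &&
    pem_is_complete "$tmp/stunnel.pem" &&
    echo "stunnel.pem: key and certificate present, mode $(pem_mode "$tmp/stunnel.pem")"
fi
pem_is_complete "$tmp/key-only.pem" ||
    echo "key-only.pem: certificate missing, stunnel cannot use it"
pem_is_complete "$tmp/both.pem" && echo "both.pem: complete"
```

On the server, point make_stunnel_pem at /etc/stunnel/stunnel.pem and run pem_is_complete on it before the restart; a key-only file is the usual reason the [ssyslog] service fails to come up.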
RSyslog - Client Configuration
To get RELP support we need to add the lenny backports repository. In /etc/apt/sources.list add the following:
deb http://www.backports.org/debian lenny-backports main
Update apt:
%aptitude update
Install rsyslog-relp
%aptitude install rsyslog-relp
In /etc/rsyslog.conf add the following lines in the MODULES section:
# Load the relp module
$ModLoad omrelp
In /etc/rsyslog.conf add the following lines in the RULES section:
# Dump all messages to the remote logging server through the local port
*.* :omrelp:127.0.0.1:60514
Restart the RSyslog service
%/etc/init.d/rsyslog restart
RSyslog - Server Configuration
To get RELP support we need to add the lenny backports repository. In /etc/apt/sources.list add the following:
deb http://www.backports.org/debian lenny-backports main
Update apt:
%aptitude update
Install rsyslog-relp
%aptitude install rsyslog-relp
In /etc/rsyslog.conf add the following lines in the MODULES section:
# Set up the RELP server config
$ModLoad imrelp.so
$InputRELPServerRun 60001
In /etc/rsyslog.conf add the following lines in the RULES section:
# Receive logs from the clients and put each client's messages
# in its own file, one file per day.
$template HostAudit, "/var/log/rsyslog/%HOSTNAME%_%$MONTH%_%$DAY%_%$YEAR%-audit_log"
*.* ?HostAudit
Note that %HOSTNAME% is taken from the message the client sent, so anything that can reach the tunnel controls part of the file name. rsyslog's secpath-replace property option replaces slashes in a property value and should be applied to %HOSTNAME% before it is used in a path, so a crafted hostname cannot steer the file outside /var/log/rsyslog/.
Restart the RSyslog service
%/etc/init.d/rsyslog restart
To test the setup, send a log message on the client:
%logger testing the stunnel-rsyslogrelp setup
On the server, /var/log/rsyslog/ should now contain a file named after the client's hostname and the current date. Tail it with tail -f <file_name> and watch the log messages arrive.
