Is it possible to have rsyslog log to multiple servers with different TLS configurations? We're currently logging to a local syslog server using the following:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/rsyslog/local-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/rsyslog/local-key.pem
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
*.* @@10.50.59.241:6514
We're now in the process of setting up logging to a third party and want to use TLS there as well. They state that we should set up rsyslog like this:
$DefaultNetstreamDriverCAFile /path/to/their/ca.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.theirhost.theirdomain
*.* @@theirhost.theirdomain:6514
I figure that I can simply combine the CA's into a single file and set DefaultNetstreamDriverCAFile to that. But if I simply add the remaining second set of options to the bottom of my rsyslog.conf then the permitted peer causes a conflict with the first host. So is there any way to configure rsyslog (we're currently using 7.4.8) to use vastly different TLS setups to two different targets?
Well after a bunch of head-banging I figured this out on my own. First off, there's a bug in some versions of rsyslog that will prevent this from working (you'll never see a connection established to one or more of the target servers) so make sure you're using version 7.6 or later of rsyslog.
Make sure your CA file has any CA's needed for all targets listed in it. Order isn't important. Then your conf file should look something like this:
$DefaultNetstreamDriverCAFile /etc/pki/rsyslog/ca.pem
*.* action(type="omfwd"
protocol="tcp"
Target="10.50.59.241"
Port="6514"
StreamDriverMode="1"
StreamDriver="gtls"
StreamDriverAuthMode="anon"
)
*.* action(type="omfwd"
Protocol="tcp"
Target="some.other.host.com"
Port="6514"
StreamDriverMode="1"
StreamDriver="gtls"
StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="*.some.other.host.com"
)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With