[rsyslog] Combining two working rsyslog.conf files
Rory Toma via rsyslog
2018-10-25 21:21:56 UTC
I have two separate files that work just fine. I have not been able to
successfully combine them. No matter what I try, I keep getting TLS
errors, because one or the other is using the wrong certs. Can anyone help here?

file1:
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /opt/rsyslog/certs/ca.pem
$DefaultNetstreamDriverCertFile /opt/rsyslog/certs/cert.pem
$DefaultNetstreamDriverKeyFile /opt/rsyslog/certs/key.pem

$MaxOpenFiles 100000

module(load="imtcp" MaxSessions="65534" StreamDriver.Mode="1"
StreamDriver.AuthMode="anon") # load TCP listener

$WorkDirectory /export/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName srvrfwd
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

ruleset(name="remote"){
*.* @@10.66.13.148:8514
}

$InputTCPServerBindRuleset remote
$InputTCPServerRun 110


file2:
$DefaultNetstreamDriver gtls
$DefaultNetStreamDriverCAFile /opt/rsyslog/certs/relp/ca.pem
$DefaultNetStreamDriverCertFile /opt/rsyslog/certs/relp/cert.pem
$DefaultNetStreamDriverKeyFile /opt/rsyslog/certs/relp/key.pem

$WorkDirectory /export/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName srvrfws
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on

module(load="imrelp" ruleset="relp")

input(type="imrelp" port="114" tls="on" tls.compression="on"
tls.authmode="fingerprint" )

ruleset(name="relp") {
*.* @@10.66.13.148:8514
}
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Peter Viskup via rsyslog
2018-10-26 08:15:29 UTC
Show the final config you are trying to run.

It could be related to $DefaultNetstreamDriver* options which should
be mentioned only once.
https://www.rsyslog.com/doc/v8-stable/rainerscript/global.html?highlight=defaultnetstreamdriver

In case it is needed, you can copy the systemd rsyslog.service file and
create a new one for a second instance (each running different certs).
http://rsyslog-users.1305293.n2.nabble.com/Mix-of-GTLS-and-PTCP-listeners-running-same-instance-td7591434.html#a7591445

Peter
Florian Riedl
2018-10-26 13:40:34 UTC
For imtcp you must set the certificates through the $DefaultNetstreamDriver
options as you have set them in file 1.

In imrelp you can then set the different certificates in the module
parameters. See:
https://www.rsyslog.com/doc/v8-stable/configuration/modules/imrelp.html?highlight=TLS

If I remember correctly, this stems from the requirement to have different
sets of certificates for both modules, which was not required before imrelp
got TLS support. But, the way it is set in imrelp did not find its way into
imtcp, because this is a) quite some effort to rewrite the code, b) there
is no hard requirement to do that because it works, c) nobody said "I want
it this way and I am willing to sponsor the changes" and d) nobody said
"here I made the changes so it works like this and that, please review and
add my pull request".

I hope this helps.

Florian

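As an added illustration of the layout Florian describes (this is not a config from the thread or from the rsyslog project), here is one rsyslog.conf that carries both listeners: the global $DefaultNetstreamDriver* block appears exactly once and feeds the imtcp/gtls listener, while the imrelp input names its own certificate set through the input-level tls.cacert, tls.mycert and tls.myprivkey parameters from the imrelp documentation page linked above. Paths, ports, queue file names and the 10.66.13.148:8514 target are taken from the two posted files; the legacy $InputTCPServerRun/$InputTCPServerBindRuleset pair is replaced by an input() statement, the legacy $ActionQueue* directives by action() parameters, and the peer fingerprint is a placeholder that must be replaced with the real sender fingerprint before the fingerprint auth mode admits anything.

```rsyslog
# Added example: one rsyslog.conf carrying both listeners. Not from the
# thread; it rearranges the two posted files along the lines Florian
# describes. Paths, ports and the 10.66.13.148:8514 target are the ones
# from the original files; the SHA1 fingerprint is a placeholder.

# --- Globals: stated exactly once. imtcp with the gtls driver reads its
#     certificates from here, so this set is what the listener on 110
#     presents to its peers.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /opt/rsyslog/certs/ca.pem
$DefaultNetstreamDriverCertFile /opt/rsyslog/certs/cert.pem
$DefaultNetstreamDriverKeyFile  /opt/rsyslog/certs/key.pem
$WorkDirectory /export/rsyslog
$MaxOpenFiles 100000

# --- Listener 1: imtcp over TLS (StreamDriver.Mode="1"), anonymous peers,
#     bound to ruleset "remote" via input() instead of $InputTCPServerRun.
module(load="imtcp" MaxSessions="65534"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="anon")
input(type="imtcp" port="110" ruleset="remote")

# --- Listener 2: imrelp with its own certificate set, given on the input
#     rather than through the globals above. tls.authmode="fingerprint"
#     only admits peers whose certificate fingerprint is listed in
#     tls.permittedPeer, so the placeholder below must be replaced.
module(load="imrelp")
input(type="imrelp" port="114" ruleset="relp"
      tls="on"
      tls.compression="on"
      tls.cacert="/opt/rsyslog/certs/relp/ca.pem"
      tls.mycert="/opt/rsyslog/certs/relp/cert.pem"
      tls.myprivkey="/opt/rsyslog/certs/relp/key.pem"
      tls.authmode="fingerprint"
      tls.permittedPeer=["SHA1:PLACEHOLDER-SENDER-FINGERPRINT"])

# --- Forwarding: the legacy $ActionQueue* directives apply to the next
#     action only, so in a merged file each action has to carry its own
#     queue settings. Spelled out as action() parameters here, keeping the
#     two distinct queue file names (srvrfwd / srvrfws) from the originals.
ruleset(name="remote") {
    action(type="omfwd" target="10.66.13.148" port="8514" protocol="tcp"
           queue.type="LinkedList" queue.filename="srvrfwd"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
}

ruleset(name="relp") {
    action(type="omfwd" target="10.66.13.148" port="8514" protocol="tcp"
           queue.type="LinkedList" queue.filename="srvrfws"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")
}
```

Before restarting the daemon, run a syntax-only check with `rsyslogd -N1 -f /path/to/rsyslog.conf`; it reports parse errors and unknown parameters without starting any listener. Whether the input-level tls.* parameters actually take precedence over the globals for imrelp depends on the rsyslog version in use, so after restarting, connect to each port from a test sender and confirm which certificate each listener presents rather than assuming the split worked.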
Rory Toma via rsyslog
2018-10-26 20:16:38 UTC
I had tried adding the specific tls.* options for the certs to the relp
config, but it seemed like it insisted on using the ca.pem set up for
the default netstream driver. I did just implement two rsyslog
processes, which is good for now, so this question is a little bit
academic - kind of a "You should be able to do this and it bothers me
that I couldn't get it working" 8-)