[rsyslog-notify] Forum Thread: Cannot decrypt TLS logs - (Mode 'post')

noreply at adiscon.com
Tue Mar 4 17:58:58 CET 2014


User: steppen
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24299#p24299

Message: 
----------
Hi,

I have set up rsyslog a few days ago and everything works great in plain
TCP.

I have then tried to set up TCP/TLS transmission, with no luck.

My server config is:

[code]
# rsyslog v5 configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
$ModLoad immark   # provides --MARK-- message capability
$ModLoad imgssapi # provides GSSAPI syslog reception

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514


# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/key.pem

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 10514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated


# specify senders you permit to access
#$AllowedSender TCP, 127.0.0.1, 10.111.1.0/24, *.evoltek.test.com

#add: define logfiles
## /var/log/secure
$template Auth_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.secure"
## /var/log/messages
$template Msg_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.messages"
## /var/log/maillog
$template Mail_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.maillog"
## /var/log/cron
$template Cron_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.cron"
## /var/log/spooler
$template Spool_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.spooler"
## /var/log/boot.log
$template Boot_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.boot.log"
## emergency messages "*.emerg"
$template Emerg_log,"/var/log/secure.d/%fromhost%/%$year%-%$month%.emerg"

#### GLOBAL DIRECTIVES ####

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                -?Msg_log

# The authpriv file has restricted access.
authpriv.*                                              -?Auth_log

# Log all the mail messages in one place.
mail.*                                                  -?Mail_log

# Log cron stuff
cron.*                                                  -?Cron_log

# Everybody gets emergency messages
*.emerg                                                 -?Emerg_log

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          -?Spool_log

# Save boot messages also to boot.log
local7.*                                                -?Boot_log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
[/code]

And my client config is:
[code]
# rsyslog v5 configuration file

$ModLoad imuxsock.so
$ModLoad imklog.so
$ModLoad imtcp


$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/key.pem


$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

*.* @@10.111.1.151:10514
[/code]

I am running this test in an OpenVZ environment, with CentOS 6 VEs.

I have been running rsyslog in debug mode and I can't work around this
module error:

2115.948286640:b7279b70: main Q:Reg/w0: worker IDLE, waiting for work.
2116.560037214:b48fcb70: GTLS certificate file: '/etc/pki/tls/private/cert.pem'
2116.560104315:b48fcb70: GTLS key file: '/etc/pki/tls/private/key.pem'
2116.562766861:b48fcb70: creating tcp listen socket on port 10514
2116.563203203:b48fcb70: Allocating buffer for 200 TCP sessions.
2116.563250342:b48fcb70: caller requested [b]object 'nsdpoll_gtls'[/b], not found (iRet -3003)
2116.563266459:b48fcb70: tcpsrv could not use epoll() interface, iRet=-3003, using select()
2116.563284622:b48fcb70: --------<NSDSEL_PTCP> calling select, active fds (max 9): 8 9
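As an added example (not code from the post or from the rsyslog project), a small Python checker for the order of legacy rsyslog v5 TLS directives: per-listener settings such as $InputTCPServerStreamDriverMode and $InputTCPServerStreamDriverAuthMode only take effect for a $InputTCPServerRun that comes after them, so a server config that starts the listener first, as the posted one does, is flagged. The two sample configs are constructed from the post's own directives; the lint also reports gtls global settings missing ahead of the listener.

```python
# Added example (not from the post or rsyslog): check the order of legacy
# rsyslog v5 TLS directives. Per-listener $Input... settings are consumed by
# the next $InputTCPServerRun, so a mode set after that line never applies.

# Per-listener settings that must appear before $InputTCPServerRun.
LISTENER_SETTINGS = {"$InputTCPServerStreamDriverMode",
                     "$InputTCPServerStreamDriverAuthMode"}
# Global netstream settings that gtls needs before a TLS listener starts.
TLS_GLOBALS = {"$DefaultNetstreamDriver", "$DefaultNetstreamDriverCAFile",
               "$DefaultNetstreamDriverCertFile", "$DefaultNetstreamDriverKeyFile"}

def lint_tls_listener(conf_text):
    """Return a list of findings; an empty list means the order is sound."""
    findings, seen_globals, run_at = [], set(), None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line.startswith("$"):
            continue
        directive = line.split(None, 1)[0]
        if directive in TLS_GLOBALS:
            seen_globals.add(directive)
        elif directive == "$InputTCPServerRun" and run_at is None:
            run_at = lineno
            for missing in sorted(TLS_GLOBALS - seen_globals):
                findings.append(f"line {lineno}: {missing} not set before listener")
        elif directive in LISTENER_SETTINGS and run_at is not None:
            findings.append(f"line {lineno}: {directive} comes after "
                            f"$InputTCPServerRun (line {run_at}) and is ignored")
    return findings

# Constructed sample in the same order as the forum post's server config.
POSTED_ORDER = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/key.pem
$ModLoad imtcp
$InputTCPServerRun 10514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon
"""
# The same directives with the listener started after its settings.
FIXED_ORDER = POSTED_ORDER.replace("$InputTCPServerRun 10514\n", "") \
    + "$InputTCPServerRun 10514\n"

if __name__ == "__main__":
    for name, conf in (("posted", POSTED_ORDER), ("fixed", FIXED_ORDER)):
        print(name, lint_tls_listener(conf) or ["order ok"])
```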

