【实战】配置Rsyslog使用TCP&TLS协议加密传输日志

1 配置Rsyslog使用TCP/TLS协议加密传输日志

2 测试环境信息

操作系统:CentOS Linux release 7.9.2009 (Core)

Rsyslog Server: 10.10.0.102

Rsyslog Client: 10.10.0.100

CentOS Linux release 7.9.2009 (Core)默认安装rsyslog版本为8.24.0-55.el7

安装rsyslog-gnutls组件会升级rsyslog的版本。

3 安装rsyslog-gnutls组件

3.1 配置rsyslog-gnutls组件yum源

会升级rsyslog的版本,请注意!

1
2
3
]$ cd /etc/yum.repos.d/
]$ wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
]$ yum install rsyslog-gnutls

4 创建自签证书

certtool命令非系统自带命令,需要进行安装。

1
]$ yum install -y gnutls-utils

4.1 创建自签CA证书

4.1.1 创建CA私钥

1
2
]$ certtool --generate-privkey --outfile ca-key.pem
Generating a 2048 bit RSA private key...

4.1.2 创建CA证书

1
2
3
4
5
6
]$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem

]$ ll
total 12
-rw-------. 1 root root 5816 Mar  2 03:13 ca-key.pem
-rw-r--r--. 1 root root 1285 Mar  2 03:19 ca.pem

4.2 创建客户端证书

rsyslog server服务器上进行创建,创建完成后,复制到rsyslog client服务器

4.2.1 创建单独客户端私钥

1
2
]$ certtool --generate-privkey --outfile key.pem
Generating a 2048 bit RSA private key...

4.2.2 生成单独客户端请求证书

不要将其与CA的私钥混淆 - 这个是不同的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
]$ certtool --generate-request --load-privkey key.pem --outfile request.pem
Generating a PKCS #10 certificate request...
Common name: rsyslog-client
Organizational unit name: eccom
Organization name: eccom
Locality name: gd
State or province name: gd
Country name (2 chars): cn
Enter the subject's domain component (DC): 
UID: 
Enter a dnsName of the subject of the certificate: 
Enter a URI of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Enter the e-mail of the subject of the certificate: 
Enter a challenge password: 
Does the certificate belong to an authority? (y/N): 
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (Y/n): 
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n): 
Will the certificate be used to sign code? (y/N): 
Will the certificate be used for time stamping? (y/N): 
Will the certificate be used for IPsec IKE operations? (y/N): 
Will the certificate be used to sign OCSP requests? (y/N): 
Is this a TLS web client certificate? (y/N): 
Is this a TLS web server certificate? (y/N): 
] $ ll
total 12
-rw-------. 1 root root 5816 Mar  2 03:13 ca-key.pem
-rw-r--r--. 1 root root 1285 Mar  2 03:19 ca.pem
-rw-------. 1 root root 5816 Mar  2 03:21 key.pem
-rw-------. 1 root root 2428 Mar  2 03:27 request.pem

4.2.3 对请求证书进行签名(验证、授权)并生成客户端证书

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
]$ certtool --generate-certificate --load-request request.pem --outfile cert.pem  --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
Enter the certificate's serial number in decimal (default: 7205865592876789725): 

Activation/Expiration time.
The certificate will expire in (days): 1800

Extensions.
Do you want to honour the extensions from the request? (y/N): 
Does the certificate belong to an authority? (y/N): 
Path length constraint (decimal, -1 for no constraint): 
Is this a TLS web client certificate? (y/N): 
Will the certificate be used for IPsec IKE operations? (y/N): 
Is this a TLS web server certificate? (y/N): 
Enter a dnsName of the subject of the certificate: 
Enter a URI of the subject of the certificate: 
Enter the IP address of the subject of the certificate: 
Enter the e-mail of the subject of the certificate: 
Will the certificate be used to sign OCSP requests? (y/N): 
Will the certificate be used to sign code? (y/N): 
Will the certificate be used for time stamping? (y/N): 
Will the certificate be used to sign other certificates? (y/N): 
Will the certificate be used to sign CRLs? (y/N): 
X.509 Certificate Information:
Is the above information ok? (y/N): y

Signing certificate...
[root@splunk-sh02 ssl]# ll
total 28
-rw-------. 1 root root 5816 Mar  2 03:13 ca-key.pem
-rw-r--r--. 1 root root 1285 Mar  2 03:19 ca.pem
-rw-r--r--. 1 root root 1342 Mar  2 03:41 cert.pem
-rw-------. 1 root root 5816 Mar  2 03:21 key.pem
-rw-------. 1 root root 2428 Mar  2 03:27 request.pem

4.2.4 证书校验

1
]$ certtool --certificate-info --infile cert.pem

5 证书分发

1
2
3
4
5
6
7
8
9
10
11
12
13
# 删除request.pem证书
] $ rm -rf request.pem
# 将key.pem和cert.pem重命名
] $ mv cert.pem machine-cert.pem
] $ mv key.pem machine-key.pem
] $ ll
total 24
-rw-------. 1 root root 5823 Feb 25 18:06 ca-key.pem
-rw-r--r--. 1 root root 1281 Feb 25 18:08 ca.pem
-rw-r--r--. 1 root root 1322 Feb 25 18:09 machine-cert.pem
-rw-------. 1 root root 5813 Feb 25 18:08 machine-key.pem
# 将ca.pem证书复制到rsyslog client服务器上/etc/rsyslog.d/目录中
]$ scp ca.pem root@10.10.0.100:/etc/rsyslog.d

6 Rsyslog Server配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock 
# provides support for local system logging (e.g. via logger command)
$ModLoad imjournal 
# provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# *.info;mail.none;authpriv.none;cron.none                /var/log/messages
# 上述配置内容可以注释掉,当rsyslog client发送日志到rsyslog Server同时会保存在template和/var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

#####################################################################################################################################
###########################################################华丽的分割线################################################################
#####################################################tcp/tsl加密添加以下内容###########################################################
$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener
# make gtls driver the default
# 默认为GTLS驱动程序
$DefaultNetstreamDriver gtls
# certificate files
# CA 密钥
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
# 客户端证书
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/machine-cert.pem
# 客户端私钥
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/machine-key.pem
# 驱动程序认证模式
$InputTCPServerStreamDriverAuthMode anon
# 在tls模式下运行驱动程序
$InputTCPServerStreamDriverMode 1
# 在1514端口启动监听器,接收发送到tcp/1514端口上的数据
$InputTCPServerRun 1514
## 数据保存策略			
$template Remote,"/var/log/syslog/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
& ~
# 注意此规则需要在其它规则之前,否则配置没有意义,远程主机的日志也会记录到Server的日志文件中
# 忽略之前所有的日志,远程主机日志记录完之后不再继续往下记录
# ### end of the forwarding rule ###

6.1 坑

将rsyslog tcp 数据接收端口设置为1514时候,重启rsyslog报tcp socket: Permission denied权限问题,需要关闭selinux。

1
2
Feb 25 17:50:32 linux-syslogserver rsyslogd[2042]: Error while binding tcp socket: Permission denied [v8.2302.0]
Feb 25 17:50:32 linux-syslogserver rsyslogd[2042]: Error while binding tcp socket: Permission denied [v8.2302.0]

临时关闭:setenforce 0

永久关闭,需要重启:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
] $ vi /etc/selinux/config
] $ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
# SELINUX=enforcing
# 设置为disabled
SELINUX=disabled

# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

disable-selinux

7 Rsyslog Client配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog
# Log cron stuff
cron.*                                                  /var/log/cron
# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

#####################################################################################################################################
#######################################################华丽的分割线####################################################################
####################################################tcp/tsl加密添加以下内容############################################################
# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem

$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
*.* @@10.10.0.102:1514
# ### end of the forwarding rule ###

8 验证日志接收

验证脚本,循环一万次产生syslog日志,转发到syslog-server。

1
2
3
4
5
6
7
8
9
10
[rsyslog@other-server pem]$ cat logger.sh 
#!/bin/bash  
number=0

while [[ $number -le 10000 ]]; do  
echo $number
sleep 0.05
`logger "$number rsyslog tcp ssl test"`
((a++))
done

端口链接状态

check-port

使用tcpdump抓包查看:tcpdump -i ens33 -vv tcp port 10514

syslog 数据发送情况确认

9 使用Splunk生成的证书

9.1 使用splunk生成证书

会在当前目录下生成myKey.key和myCert.pem文件
/opt/splunk/bin/splunk cmd openssl req -x509
-newkey rsa:4096
-keyout myKey.key
-out myCert.pem
-sha256
-days 365
-batch
-nodes
-subj “/C=CN/ST=guangdong/L=shenzhen/O=Eccom/OU=IT/CN=linux-syslogserver.eccom.com.cn”

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[root@splunk-master ~]# /opt/splunk/bin/splunk cmd openssl req -x509 \
-newkey rsa:4096 \
-keyout myKey.key \
-out myCert.pem \
-sha256 \
-days 365 \
-batch \
-nodes \
-subj "/C=CN/ST=guangdong/L=shenzhen/O=Eccom/OU=IT/CN=linux-syslogserver.eccom.com.cn"
Generating a RSA private key
......................................................................................................................................................................++++
writing new private key to 'myKey.key'
-----
[root@linux-syslogserver tls]# ll
total 8
-rw-------. 1 root root 2220 Apr 17 08:17 myCert.pem
-rw-------. 1 root root 3272 Apr 17 08:17 myKey.key
参数 示例 含义
C CN 国家(Country Name)
ST guangdong 州或省(State or Province Name)
L shenzhen 地区或市(Locality Name)
O Eccom 组织(Organization Name)
OU IT 部门(Organization Unit Name)
CN linux-syslogserver 证书使用者的通用名称(Common Name)

9.2 rsyslog service配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# TCP/SSL Test
$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener

# make gtls driver the default
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /opt/tls/myCert.pem
$DefaultNetstreamDriverCertFile /opt/tls/myCert.pem
$DefaultNetstreamDriverKeyFile /opt/tls/myKey.key

$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 1514 # start up listener at port 1514

$template Remote,"/var/log/syslog/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log"
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
& ~

9.3 rsyslog client配置

1
2
3
4
5
6
7
8
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/myCert.pem

$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
*.* @@10.10.0.102:1514

参考链接:
CentOS7下使用TCP over TLS方式安全传输远程主机系统日志 - 腾讯云开发者社区-腾讯云 (tencent.com)

Generating the machine certificate — rsyslog 8.18.0.master documentation

Encrypting Syslog Traffic with TLS (SSL) short version — rsyslog 8.18.0.master documentation

rsyslog如何收集远程日志但不写入本地messages? - 知乎 (zhihu.com)

[linux怎么关闭selinux-linux运维-PHP中文网](https://www.php.cn/linux-491272.html#:~:text=关闭方法:1、临时关闭,只需执行“setenforce 0”命令即可。 2、永久关闭,需要执行“vi,%2Fetc%2Fselinux%2Fconfig”命令打开config文件,将“SELINUX”项的值改为“disabled”,保存文件并退出即可。 本教程操作环境:linux5.9.8系统、Dell G3电脑。)

How to run rsyslog as a non-root user in CentOS/RHEL 7 – The Geek Diary

RSyslog Documentation - rsyslog

Linux > 日志分析 > rsyslog > syslog > TCP&TLS
#日志分析 #日常笔记 #rsyslog #syslog
【实战】配置Rsyslog使用TCP&TLS协议加密传输日志
https://hesc.info/d95a6d48bb2b/
作者
需要哈气的纸飞机
发布于
2023年3月3日
许可协议