Weblog entry #1 for openjaf
RSyslog RELP and Stunnel
Posted by openjaf on Sun 7 Feb 2010 at 03:41
This will show you a secure, guaranteed client logging server setup using RSyslog with RELP (Reliable Event Logging Protocol) and Stunnel.
Background:
I have used references (listed below) from the RSyslog site (REF1) and Stunnel site (REF2) and put them together in this quick and easy setup for getting it all to work together. Make sure you follow this exactly: do not mix "localhost" with "127.0.0.1", or it will not work.
Here are the main portions we will be working with:
-RSyslog using the RELP protocol provides the means of guaranteeing delivery of system log messages (REF3).
-RSyslog using RELP does not at this time support encryption (REF4); we will add this with Stunnel. Stunnel has many more options for authentication than we will be using here. Please explore the Stunnel faq (REF5) for more information. As it stands, this configuration will allow any number of clients to connect to the server, which is not acceptable in uncontrolled environments. It will be left as an exercise to the reader to enforce a limit, so read the Stunnel faq (REF5) for a better understanding of how to do so.
-Using the power of RSyslog templates we will separate all log files out on a client-by-client and day-by-day basis for every host that reports to the server (REF6).
The chain of communication looks like this:
client_rsyslog_send(127.0.0.1:60514)
<-client-> client_accept_from(127.0.0.1:60514)|client_connect_to(<server_address>:60000)
<-network->
server_accept_from(:60000)|server_connect_to(127.0.0.1:60001)
<-server->
server_rsyslog_listen(127.0.0.1:60001)
###################
## Setup Stunnel ##
###################
## Stunnel4 - Client Setup
Install Stunnel4
%aptitude install stunnel4
Edit '/etc/default/stunnel4' so the service starts on system startup:
ENABLED=1
Edit "/etc/stunnel/stunnel.conf" and make the following changes:
- Comment out the line 'cert = xxxxx'
- Uncomment 'client = yes'
- Comment out the '[pop3s]', '[ssmtp]', and '[imaps]' sections.
- Add the following section, substituting your server address:
# Will accept connections to ports on local
# host and forward them to server
[rsyslog]
accept = 127.0.0.1:60514
# Server the stunnel client will connect to
connect = <server-address>:60000
Restart the Stunnel service:
%/etc/init.d/stunnel4 restart
Check the configuration was successful:
%netstat -aln
This should list 127.0.0.1:60514
## Stunnel - Server Setup
Install Stunnel
%aptitude install stunnel4
Edit '/etc/default/stunnel4' so the service starts on system startup:
ENABLED=1
Edit "/etc/stunnel/stunnel.conf" and make the following changes:
- Comment out the '[pop3s]', '[ssmtp]', and '[imaps]' sections.
- Change 'cert=/etc/stunnel/mail.pem' to 'cert=/etc/stunnel/stunnel.pem'
- Add the following section:
# Will accept external connections and forward them to the localhost
[ssyslog]
accept = 60000
connect = 127.0.0.1:60001
See the Stunnel faq (mentioned above) for a more detailed explanation of this file. For this EXAMPLE the following will suffice.
Execute the following to create the '/etc/stunnel/stunnel.pem' file (Stunnel reads both the private key and the certificate from the file named by 'cert=', so both are written to the same path):
%openssl req -new -x509 -days 365 -nodes -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
Restart the Stunnel service:
%/etc/init.d/stunnel4 restart
Check the configuration was successful:
%netstat -aln
This should list 0.0.0.0:60000 (the Stunnel listener) and 0.0.0.0:60001 (the RSyslog RELP listener)
#######################
### Setup RSyslog ###
#######################
## RSyslog - Client Configuration
To get RELP support we need to add the backports repository for lenny
In "/etc/apt/sources.list", add the following:
deb http://www.backports.org/debian lenny-backports main
Update apt:
%aptitude update
Install rsyslog-relp
%aptitude install rsyslog-relp
In "/etc/rsyslog.conf" add the following lines in the "MODULES" section:
# Load the relp module
$ModLoad omrelp
In "/etc/rsyslog.conf" add the following lines in the "RULES" section:
# Dump all messages to the remote logging server through the localport
*.* :omrelp:127.0.0.1:60514
Restart the RSyslog service:
%/etc/init.d/rsyslog restart
## RSyslog - Server Configuration
To get RELP support we need to add the backports repository for lenny
In "/etc/apt/sources.list", add the following:
deb http://www.backports.org/debian lenny-backports main
Update apt:
%aptitude update
Install rsyslog-relp
%aptitude install rsyslog-relp
In "/etc/rsyslog.conf" add the following lines in the "MODULES" section:
#Setup the Relp server config
$ModLoad imrelp.so
$InputRELPServerRun 60001
In "/etc/rsyslog.conf" add the following lines in the "RULES" section:
# Receive logs from the clients and put them in
# per-host, per-day files with a long file name.
$template HostAudit, "/var/log/rsyslog/%HOSTNAME%_%$MONTH%_%$DAY%_%$YEAR%-audit_log"
*.* ?HostAudit
Restart the RSyslog service:
%/etc/init.d/rsyslog restart
To test the setup on the client send a log message:
%logger testing the stunnel-rsyslogrelp setup
On the server, in '/var/log/rsyslog/', there should be a file named after the client's hostname and the current date. Tail it with 'tail -f <file_name>' and watch the log messages populate.
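As an added check (not part of the original post), the following POSIX shell script verifies the two "netstat -aln" expectations above and computes the file name the HostAudit template will produce for a given client and date. The ports, addresses and template are the ones used in this post; the netstat output embedded in the script is constructed for offline testing, not captured from a real host. Run it as "./check.sh live client" or "./check.sh live server" to check the machine it is on.

```shell
#!/bin/sh
# Verification helper for the Stunnel + RSyslog RELP chain described in the post.
# Added example, not code from the original post. Ports/paths follow the post.

# Expected LISTEN sockets per role (from the post's "Check the configuration" steps).
CLIENT_LISTENERS="127.0.0.1:60514"
SERVER_LISTENERS="0.0.0.0:60000 0.0.0.0:60001"

# check_listeners ROLE NETSTAT_OUTPUT
# Returns 0 if every expected listener for ROLE appears as a tcp LISTEN socket
# in the given "netstat -aln" output, 1 otherwise (missing ones are reported).
check_listeners() {
    role=$1
    output=$2
    case "$role" in
        client) expected=$CLIENT_LISTENERS ;;
        server) expected=$SERVER_LISTENERS ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    rc=0
    for addr in $expected; do
        # Match the Local Address column of a tcp line in LISTEN state exactly,
        # so 0.0.0.0:60001 is not satisfied by an ESTABLISHED 127.0.0.1:60001.
        if ! printf '%s\n' "$output" | awk -v a="$addr" \
            '$1 ~ /^tcp/ && $4 == a && $NF == "LISTEN" { found = 1 } END { exit !found }'; then
            echo "missing listener: $addr" >&2
            rc=1
        fi
    done
    return $rc
}

# expected_logfile HOSTNAME YEAR MONTH DAY
# Mirrors the post's HostAudit template:
#   /var/log/rsyslog/%HOSTNAME%_%$MONTH%_%$DAY%_%$YEAR%-audit_log
# (rsyslog renders $MONTH and $DAY as two digits, $YEAR as four).
expected_logfile() {
    printf '/var/log/rsyslog/%s_%s_%s_%s-audit_log\n' "$1" "$3" "$4" "$2"
}

# Constructed sample output in "netstat -aln" layout (not from a real host).
SAMPLE_CLIENT_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:60514         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

SAMPLE_SERVER_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:60001           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:60001         127.0.0.1:41234         ESTABLISHED'

# Server where rsyslog-relp was not started: only the Stunnel listener is present.
SAMPLE_BROKEN_SERVER_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:60000           0.0.0.0:*               LISTEN'

if [ "${1:-}" = "live" ]; then
    # Check the local machine: ./check.sh live client|server
    check_listeners "${2:-}" "$(netstat -aln)"
fi
```

The exact-match on the Local Address column matters: on the server, an ESTABLISHED 127.0.0.1:60001 connection from Stunnel to RSyslog must not be mistaken for the RELP listener itself, which is the error the broken sample reproduces.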
REFERENCES:
(REF1) http://www.rsyslog.com
(REF2) http://www.stunnel.org
(REF3) http://www.rsyslog.com/doc-imrelp.html
(REF4) http://www.rsyslog.com/doc-rsyslog_tls.html
(REF5) http://www.stunnel.org/faq/certs.html
(REF6) http://www.rsyslog.com/doc-rsyslog_conf_templates.html