Hi,

Are there docs on how to set this up on a per-input and/or per-omfwd basis? All the docs I can find suggest setting the global DefaultNetstreamDriver* variables, which in my case are not what I want because I need to be able to use different keys/certs/CAs for the input/imtcp vs the omfwd operations.

I am running 8.2204.1.

Thanks,

-derek

On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
> Yes, it's possible. Worked on that for quite some time last year ;-)
>
> Rainer
>
> On Mon, 25 Apr 2022 at 7:41, Mariusz Kruk via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
>>
>> There were some improvements to TLS handling introduced over several
>> versions so you'd have to review the changelog and docs.
>>
>> But from what I see, the omfwd module supports setting separate TLS
>> key/cert/cacert per action since 8.2108.
>>
>> The imtcp module also supports setting those on a per-input level since
>> 8.2108.
>>
>> So it should work.
>>
>> It is always a good idea to do a tcpdump and see how the handshake
>> progresses and when and where it fails.
>>
>> MK
>>
>> On 24.04.2022 00:35, Shane via rsyslog wrote:
>> > Hi, I am trying to get rsyslog to receive store/forward messages w/ tls on
>> > both sides.
>> >
>> > client --->tls---> rsyslog --->tls---> remote.something
>> >
>> > I got it set up so I could send to the rsyslog server but then I couldn't
>> > add another ca/cert files. My config was using global and defaultnetstream
>> >
>> > I found on rsyslog.com that prior to 8.2202 it couldn't use tls on two
>> > different source/dest. I found the cent 7 repo and got rsyslog-8.2204
>> > installed. Now nothing works. I think I got the config correct but the
>> > client keeps getting rejected.
>> >
>> > Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry returned error: The TLS connection was non-properly terminated. [v8.2204.0 try https://www.rsyslog.com/e/2083 ]
>> > Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session 0x7f6a04013360 from 192.168.5.22 will be closed due to error [v8.2204.0 try https://www.rsyslog.com/e/2089 ]
>> >
>> > So then I tried going to the ossl module. Now it's even worse. My config
>> > is a mess now too.
>> >
>> > Does tls on both sides work?
>> > Do I need the 8.2202+ version?
>> > Do you have an example config?
>> > _______________________________________________
>> > rsyslog mailing list
>> > https://lists.adiscon.net/mailman/listinfo/rsyslog
>> > http://www.rsyslog.com/professional-services/
>> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

--
Derek Atkins 617-623-3745
de...@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
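
The relay layout discussed in this thread (client, TLS, rsyslog, TLS, remote), sketched as an added example that is not from any poster here and is not the project's own configuration. It assumes rsyslog 8.2108 or later and uses the per-input and per-action stream driver parameters named in the imtcp and omfwd module documentation; every path, host name, port, peer name and queue name is a placeholder.

```rsyslog
# Added example: separate TLS material for the receiving and forwarding sides.
# All file paths, host names, ports and peer names are placeholders.

# Needed only for the disk-assisted queue on the forwarding action below.
global(workDirectory="/var/spool/rsyslog")

# No DefaultNetstreamDriver* globals: each side names its own CA, cert and key.
module(load="imtcp")

# Inbound side. Clients are verified against the inbound CA, and the relay
# presents its server certificate. Mode 1 is TLS-only; x509/name checks both
# the certificate chain and the peer name against permittedPeer.
input(type="imtcp" port="6514" ruleset="relay"
      streamDriver.name="gtls"
      streamDriver.mode="1"
      streamDriver.authMode="x509/name"
      permittedPeer=["*.clients.example.net"]
      streamDriver.CAFile="/etc/rsyslog.d/tls/inbound-ca.pem"
      streamDriver.CertFile="/etc/rsyslog.d/tls/relay-server-cert.pem"
      streamDriver.KeyFile="/etc/rsyslog.d/tls/relay-server-key.pem")

# Outbound side. The remote collector is verified against a different CA,
# and the relay presents a separate client certificate. The queue settings
# hold messages on disk while the remote is unreachable (store and forward).
ruleset(name="relay") {
    action(type="omfwd" protocol="tcp"
           target="remote.example.net" port="6514"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="remote.example.net"
           StreamDriver.CAFile="/etc/rsyslog.d/tls/outbound-ca.pem"
           StreamDriver.CertFile="/etc/rsyslog.d/tls/relay-client-cert.pem"
           StreamDriver.KeyFile="/etc/rsyslog.d/tls/relay-client-key.pem"
           queue.type="LinkedList"
           queue.filename="fwd_remote"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

Running `rsyslogd -N1` against the file checks the syntax before a restart; a handshake that still fails is then most often a CA or peer-name mismatch on one of the two legs, which the tcpdump suggested above will localize.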