Can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.

quick doc: https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html

Rainer

On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog (<rsyslog@lists.adiscon.com>) wrote:
>
> Hi
>
> When I turn off TLS it works fine :/
>
> I don't see any errors in the server logs
>
> -----Original Message-----
> From: Rainer Gerhards <rgerha...@hq.adiscon.com>
> Sent: Wednesday, May 25, 2022 6:39 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <grzegorz.zalew...@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> This looks like the server is not using TLS. Any rsyslog error messages in
> the server log?
>
> Rainer
>
> On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Hi
> > My version of rsyslogd on the log server:
> > rsyslogd 8.2106.0 (aka 2021.06) compiled with:
> > PLATFORM: x86_64-suse-linux-gnu
> > PLATFORM (lsb_release -d):
> > FEATURE_REGEXP: Yes
> > GSSAPI Kerberos 5 support: Yes
> > FEATURE_DEBUG (debug build, slow code): No
> > 32bit Atomic operations supported: Yes
> > 64bit Atomic operations supported: Yes
> > memory allocator: system default
> > Runtime Instrumentation (slow code): No
> > uuid support: Yes
> > systemd support: Yes
> > Config file: /etc/rsyslog.conf
> > PID file: /var/run/rsyslogd.pid
> > Number of Bits in RainerScript integers: 64
> >
> > # ######### Receiving Messages from Remote Hosts ##########.
> > ########### Encrypting Syslog Traffic with TLS ##########
> > # -- TLS Syslog Server:.
> > ## make gtls driver the default
> > $DefaultNetstreamDriver gtls
> > #
> > ## certificate files
> > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
> > $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
> > $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem
> >
> > $ModLoad imtcp # load TCP listener
> > #
> > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > #$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > $InputTCPServerStreamDriverAuthMode x509/name
> > $InputTCPServerStreamDriverPermittedPeer *.domain.com
> > $InputTCPServerRun 514 # start up listener at port 10514
> > #
> > #$EscapeControlCharactersOnReceive off
> > #$Escape8BitCharactersOnReceive off
> >
> > $template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
> > *.* ?RemoteServer
> >
> > Client conf:
> > # certificate files - just CA for a client
> > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem
> >
> > # set up the action
> > $DefaultNetstreamDriver gtls # use gtls netstream driver
> > $ActionSendStreamDriverMode 1 # require TLS for the connection
> > $ActionSendStreamDriverAuthMode x509/name
> >
> > #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> >
> > # Only send log to SERVER.EXAMPLE.COM host
> > $ActionSendStreamDriverPermittedPeer server.domain.com
> > *.* @@(o) server.domain.com:514 # send (all) messages
> >
> > What I have in the log on the server:
> > 2022-05-25T14:44:32.782021+02:00 client.domain.com
> > #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.
> > domain.coml#000#034#000#002@
> > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > #026#003#001#000.#001#000#000.#003#003·...愜#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,̩...
> > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > .+...#011.0̨.#024./.#023#000...#0005#000...#000/#000...#0009#000...#00
> > 03#001#000#000.#000#005#000#005#001#000#000#000#000
> > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000#001#0
> > 01#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#000
> > #004#001#010#011#010#004#004#003#010#007#00
> > 5#001#010
> >
> > Before 15 May it was working fine.
> > I don't have any idea what is wrong
> >
> > _______________________________________________
> > rsyslog mailing list
> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > http://www.rsyslog.com/professional-services/
> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> > sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> > LIKE THAT.
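
Added example (not part of the original thread, and not rsyslog project code): the stored lines quoted above begin with #026#003#001, which is the octal-escaped form of the TLS record header bytes 0x16 0x03 0x01, i.e. a TLS handshake written to disk as if it were a syslog message. The Python sketch below decodes the "#" plus three octal digits escaping seen in those lines and flags stored messages that start with a TLS record header; the sample lines and the host name client.example.com are constructed, and the "timestamp host message" layout is assumed from the quoted log.

```python
import re

# A control byte is stored as '#' + three octal digits, as in the quoted log lines.
_ESC = re.compile(r"#([0-3][0-7]{2})")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}


def unescape(msg: str) -> bytes:
    """Turn '#ooo' escapes back into raw bytes; other characters pass through."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(msg):
        out += msg[pos:m.start()].encode("utf-8", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += msg[pos:].encode("utf-8", "replace")
    return bytes(out)


def tls_record_type(msg: str):
    """Return the TLS record type name if msg starts with a TLS record header."""
    raw = unescape(msg)
    # Record header: content type (1 byte), then version major 3, minor 0..4.
    if len(raw) >= 3 and raw[0] in TLS_CONTENT_TYPES and raw[1] == 3 and raw[2] <= 4:
        return TLS_CONTENT_TYPES[raw[0]]
    return None


def scan(lines):
    """Yield (timestamp, host, record_type) for stored lines that hold TLS bytes."""
    for line in lines:
        parts = line.split(" ", 2)  # timestamp, hostname, message
        if len(parts) == 3:
            kind = tls_record_type(parts[2])
            if kind:
                yield parts[0], parts[1], kind


# Constructed sample lines, not taken from the thread.
SAMPLE = [
    "2022-05-25T14:44:32.887714+02:00 client.example.com #026#003#001#000.#001#000#000.#003#003",
    "2022-05-25T14:44:33.000000+02:00 client.example.com sshd[811]: Accepted publickey for ops",
    "2022-05-25T14:44:34.100000+02:00 client.example.com #025#003#003#000#002#002(",
]

if __name__ == "__main__":
    for ts, host, kind in scan(SAMPLE):
        print(f"{ts} {host}: TLS {kind} record stored as a syslog message")
```

A hit means the sender is speaking TLS while the receiving listener is treating the stream as plain syslog, which is the condition the debug log of the server startup is meant to confirm.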