Hi Rainer. Thank you for the reply (even though it's not the answer I was hoping to hear).

So I guess the next question is how (or where) to add an identifier for an
intermediary. Let's say I have a network that looks like this:

    [ Client1 ] --\
    [ Client2 ] ---+- [ Forwarder1 ] -\
    [ Client3 ] --/                    \
                                        +-- [ Aggregator ]
    [ Client4 ] --\                    /
    [ Client5 ] ---+- [ Forwarder2 ] -/
    [ Client6 ] --/

When I see messages at the Aggregator I want to know not only what Client it
came from, but also what Forwarder it came through.

Right now on the forwarders I change the message to include the client IP and
Client hostname (using set $!msg), and then send it using an omfwd template
(note that I have an intermediary variable for fromhost-ip here):

    type="string"
    string="%timegenerated% from:%$fromhost-ip% %syslogseverity-text%%$!msg%\n"

At the aggregator I also need to know whether a message came from Forwarder1
or Forwarder2, so I would like to add the Forwarder IP and hostname to the
message that goes up to the aggregator. Right now it uses this template for
omfile:

    type="string"
    string="%timegenerated% %msg%\n"

Will $hostname and $fromhost-ip on the aggregator be the hostname and ip of
the forwarder? Or the client?

What would be the best way to include this extra information in my log
entries?

Thanks,

-derek

On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
> unfortunately, this property is not yet available :-(
>
> Rainer
>
> El jue, 26 may 2022 a las 13:53, Derek Atkins (<de...@ihtfp.com>) escribió:
>>
>> Thanks Rainer,
>>
>> This is working smashingly!
>>
>> The next issue I'm trying to solve is how do I add the client certificate
>> information into the log message? I'd like to add e.g. the client
>> certificate subject (or subjectAltName) into my log template (similar to
>> how you can add the client hostname or fromhost-ip).
>>
>> Again, I am having issues searching, as any combination of "rsyslog" and
>> "certificate" seems to bring up documentation on "how to configure TLS"
>> which, obviously, I already know how to do...
>>
>> Any help or guidance would be appreciated.
>>
>> Thanks,
>>
>> -derek
>>
>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>> >
>> > https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>> >
>> > HTH
>> > Rainer
>> >
>> > Sent from phone, thus brief.
>> >
>> > Derek Atkins <de...@ihtfp.com> schrieb am Di., 17. Mai 2022, 22:01:
>> >
>> >> Hi,
>> >>
>> >> Are there docs on how to set this up on a per-input and/or per-omfwd
>> >> basis?
>> >>
>> >> All the docs I can find suggest setting the global
>> >> DefaultNetstreamDriver* variables, which in my case are not what I want
>> >> because I need to be able to use different keys/certs/CAs for the
>> >> input/imtcp vs the omfwd operations.
>> >>
>> >> I am running 8.2204.1.
>> >>
>> >> Thanks,
>> >>
>> >> -derek
>> >>
>> >> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>> >> > Yes, it's possible. Worked on that for quite some time last year ;-)
>> >> >
>> >> > Rainer
>> >> >
>> >> > El lun, 25 abr 2022 a las 7:41, Mariusz Kruk via rsyslog
>> >> > (<rsyslog@lists.adiscon.com>) escribió:
>> >> >>
>> >> >> There were some improvements to TLS handling introduced over several
>> >> >> versions so you'd have to review the changelog and docs.
>> >> >>
>> >> >> But from what I see, the omfwd module supports setting separate TLS
>> >> >> key/cert/cacert per action since 8.2108.
>> >> >>
>> >> >> The imtcp module also supports setting those on a per-input level
>> >> >> since 8.2108.
>> >> >>
>> >> >> So it should work.
>> >> >>
>> >> >> It is always a good idea to do a tcpdump and see how the handshake
>> >> >> progresses and when and where it fails.
>> >> >>
>> >> >> MK
>> >> >>
>> >> >> On 24.04.2022 00:35, Shane via rsyslog wrote:
>> >> >> > Hi, I am trying to get rsyslog to receive store/forward messages
>> >> >> > w/ tls on both sides.
>> >> >> >
>> >> >> > client --->tls---> rsyslog --->tls---> remote.something
>> >> >> >
>> >> >> > I got it set up so I could send to the rsyslog server but then I
>> >> >> > couldn't add another ca/cert files. My config was using global and
>> >> >> > defaultnetstream
>> >> >> >
>> >> >> > I found on rsyslog.com that prior to 8.2202 it couldn't use tls on
>> >> >> > two different source/dest. I found the cent 7 repo and got
>> >> >> > rsyslog-8.2204 installed. Now nothing works. I think I got the
>> >> >> > config correct but the client keeps getting rejected.
>> >> >> >
>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry returned error: The TLS connection was non-properly terminated. [v8.2204.0 try https://www.rsyslog.com/e/2083 ]
>> >> >> > Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session 0x7f6a04013360 from 192.168.5.22 will be closed due to error [v8.2204.0 try https://www.rsyslog.com/e/2089 ]
>> >> >> >
>> >> >> > So then I tried going to the ossl module. Now it's even worse. My
>> >> >> > config is a mess now too.
>> >> >> >
>> >> >> > Does tls on both sides work?
>> >> >> > Do I need the 8.2202+ version?
>> >> >> > Do you have an example config?
>> >> >> > _______________________________________________
>> >> >> > rsyslog mailing list
>> >> >> > https://lists.adiscon.net/mailman/listinfo/rsyslog
>> >> >> > http://www.rsyslog.com/professional-services/
>> >> >> > What's up with rsyslog? Follow https://twitter.com/rgerhards
>> >> >> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a
>> >> >> > myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT
>> >> >> > POST if you DON'T LIKE THAT.
>> >>
>> >> --
>> >> Derek Atkins 617-623-3745
>> >> de...@ihtfp.com www.ihtfp.com
>> >> Computer and Internet Security Consultant
>> >
>>
>> --
>> Derek Atkins 617-623-3745
>> de...@ihtfp.com www.ihtfp.com
>> Computer and Internet Security Consultant
>

--
Derek Atkins 617-623-3745
de...@ihtfp.com www.ihtfp.com
Computer and Internet Security Consultant
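
Added example, not part of the original thread and not a configuration posted by any participant: a forwarder that uses separate TLS material on its imtcp input and its omfwd action (the per-input and per-action settings mentioned above for 8.2108 and later) and stamps its own hostname into each relayed message, followed by an aggregator file template. Hostnames, ports, file paths, the gtls driver choice and the ruleset and template names are assumptions made for illustration.

```rsyslog
# ---- Forwarder (constructed example; every path and hostname is a placeholder) ----
module(load="imtcp")

# Receiving side: CA/cert/key set on this input only, no global defaults needed.
input(type="imtcp" port="6514" ruleset="relay"
      streamDriver.name="gtls"
      streamDriver.mode="1"
      streamDriver.authMode="x509/name"
      permittedPeer=["*.clients.example.net"]
      streamDriver.CAFile="/etc/rsyslog.d/tls/clients-ca.pem"
      streamDriver.CertFile="/etc/rsyslog.d/tls/forwarder-server-cert.pem"
      streamDriver.KeyFile="/etc/rsyslog.d/tls/forwarder-server-key.pem")

# Relay format: keep a normal syslog header so the aggregator can parse it,
# then prepend hop details to the message text.
#   $myhostname = this forwarder's own hostname
#   fromhost-ip = address of the peer this forwarder received the message from
template(name="RelayWithHop" type="string"
         string="<%pri%>%timestamp:::date-rfc3339% %hostname% %syslogtag% via=%$myhostname% from=%fromhost-ip%%msg%\n")

ruleset(name="relay") {
    # Sending side: a different CA/cert/key, set on this action only.
    action(type="omfwd" target="aggregator.example.net" port="6514" protocol="tcp"
           template="RelayWithHop"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="aggregator.example.net"
           StreamDriver.CAFile="/etc/rsyslog.d/tls/aggregator-ca.pem"
           StreamDriver.CertFile="/etc/rsyslog.d/tls/forwarder-client-cert.pem"
           StreamDriver.KeyFile="/etc/rsyslog.d/tls/forwarder-client-key.pem")
}

# ---- Aggregator (separate host, constructed example) ----
# fromhost-ip is documented as the system the message was received from, which
# in a relay chain is the hop directly in front of this host.
template(name="AggregatorFile" type="string"
         string="%timegenerated% relay=%fromhost-ip% %hostname%%msg%\n")
```

The via= and from= fields are written by the forwarder itself, so the aggregator can only trust them as far as it trusts the forwarder it authenticated over TLS.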