I presume that was a typo and it should be "$myhostname" and not "$$myhostname"? Or is there something special about "$$"?

-derek

On Thu, May 26, 2022 1:29 pm, David Lang via rsyslog wrote:
> sorry, that's what I meant to use (typing from memory to lay out the idea)
>
> David Lang
>
> On Thu, 26 May 2022, John Chivian wrote:
>
>> Date: Thu, 26 May 2022 12:20:12 -0500
>> From: John Chivian <jchiv...@chivian.com>
>> To: rsyslog-users <rsyslog@lists.adiscon.com>
>> Cc: David Lang <da...@lang.hm>
>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>
>> There is also the $$myhostname variable that can be used to identify
>> “this” host.
>>
>>
>>> On May 26, 2022, at 12:15, David Lang via rsyslog
>>> <rsyslog@lists.adiscon.com> wrote:
>>>
>>> what I like to do is to format the body of the message as json, I
>>> create $!msg=$msg and then I create a tree $!trusted and in that I add
>>> additional metadata, including $!trusted.relay
>>>
>>> set $.relay = $!trusted.relay;
>>> set $!trusted.relay.last = $.relay;
>>> set $!trusted.relay.host = $hostname;
>>> set $!trusted.relay.last = $!fromhost-ip;
>>> set $!trusted.relay.time = $timegenerated;
>>>
>>> then in the final aggregator, I have all the info I could want about
>>> what relays the log has gone through, when it was processed by each
>>> relay, etc.
>>>
>>> I also have the sender add additional metadata here as well (if it's
>>> reading from a file, what filename for example)
>>>
>>> David Lang
>>>
>>> On Thu, 26 May 2022, Derek Atkins via rsyslog wrote:
>>>
>>>> Date: Thu, 26 May 2022 13:04:00 -0400
>>>> From: Derek Atkins via rsyslog <rsyslog@lists.adiscon.com>
>>>> To: Rainer Gerhards <rgerha...@hq.adiscon.com>
>>>> Cc: Derek Atkins <de...@ihtfp.com>, rsyslog-users
>>>> <rsyslog@lists.adiscon.com>
>>>> Subject: Re: [rsyslog] problems with tls and rsyslog
>>>> Hi Rainer.
>>>>
>>>> Thank you for the reply (even though it's not the answer I was hoping to
>>>> hear).
>>>>
>>>> So I guess the next question is how (or where) to add an identifier for an
>>>> intermediary.
>>>>
>>>> Let's say I have a network that looks like this:
>>>>
>>>> [ Client1 ] --\
>>>> [ Client2 ] ---+- [ Forwarder1 ] -\
>>>> [ Client3 ] --/                    \
>>>>                                     +-- [ Aggregator ]
>>>> [ Client4 ] --\                    /
>>>> [ Client5 ] ---+- [ Forwarder2 ] -/
>>>> [ Client6 ] --/
>>>>
>>>>
>>>> When I see messages at the Aggregator I want to know not only what Client
>>>> it came from, but also what Forwarder it came through.
>>>>
>>>> Right now on the forwarders I change the message to include the client IP
>>>> and Client hostname (using set $!msg), and then send it using an omfwd
>>>> template (note that I have an intermediary variable for fromhost-ip here):
>>>>
>>>> type="string" string="%timegenerated% from:%$fromhost-ip% %syslogseverity-text%%$!msg%\n"
>>>>
>>>> At the aggregator I also need to know whether a message came from
>>>> Forwarder1 or Forwarder2, so I would like to add the Forwarder IP and
>>>> hostname to the message that goes up to the aggregator. Right now it uses
>>>> this template for omfile:
>>>>
>>>> type="string" string="%timegenerated% %msg%\n"
>>>>
>>>> Will $hostname and $fromhost-ip on the aggregator be the hostname and ip
>>>> of the forwarder? Or the client?
>>>>
>>>> What would be the best way to include this extra information in my log
>>>> entries?
>>>>
>>>> Thanks,
>>>>
>>>> -derek
>>>>
>>>> On Thu, May 26, 2022 12:31 pm, Rainer Gerhards wrote:
>>>>> unfortunately, this property is not yet available :-(
>>>>>
>>>>> Rainer
>>>>>
>>>>> On Thu, 26 May 2022 at 13:53, Derek Atkins (<de...@ihtfp.com>) wrote:
>>>>>>
>>>>>> Thanks Rainer,
>>>>>>
>>>>>> This is working smashingly!
>>>>>>
>>>>>> The next issue I'm trying to solve is how do I add the client certificate
>>>>>> information into the log message? I'd like to add e.g. the client
>>>>>> certificate subject (or subjectAltName) into my log template (similar to
>>>>>> how you can add the client hostname or fromhost-ip).
>>>>>>
>>>>>> Again, I am having issues searching, as any combination of "rsyslog" and
>>>>>> "certificate" seems to bring up documentation on "how to configure TLS"
>>>>>> which, obviously, I already know how to do...
>>>>>>
>>>>>> Any help or guidance would be appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -derek
>>>>>>
>>>>>> On Tue, May 17, 2022 4:12 pm, Rainer Gerhards wrote:
>>>>>>> https://www.rsyslog.com/doc/v8-stable/configuration/modules/imtcp.html
>>>>>>>
>>>>>>> https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
>>>>>>>
>>>>>>> HTH
>>>>>>> Rainer
>>>>>>>
>>>>>>> Sent from phone, thus brief.
>>>>>>>
>>>>>>> Derek Atkins <de...@ihtfp.com> wrote on Tue, 17 May 2022, 22:01:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Are there docs on how to set this up on a per-input and/or per-omfwd
>>>>>>>> basis?
>>>>>>>>
>>>>>>>> All the docs I can find suggest setting the global DefaultNetstreamDriver*
>>>>>>>> variables, which in my case are not what I want because I need to be able
>>>>>>>> to use different keys/certs/CAs for the input/imtcp vs the omfwd
>>>>>>>> operations.
>>>>>>>>
>>>>>>>> I am running 8.2204.1.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> -derek
>>>>>>>>
>>>>>>>> On Mon, April 25, 2022 3:03 am, Rainer Gerhards via rsyslog wrote:
>>>>>>>>> Yes, it's possible. Worked on that for quite some time last year ;-)
>>>>>>>>>
>>>>>>>>> Rainer
>>>>>>>>>
>>>>>>>>> On Mon, 25 Apr 2022 at 7:41, Mariusz Kruk via rsyslog
>>>>>>>>> (<rsyslog@lists.adiscon.com>) wrote:
>>>>>>>>>>
>>>>>>>>>> There were some improvements to TLS handling introduced over several
>>>>>>>>>> versions so you'd have to review the changelog and docs.
>>>>>>>>>>
>>>>>>>>>> But from what I see, the omfwd module supports setting separate TLS
>>>>>>>>>> key/cert/cacert per action since 8.2108.
>>>>>>>>>>
>>>>>>>>>> The imtcp module also supports setting those on a per-input level since
>>>>>>>>>> 8.2108.
>>>>>>>>>>
>>>>>>>>>> So it should work.
>>>>>>>>>>
>>>>>>>>>> It is always a good idea to do a tcpdump and see how the handshake
>>>>>>>>>> progresses and when and where it fails.
>>>>>>>>>>
>>>>>>>>>> MK
>>>>>>>>>>
>>>>>>>>>> On 24.04.2022 00:35, Shane via rsyslog wrote:
>>>>>>>>>>> Hi I am trying to get rsyslog to receive store/forward messages w/ tls on
>>>>>>>>>>> both sides.
>>>>>>>>>>>
>>>>>>>>>>> client --->tls---> rsyslog --->tls---> remote.something
>>>>>>>>>>>
>>>>>>>>>>> I got it set up so I could send to the rsyslog server but then I couldn't
>>>>>>>>>>> add another ca/cert files. My config was using global and defaultnetstream
>>>>>>>>>>>
>>>>>>>>>>> I found on rsyslog.com that prior to 8.2202 it couldn't use tls on two
>>>>>>>>>>> different source/dest. I found the cent 7 repo and got rsyslog-8.2204
>>>>>>>>>>> installed. Now nothing works. I think I got the config correct but the
>>>>>>>>>>> client keeps getting rejected.
>>>>>>>>>>>
>>>>>>>>>>> Apr 23 17:13:39 rlog rsyslogd[11417]: GnuTLS handshake retry returned error: The TLS connection was non-properly terminated. [v8.2204.0 try https://www.rsyslog.com/e/2083 ]
>>>>>>>>>>> Apr 23 17:13:39 rlog rsyslogd[11417]: netstream session 0x7f6a04013360 from 192.168.5.22 will be closed due to error [v8.2204.0 try https://www.rsyslog.com/e/2089 ]
>>>>>>>>>>>
>>>>>>>>>>> So then I tried going to the ossl module. Now it's even worse. My config
>>>>>>>>>>> is a mess now too.
>>>>>>>>>>>
>>>>>>>>>>> Does tls on both sides work?
>>>>>>>>>>> Do I need the 8.2202+ version?
>>>>>>>>>>> Do you have an example config?
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> rsyslog mailing list
>>>>>>>>>>> https://lists.adiscon.net/mailman/listinfo/rsyslog
>>>>>>>>>>> http://www.rsyslog.com/professional-services/
>>>>>>>>>>> What's up with rsyslog? Follow https://twitter.com/rgerhards
>>>>>>>>>>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
>>>>>>>>>>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
>>>>>>>>>>> DON'T LIKE THAT.
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Derek Atkins                 617-623-3745
>>>>>>>> de...@ihtfp.com             www.ihtfp.com
>>>>>>>> Computer and Internet Security Consultant

--
Derek Atkins                 617-623-3745
de...@ihtfp.com             www.ihtfp.com
Computer and Internet Security Consultant
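
The per-input (imtcp) and per-action (omfwd) TLS credentials discussed in this thread, laid out for a forwarder, as an added example that is not taken from any poster's message or from the rsyslog project's own files. All file paths, port numbers, host names and permitted-peer names are placeholders, and the gtls driver is assumed.

```rsyslog
# Forwarder: accept logs from clients over TLS with one CA/cert/key set,
# relay them to the aggregator over TLS with a different set.
# Per the thread, the per-input / per-action credential parameters need
# rsyslog 8.2108 or later. Every path, port and name below is a placeholder.

module(load="imtcp")

# Inbound side: the forwarder acts as a TLS server for its clients.
input(type="imtcp"
      port="6514"
      ruleset="relay"
      streamDriver.name="gtls"
      streamDriver.mode="1"                  # 1 = TLS-only listener
      streamDriver.authMode="x509/name"      # require and validate client certs
      permittedPeer=["*.clients.example.net"]
      streamDriver.CAFile="/etc/rsyslog.d/tls/clients-ca.pem"
      streamDriver.CertFile="/etc/rsyslog.d/tls/forwarder-server-cert.pem"
      streamDriver.KeyFile="/etc/rsyslog.d/tls/forwarder-server-key.pem")

# Outbound side: the forwarder acts as a TLS client toward the aggregator,
# trusting a different CA and presenting a different certificate.
ruleset(name="relay") {
    action(type="omfwd"
           target="aggregator.example.net"
           port="6514"
           protocol="tcp"
           StreamDriver="gtls"
           StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="aggregator.example.net"
           StreamDriver.CAFile="/etc/rsyslog.d/tls/upstream-ca.pem"
           StreamDriver.CertFile="/etc/rsyslog.d/tls/forwarder-client-cert.pem"
           StreamDriver.KeyFile="/etc/rsyslog.d/tls/forwarder-client-key.pem")
}
```

Running `rsyslogd -N1` against the file checks the syntax before a restart; a handshake that still fails can then be traced with tcpdump, as suggested in the thread.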