Hi,

Perhaps you can create a debug log with filters applied to remove uninteresting content:

global(
    debug.whitelist="on"
    debug.files=["nsd_ossl.c", "tcpsrv.c", "nsdsel_ossl.c", "nsdpoll_ptcp.c", "nsd_gtls.c", "nsdsel_gtls.c"]
)

We need to see actual debug output from the TLS code to tell more about the problem.

Best regards,
Andre Lorbach

> -----Original Message-----
> From: rsyslog <rsyslog-boun...@lists.adiscon.com> On Behalf Of Abhinav Bhatia via rsyslog
> Sent: Monday, 20 June 2022 19:59
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Abhinav Bhatia <nitks.abhi...@gmail.com>
> Subject: Re: [rsyslog] Issue with rsyslogd with TLS version 8.2204.0.master
>
> Yes, the TLS session gets established but, if we add the debug to the config shared earlier, it does not even start the TCP handshake.
>
> On Mon, Jun 20, 2022 at 1:22 PM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
>
> > This time you included debug log from rsyslogd creating the merged config, not the actual config itself.
> >
> > Anyway, the PCAP is interesting.
> >
> > Because it shows two separate TLS-based connections which are negotiated, then there is some data pushed through the encrypted channel but the connections are not finished.
> >
> > I assume these are not the first connections because the pre-shared key has already been established and the sessions are now established in a "quick way" (without verifying certs again).
> >
> > So it does seem as if the TLS connection as such was being established indeed.
> >
> > On 20.06.2022 18:08, Abhinav Bhatia via rsyslog wrote:
> > > Sorry, below are the attached files, effective config from client side and wireshark of the working scenario.
> > >
> > > On Mon, Jun 20, 2022 at 11:41 AM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
> > >
> > >> OK. Now we're getting somewhere ;-)
> > >>
> > >> So you're trying to do TLS-enabled forwarding between "client" rsyslogd and "server" rsyslogd.
> > >>
> > >> Unfortunately, you didn't post the whole config from the client - the config relies on some included files which are not attached.
> > >>
> > >> You can get the resulting config as rsyslog sees it by calling
> > >>
> > >> rsyslogd -N1 -o /tmp/rsyslogd_effective.conf
> > >>
> > >> It seems you forgot the wireshark snapshot as well.
> > >>
> > >> On 20.06.2022 17:34, Abhinav Bhatia via rsyslog wrote:
> > >>> Yes. But what functionality with TLS is or is not working? Input? Output?
> > >>>
> > >>>
> > >>> *I have a client running rsyslogd, sending syslogs to server. I am using syslog() to send syslogs. When I run version 8.2108 with TLS, I see the messages sent from client on wireshark (snapshot attached). But if I enable debug I do not see anything on Wireshark going out from client side.*
> > >>>
> > >>> What's your config?
> > >>> *Attached are the configs from client and server.*
> > >>>
> > >>> What are the symptoms of "not working"? Does your side terminate the TLS connection with some error? Does the other side terminate it?
> > >>> *I think the client does not start the connection.*
> > >>>
> > >>> Does it work again if you downgrade the rsyslog back to 8.2108?
> > >>> *Yes, if I downgrade to 8.2108, rsyslogd with TLS is working (NO Debug enabled)*
> > >>>
> > >>> On Mon, Jun 20, 2022 at 11:06 AM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
> > >>>
> > >>>> Yes. But what functionality with TLS is or is not working? Input? Output?
> > >>>>
> > >>>> What's your config?
> > >>>>
> > >>>> What are the symptoms of "not working"? Does your side terminate the TLS connection with some error? Does the other side terminate it?
> > >>>>
> > >>>> Did you try tcpdumping the TLS connection?
> > >>>>
> > >>>> Does it work again if you downgrade the rsyslog back to 8.2108?
> > >>>>
> > >>>> On 20.06.2022 16:59, Abhinav Bhatia wrote:
> > >>>>> Hi Mariusz,
> > >>>>>
> > >>>>> Thank you for quick reply,
> > >>>>>
> > >>>>> *Version* | *No TLS* | *TLS with Debug enabled* | *TLS with debug disabled*
> > >>>>> 8.2108.0  | Working  | Not Working              | Working
> > >>>>> 8.2204.0  | Working  | Not Working              | Not Working
> > >>>>>
> > >>>>> Logs I shared with you were of version 8.2108.0, TLS with Debug enabled.
> > >>>>>
> > >>>>> Thank you,
> > >>>>>
> > >>>>>
> > >>>>> On Mon, Jun 20, 2022 at 10:38 AM Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:
> > >>>>>
> > >>>>> OK. But _what_ is working or not working? Because quick glance over the debug file you attached doesn't show anything TLS-related.
> > >>>>>
> > >>>>> Or even any other input module other than imuxsock or imklog. So maybe it's that your omfwd action is supposed to be TLS-enabled. But we don't see any streamdriver config in this debug.
> > >>>>>
> > >>>>> On 20.06.2022 16:27, Abhinav Bhatia via rsyslog wrote:
> > >>>>> > Hi,
> > >>>>> >
> > >>>>> > I was using rsyslogd (version 8.2108.0.master) with TLS which was working fine. Then I upgraded to 8.2204.0.master and syslog with TLS stopped working, over UDP works fine.
> > >>>>> >
> > >>>>> > Along with rsyslogd I upgraded the curl 7.79.0-DEV to 7.83.1-DEV, and Nettle from 3.1.1 to 3.7.1.
> > >>>>> >
> > >>>>> > To debug the issue I enabled the logs with version 8.2108.0 via rsyslog.conf. Issue is when I enable logs I do not see any TLS data sent to the server (attached logs). However if I do not enable debug in conf file it works fine.
> > >>>>> >
> > >>>>> > Below are the lines added for debugging in syslog.conf:
> > >>>>> >
> > >>>>> > $DebugFile /var/log/rsyslog.debug
> > >>>>> > $DebugLevel 2
> > >>>>> >
> > >>>>> > Thank you!
> > >>>>> >
> > >>>>> > _______________________________________________
> > >>>>> > rsyslog mailing list
> > >>>>> > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > >>>>> > http://www.rsyslog.com/professional-services/
> > >>>>> > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > >>>>> > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
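
The point raised in the thread, that no stream driver config is visible for the omfwd action, can be checked directly against the expanded config written by `rsyslogd -N1 -o`. The following is an added example, not part of the original thread and not rsyslog project code; the function name, sample config, host names and paths are constructed, and it assumes RainerScript `action()` blocks only (legacy `@@host` forwarding lines are not parsed).

```python
import re

# RainerScript action(...) block; quoted values may themselves contain ")".
ACTION_RE = re.compile(r'\baction\s*\(((?:"[^"]*"|[^")])*)\)', re.I)
PARAM_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')
# Matches global(DefaultNetstreamDriver="gtls") and "$DefaultNetstreamDriver gtls".
GLOBAL_DRV_RE = re.compile(r'DefaultNetstreamDriver\s*(?:=\s*"|\s)(\w+)', re.I)

def audit_forwarders(conf_text):
    """Report, per omfwd action, whether TLS forwarding is actually configured."""
    # Ignore whole-line comments so disabled actions are not counted.
    text = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    m = GLOBAL_DRV_RE.search(text)
    default_driver = m.group(1).lower() if m else ""
    findings = []
    for body in ACTION_RE.findall(text):
        p = {k.lower(): v for k, v in PARAM_RE.findall(body)}
        if p.get("type", "").lower() != "omfwd":
            continue
        problems = []
        if p.get("protocol", "udp").lower() != "tcp":   # omfwd defaults to UDP
            problems.append("protocol is not tcp")
        if (p.get("streamdriver") or default_driver).lower() not in ("gtls", "ossl"):
            problems.append("no TLS stream driver (gtls/ossl) selected")
        if p.get("streamdrivermode", "0") != "1":
            problems.append("StreamDriverMode is not 1")
        tls = not problems
        if "streamdriverauthmode" not in p:
            problems.append("StreamDriverAuthMode not set on the action")
        findings.append({"target": p.get("target"), "tls": tls, "problems": problems})
    return findings

# Constructed sample standing in for /tmp/rsyslogd_effective.conf.
SAMPLE = '''
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="/etc/pki/ca.pem")
# action(type="omfwd" target="old.example.net")
action(type="omfwd" target="logs.example.net" port="6514" protocol="tcp"
       StreamDriverMode="1" StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="logs.example.net")
action(type="omfwd" target="10.0.0.5" port="514" protocol="tcp")
action(type="omfile" file="/var/log/messages")
'''

if __name__ == "__main__":
    for f in audit_forwarders(SAMPLE):
        print(f)
```

An action reported with `tls` false sends in clear text (or not at all over TCP/TLS) regardless of what the global stream driver settings say, so it is worth running this on both the working and the failing version's effective config and comparing the results.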