Thanks, this helped me get on the right path. The logging server I'm updating has an Rsyslog config written in the old Rsyslog format, which was throwing me through a loop when I was looking through the docs and only seeing the newer current format.

I cleared out the old config and used the new styling with the options you mentioned.

My /etc/rsyslog.d/70-my-config.conf:

    # certificate files
    $DefaultNetstreamDriverCAFile /etc/pki/tls/certs/db-server_arcc_uwyo_edu_interm.cer
    # make gtls driver the default
    $DefaultNetStreamDriver gtls
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer db-server.arcc.uwyo.edu

    # Send syslogs to MariaDB on arcc-db1
    action(type="ommysql" server="db-server.arcc.uwyo.edu" serverport="3306"
           db="Syslog" uid="rsyslog" pwd="<password>"
           MySQLConfig.File="/etc/my.cnf.d/mariadb-client-tls.cnf"
           MySQLConfig.Section="client-mariadb")

...then in my /etc/my.cnf.d/mariadb-client-tls.cnf I did this:

    [client-mariadb]
    ssl
    ssl-verify-server-cert
    ssl_ca = /etc/pki/tls/certs/db-server_arcc_uwyo_edu_interm.cer

Restarted rsyslog, and it seems to be working!

Thanks,
Levi Wilbert
http://SoundCloud.com/IO_Madness

On May 17, 2023, at 12:23 AM, Mariusz Kruk via rsyslog <rsyslog@lists.adiscon.com> wrote:

Actually, a quick glance over the code of ommysql.c and docs for it suggests that the connection handling might be influenced by a specified mysql config file (my.cnf or such).

So you should be able to get away with something like (haven't tested that, it's just something I came up with reading the docs)

    action(type="ommysql" [...] MySQLConfig.File="/etc/my.cnf" MySQLConfig.Section="rsyslog")

and adding to your my.cnf:

    [rsyslog]
    ssl-mode=REQUIRE
    [...]

On 16.05.2023 21:33, David Lang via rsyslog wrote:

I don't think the ommysql module supports TLS (I'm not absolutely sure)

note that the action() syntax almost always ignores $foo definitions. TLS is the one exception to that, but not all modules support TLS.

David Lang

On Tue, 16 May 2023, Levi Wilbert via rsyslog wrote:

Date: Tue, 16 May 2023 12:05:51 -0600
From: Levi Wilbert via rsyslog <rsyslog@lists.adiscon.com>
To: rsyslog@lists.adiscon.com
Cc: Levi Wilbert <voidnos...@gmail.com>
Subject: [rsyslog] Help w/ ommysql and TLS?
Greetings all,

I'm trying to forward syslogs from one of our servers to a new DB server running MariaDB, and running into some issues I was wondering if someone could help with.

I have rsyslog already installed on our logging server (RHEL7.9), and further have installed rsyslog-mysql on this server as well. I've copied the rsyslog DB setup script over to our DB server (RHEL9.1), and set up permissions for the rsyslog user to access MariaDB from our logging server.

Back on the logging server, I've configured rsyslog to load the ommysql module and passed the server and MariaDB login info to the module. With this setup and a mostly default MariaDB config, rsyslog appears to work ok.

However, we'd like to run our MariaDB securely using TLS. When I activate TLS in MariaDB on our DB server, rsyslog is no longer able to connect, and shows the following error:

    rsyslogd[26271]: db error (1045): Access denied for user 'rsyslog'@' log-svr.arcc.uwyo.edu' (using password: YES) [v8.24.0-57.el7_9.3]

(log-svr is our logging server, db-svr is our db server)

I've added the DB server's CA certificate to the logging server under /etc/pki/ca-trust/source/anchors/, and run update-ca-trust.

I have tested connecting to MariaDB from our logging server w/ mysql, which works fine, yet rsyslog doesn't appear to be able to connect!

I've tried configuring rsyslog on the logging server w/ the following options:

    $DefaultNetstreamDriverCAFile /etc/pki/tls/certs/db-svr_arcc_uwyo_edu_interm.cer
    $DefaultNetStreamDriver gtls
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer db-svr.arcc.uwyo.edu

    action(type="ommysql" server="db-svr.arcc.uwyo.edu" serverport="3306"
           db="Syslog" uid="rsyslog" pwd="<password>")

Can anyone help w/ getting rsyslog to connect w/ TLS to our remote DB server?
Thanks,
Levi Wilbert
HPC & Linux Systems Administrator
ARCC - Division of Research and Economic Development
Information Technology Ctr 226
1000 E. University Avenue, Laramie, WY 82071-200

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
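
Added example, not part of the original thread and not rsyslog project code: a small audit that checks whether each ommysql action() points at a my.cnf section that requests TLS and verifies the server certificate, which is the setup the thread arrives at. The function names, the sample inputs (constructed from the thread's config) and the policy of requiring an explicit ssl-ca are assumptions of this example.

```python
import configparser
import re

# Constructed sample inputs mirroring the working configuration in the thread.
RSYSLOG_CONF = '''
action(type="ommysql" server="db-server.arcc.uwyo.edu" serverport="3306"
       db="Syslog" uid="rsyslog" pwd="<password>"
       MySQLConfig.File="/etc/my.cnf.d/mariadb-client-tls.cnf"
       MySQLConfig.Section="client-mariadb")
'''
MY_CNF = '''
[client-mariadb]
ssl
ssl-verify-server-cert
ssl_ca = /etc/pki/tls/certs/db-server_arcc_uwyo_edu_interm.cer
'''

def ommysql_actions(conf_text):
    """Return one dict of parameters (lower-cased keys) per ommysql action()."""
    found = []
    # Skip over quoted strings so a ')' inside a password does not end the match.
    for body in re.findall(r'action\s*\(((?:"[^"]*"|[^")])*)\)', conf_text, re.I):
        params = {k.lower(): v
                  for k, v in re.findall(r'([\w.]+)\s*=\s*"([^"]*)"', body)}
        if params.get("type") == "ommysql":
            found.append(params)
    return found

def audit(params, cnf_text):
    """Return TLS findings for one action, given the text of its my.cnf file."""
    section = params.get("mysqlconfig.section")
    if not params.get("mysqlconfig.file") or not section:
        # $...StreamDriver directives do not reach ommysql, per the thread.
        return ["no MySQLConfig.File/Section: no client TLS options are set"]
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                   strict=False)
    cp.read_string(cnf_text)
    if not cp.has_section(section):
        return ["section [%s] not found in option file" % section]
    # Option files treat '-' and '_' in option names as equivalent.
    opts = {k.replace("_", "-"): v for k, v in cp.items(section)}
    findings = []
    if "ssl" not in opts and "ssl-mode" not in opts:
        findings.append("TLS is not requested (no ssl / ssl-mode)")
    if "ssl-verify-server-cert" not in opts:
        findings.append("server certificate is not verified")
    if not opts.get("ssl-ca"):
        findings.append("no ssl-ca trust anchor configured")
    return findings

if __name__ == "__main__":
    for action in ommysql_actions(RSYSLOG_CONF):
        print(action["server"], audit(action, MY_CNF) or "OK")
```

Run it against the real files by reading them into the two strings; an option file that uses !include directives needs those lines removed first, since configparser does not understand them.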