I realized I need some more detail here.

We are listening for incoming connections using the imptcp module. In the 
module configuration I found 'NotifyOnConnectionOpen' and 
'NotifyOnConnectionClose', which appear to do what we need for incoming 
connections; however, I get an error that NotifyOnConnectionOpen is not 
recognized (not getting the same error for the Close):

rsyslogd: error during parsing file /etc/rsyslog.d/60-ei-cc.conf, on or before 
line 27: parameter 'NotifyOnConnectionOpen' not known -- typo in config file? 
[v8.2112.0 try https://www.rsyslog.com/e/2207


So if we can get this working, the question only remains for connections 
initiated by rsyslog to forward logs. For this we use omfwd actions, but this 
does not appear to have the same kind of NotifyXXX configuration.



________________________________
From: Christiaan Schade
Sent: Friday, January 19, 2024 12:43 PM
To: rsyslog@lists.adiscon.com <rsyslog@lists.adiscon.com>
Subject: Logging rsyslog's own incoming and outgoing TLS connections for 
CommonCriteria compliance

Hello,

For CommonCriteria compliance I need to get logs from rsyslog about the TLS 
connections it makes and receives.
I've been unable to find any useful documentation as any search including 
rsyslog and tls is just flooding with articles on how to configure rsyslog to 
make/accept TLS connections.

The only log I have been able to produce is if rsyslog is unable to connect to 
a remote syslog server in order to forward a message, but I also need logs on 
successful connections, and on connections made to the rsyslog server.

Any points/direction is appreciated. If rsyslog is unable to produce this type 
of logs is there anything I can do system-level to monitor these connections 
and log them?

Thank you in advance,

Chris