Hi Rsysloggers!

I have an Rsyslog server to which I am forwarding logs from several machines, 
currently using UDP via omfwd. The problem with this is that it's insecure and 
I'm falling victim to spam messages being sent to my Rsyslog server.

To combat this, I'd like to restrict log forwarding via imdtls and omdtls using 
client certificate authentication but am not having any luck setting it up. 
Since the Ubuntu 24.04 Rsyslog package is too old to include DTLS I rolled my 
own .deb package from the nightly Git sources back in February.

Below is what I've done so far & the issues I'm seeing. I'd appreciate any help 
people on this list can provide. TIA🙂


  1. Created a CA PK & cert using the instructions from
     https://www.rsyslog.com/doc/tutorials/tls_cert_ca.html

  2. Created server key & cert:

     # Server private key and certificate signing request
     # (-days is ignored by "req" unless -x509 is also given)
     openssl req -newkey rsa:2048 -nodes -days 365000 \
        -keyout server-key.pem \
        -out server-req.pem
     # Sign the request with the CA; serial 01
     openssl x509 -req -days 365000 -set_serial 01 \
        -in server-req.pem \
        -out server-cert.pem \
        -CA ca-cert.pem \
        -CAkey ca-key.pem

  3. Created client key & cert:

     # Client private key and certificate signing request
     openssl req -newkey rsa:2048 -nodes -days 365000 \
        -keyout client-key.pem \
        -out client-req.pem
     # Sign with the same CA; every certificate issued by one CA must carry a
     # distinct serial, so the client gets 02 rather than reusing 01
     openssl x509 -req -days 365000 -set_serial 02 \
        -in client-req.pem \
        -out client-cert.pem \
        -CA ca-cert.pem \
        -CAkey ca-key.pem

  4. Copied certs to client & server machines.

  5. Configured server:

     module(load="imdtls")
     input(type="imdtls"
           port="4433"
           tls.cacert="/usr/local/share/ca-certificates/rsyslog/ca-cert.pem"
           tls.mycert="/usr/local/share/ca-certificates/rsyslog/server-cert.pem"
           tls.myprivkey="/usr/local/share/ca-certificates/rsyslog/server-key.pem"
           tls.authmode="certvalid"
           ruleset="writeRemoteData")

  6. Configured client:

     module(load="omdtls")
     action(type="omdtls" target="my-server-address.domain" port="4433"
            tls.cacert="/usr/local/share/ca-certificates/rsyslog/ca-cert.pem"
            tls.mycert="/usr/local/share/ca-certificates/rsyslog/client-cert.pem"
            tls.myprivkey="/usr/local/share/ca-certificates/rsyslog/client-key.pem"
            tls.authmode="certvalid")


When I start the server (the one running imdtls) I see the following errors 
logged:

Apr 07 01:41:30 influxdb-do-monitoring-test rsyslogd[10526]: [origin software="rsyslogd" swVersion="8.2504.0.master" x-pid="10526" x-info="https://www.rsyslog.com"] start
Apr 07 01:41:30 influxdb-do-monitoring-test systemd[1]: Started rsyslog.service - System Logging Service.
Apr 07 01:41:38 influxdb-do-monitoring-test rsyslogd[10526]: rsyslogd: SSL_ERROR_UNKNOWN Error in 'DTLSHandleSessions': 'error:00000000:lib(0)::reason(0)(0)' with ret=1, errno=0(Success), sslapi='SSL_accept'  [v8.2504.0.master]
Apr 07 01:41:38 influxdb-do-monitoring-test rsyslogd[10526]: rsyslogd: net_ossl:remote '(null)' OpenSSL Error Stack: error:0A000418:SSL routines::tlsv1 alert unknown ca [v8.2504.0.master]

Regards,
Ralph
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
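The "tlsv1 alert unknown ca" entry above is the alert a peer sends when the certificate it received does not chain to any CA it trusts. The script below is an added example, not part of the post and not rsyslog's own code: it rebuilds the poster's CA/server/client certificate steps in a temporary directory (distinct serials for the two leaves) and runs the same chain check with openssl verify, once against the issuing CA and once against an unrelated CA to show the failing case. The CA names, the example.test subjects, the serials and the file names are all constructed for this demo; it prints "skipped" if openssl is not installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): reproduce the certificate
# steps in a scratch directory and run the chain check a DTLS peer performs
# before it would raise an "unknown ca" alert. All names are constructed.

# verify_leaf CA_FILE CERT_FILE -> prints "ok" if CERT chains to CA, else "unknown-ca"
verify_leaf() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown-ca
    fi
}

# make_ca NAME -> self-signed NAME-key.pem / NAME-cert.pem in the current directory
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1-key.pem" -out "$1-cert.pem" >/dev/null 2>&1
}

# issue_leaf NAME SERIAL CA_CERT CA_KEY -> NAME-key.pem / NAME-cert.pem signed by the CA.
# Each certificate issued by one CA must carry a distinct serial number.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
        -keyout "$1-key.pem" -out "$1-req.pem" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -set_serial "$2" -in "$1-req.pem" \
        -out "$1-cert.pem" -CA "$3" -CAkey "$4" >/dev/null 2>&1
}

# run_chain_check -> one result line, or "skipped" when openssl is unavailable
run_chain_check() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d) || return 1
    old=$(pwd)
    cd "$work" || return 1
    result=error
    if make_ca ca && make_ca other-ca &&
       issue_leaf server 01 ca-cert.pem ca-key.pem &&
       issue_leaf client 02 ca-cert.pem ca-key.pem; then
        s=$(verify_leaf ca-cert.pem server-cert.pem)
        c=$(verify_leaf ca-cert.pem client-cert.pem)
        # A peer that trusts a different CA file is exactly the "unknown ca" case
        w=$(verify_leaf other-ca-cert.pem server-cert.pem)
        result="server:$s client:$c wrong-ca:$w"
    fi
    cd "$old" || return 1
    rm -rf "$work"
    echo "$result"
}

run_chain_check
```

Run the same verify_leaf check on each machine with the exact files named in tls.cacert and tls.mycert: the server's cert must verify against the CA file the client is configured with, and the client's cert against the CA file the server is configured with. Whichever side reports "unknown-ca" is the side whose trust store does not contain the issuing CA.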