This article describes how to manually configure rsyslog to send events to Devo using an encrypted and authenticated channel. This is the recommended procedure when you want to forward events over the internet, directly to the Devo Cloud.

Install rsyslog-gnutls

In order to use SSL/TLS with rsyslog, you need to install the rsyslog-gnutls package.

If you are running Ubuntu 8.2 stable or later, you can skip this step because you will already have this package. Run rsyslogd -version to check what version of Ubuntu you are running.

In DEB environments:	In RPM environments:
apt-get install rsyslog-gnutls	yum install rsyslog-gnutls

Download and save the certificates

Go to Administration → Relays → X.509 Certificates in the Devo web application. Download the Certificate, Private key, and Chain CA. Save them all to /etc/rsyslog.d/.

Restrict the access permissions to these files to the syslog user:

cd /etc/rsyslog.d/; chmod 640 ca.crt user.crt user.key; chown :syslog ca.crt user.crt user.key

-rw-r----- 1 root syslog 2090 Oct 24 13:02 ca.crt
-rw-r----- 1 root syslog 1529 Oct 24 13:18 user.crt
-rw-r----- 1 root syslog 1675 Oct 24 13:18 user.key

Create the 49-devo.conf file

Edit the 49-devo.conf file in your /etc/rsyslog.d/ and add the following lines immediately before the final destination rule in the file.

# Enable rsyslog SSL/TLS mode
$DefaultNetstreamDriver gtls                                  # Use gtls netstream driver
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt           # Devo CA
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt       # User public key
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key        # User private key
$ActionSendStreamDriverMode 1                                 # Require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer xx.elb.relay.logtrust.net     # Devo Cloud (replace xx with eu, us, or es)

Be sure you customize the following parameter values correctly:

Parameter	Value
`$DefaultNetstreamDriverCAFile`	This is the Chain CA file you downloaded from the Devo web application.
`$DefaultNetstreamDriverCertFile`	This is the Certificate file you downloaded from the Devo web application.
`$DefaultNetstreamDriverKeyFile`	This is the Private key file you downloaded from the Devo web application.
$`ActionSendStreamDriverPermittedPeer`	This is the host address for the Devo Cloud for the region you are using. It should be one of: us.elb.relay.logtrust.net eu.elb.relay.logtrust.net es.elb.relay.logtrust.net

Close the file, then restart rsyslog.
```
/etc/init.d/rsyslog restart
```
With the configuration activated, rsyslog should begin to forward events to your Devo Cloud.

Test the connection

You can make sure that the events are being forwarded to the Relay by using the logger command to write test messages to the system log.

logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"
logger "Hello from machine01"

In the Devo web application, go to Data Search. Open the box.unix data table to confirm that these logger events were forwarded and received correctly.

File examples

Here are a couple of sample NN-devo.conf files to illustrate the sending of different log files.

System logs

The following configuration file is set to forward all internal system logs over a secure channel to the Devo Cloud.

/etc/rsyslog.d/49-logtrust.conf

$template boxunix,"<%PRI%>%timegenerated% %HOSTNAME% box.unix.%syslogtag%%msg%"

#ActionQueue section
$ActionQueueType                LinkedList
$ActionQueueFileName            ltboxq1
$ActionResumeRetryCount         -1
$ActionQueueSaveOnShutdown      on

# Enable rsyslog SSL/TLS mode
$DefaultNetstreamDriver gtls                            # use gtls netstream driver
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt     # Devo CA
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key  # User private key
$ActionSendStreamDriverMode 1                           # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer xx.elb.relay.logtrust.net  # Devo cloud

*.*    @@xx.elb.relay.logtrust.net:443;boxunix

Apache web server logs

This is a configuration file set up to forward events from four Apache logs to the Devo Cloud.

/etc/rsyslog.d/45-apache.conf file monitoring example

$template apache,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"

# File1 access
$InputFileName /var/log/apache2/access.log
$InputFileTag web.apache.access-combined.pro.webFoobar.www1:
$InputFileStateFile stat-file1-ApacheAccess
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# File2 access
$InputFileName /var/log/apache2/ssl_access.log
$InputFileTag web.apache.access-combined.pro.webFoobar-ssl.www1:
$InputFileStateFile stat-file2-ApacheAccess
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# File1 Error
$InputFileName /var/log/apache2/error.log
$InputFileTag web.apache.error.pro.webFoobar.www1:  
$InputFileStateFile stat-file1-ApacheError
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# File2 Error
$InputFileName /var/log/apache2/ssl_error.log
$InputFileTag web.apache.error.pro.webFoobar-ssl.www1:  
$InputFileStateFile stat-file2-ApacheError
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# Enable rsyslog SSL/TLS mode
$DefaultNetstreamDriver gtls                                 # use gtls netstream driver
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt          # Devo CA
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt      # User public key
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key       # User private key
$ActionSendStreamDriverMode 1                                # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer xx.elb.relay.logtrust.net    # Devo cloud

if $syslogtag contains 'web.apache.' and $syslogfacility-text == 'local7' then @@xx.elb.relay.logtrust.net:443;apache
:syslogtag, contains, "web.apache." ~

Related articles

Browser not supported