Secure sending using rsyslog (Obsolete legacy format)
- Juan Tomás Alonso Nieto (Deactivated)
Analytics
This article describes how to manually configure rsyslog to send events to Devo using an encrypted and authenticated channel. This is the recommended procedure when you want to forward events over the internet, directly to the Devo Cloud.
Install rsyslog-gnutls
In order to use SSL/TLS with rsyslog, you need to install the rsyslog-gnutls package.
If you are running Ubuntu 8.2 stable or later, you can skip this step because you will already have this package. Run rsyslogd -version to check what version of Ubuntu you are running.
| In DEB environments: | In RPM environments: |
apt-get install rsyslog-gnutls | yum install rsyslog-gnutls |
Download and save the certificates
- Go to Administration → Relays → X.509 Certificates in the Devo web application. Download the Certificate, Private key, and Chain CA. Save them all to /etc/rsyslog.d/.
Restrict the access permissions to these files to the syslog user:
cd /etc/rsyslog.d/; chmod 640 ca.crt user.crt user.key; chown :syslog ca.crt user.crt user.key -rw-r----- 1 root syslog 2090 Oct 24 13:02 ca.crt -rw-r----- 1 root syslog 1529 Oct 24 13:18 user.crt -rw-r----- 1 root syslog 1675 Oct 24 13:18 user.key
Create the 49-devo.conf file
Edit the 49-devo.conf file in your /etc/rsyslog.d/ and add the following lines immediately before the final destination rule in the file.
# Enable rsyslog SSL/TLS mode $DefaultNetstreamDriver gtls # Use gtls netstream driver $DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA $DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key # User private key $ActionSendStreamDriverMode 1 # Require TLS for the connection $ActionSendStreamDriverAuthMode x509/name $ActionSendStreamDriverPermittedPeer xx.elb.relay.logtrust.net # Devo Cloud (replace xx with eu, us, or es)
Be sure you customize the following parameter values correctly:
Parameter Value $DefaultNetstreamDriverCAFileThis is the Chain CA file you downloaded from the Devo web application. $DefaultNetstreamDriverCertFileThis is the Certificate file you downloaded from the Devo web application. $DefaultNetstreamDriverKeyFileThis is the Private key file you downloaded from the Devo web application. $ ActionSendStreamDriverPermittedPeerThis is the host address for the Devo Cloud for the region you are using. It should be one of:
- us.elb.relay.logtrust.net
- eu.elb.relay.logtrust.net
- es.elb.relay.logtrust.net
Close the file, then restart rsyslog.
/etc/init.d/rsyslog restart
With the configuration activated, rsyslog should begin to forward events to your Devo Cloud.
Test the connection
You can make sure that the events are being forwarded to the Relay by using the logger command to write test messages to the system log.
logger "Hello from machine01" logger "Hello from machine01" logger "Hello from machine01" logger "Hello from machine01" logger "Hello from machine01"
In the Devo web application, go to Data Search. Open the box.unix data table to confirm that these logger events were forwarded and received correctly.
File examples
Here are a couple of sample NN-devo.conf files to illustrate the sending of different log files.
System logs
The following configuration file is set to forward all internal system logs over a secure channel to the Devo Cloud.
$template boxunix,"<%PRI%>%timegenerated% %HOSTNAME% box.unix.%syslogtag%%msg%" #ActionQueue section $ActionQueueType LinkedList $ActionQueueFileName ltboxq1 $ActionResumeRetryCount -1 $ActionQueueSaveOnShutdown on # Enable rsyslog SSL/TLS mode $DefaultNetstreamDriver gtls # use gtls netstream driver $DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA $DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key # User private key $ActionSendStreamDriverMode 1 # require TLS for the connection $ActionSendStreamDriverAuthMode x509/name $ActionSendStreamDriverPermittedPeer xx.elb.relay.logtrust.net # Devo cloud *.* @@xx.elb.relay.logtrust.net:443;boxunix
Apache web server logs
This is a configuration file set up to forward events from four Apache logs to the Devo Cloud.
$template apache,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%" # File1 access $InputFileName /var/log/apache2/access.log $InputFileTag web.apache.access-combined.pro.webFoobar.www1: $InputFileStateFile stat-file1-ApacheAccess $InputFileSeverity info $InputFileFacility local7 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # File2 access $InputFileName /var/log/apache2/ssl_access.log $InputFileTag web.apache.access-combined.pro.webFoobar-ssl.www1: $InputFileStateFile stat-file2-ApacheAccess $InputFileSeverity info $InputFileFacility local7 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # File1 Error $InputFileName /var/log/apache2/error.log $InputFileTag web.apache.error.pro.webFoobar.www1: $InputFileStateFile stat-file1-ApacheError $InputFileSeverity info $InputFileFacility local7 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # File2 Error $InputFileName /var/log/apache2/ssl_error.log $InputFileTag web.apache.error.pro.webFoobar-ssl.www1: $InputFileStateFile stat-file2-ApacheError $InputFileSeverity info $InputFileFacility local7 $InputFilePollInterval 1 $InputFilePersistStateInterval 1 $InputRunFileMonitor # Enable rsyslog SSL/TLS mode $DefaultNetstreamDriver gtls # use gtls netstream driver $DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt # Devo CA $DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt # User public key $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key # User private key $ActionSendStreamDriverMode 1 # require TLS for the connection $ActionSendStreamDriverAuthMode x509/name $ActionSendStreamDriverPermittedPeer xx.elb.relay.logtrust.net # Devo cloud if $syslogtag contains 'web.apache.' and $syslogfacility-text == 'local7' then @@xx.elb.relay.logtrust.net:443;apache :syslogtag, contains, "web.apache." ~