Securing your SysLog Server with TLS (SSL) in CentOS 6 / RHEL 6

As a follow up to our syslog sever documentation, we wanted to also document how to enable encryption on the syslog stream since private information, including credentials, could be getting passed from client to server in the logs. In this document, we will be using self-signed certificates, including a self-generated CA certificate.

Configure the Server

1) We will begin by creating a new self-signed CA certificate. As of this post, the requirement for new SSL is 2048bit. Anything 1024bit or less is considered to be obsolete. Once you run the second command, you will be prompted for some basic information about your company.

openssl genrsa 2048 > ca-key.pem
openssl req -new -x509 -nodes -days 3600 -key ca-key.pem -out ca-cert.pem

2) Next, we will create a sets of keys. This is done in three steps. First we create the request, remove the password, then sign it with our CA certificate from step 1.

openssl req -newkey rsa:2048 -days 3600 -nodes -keyout server-key.pem -out server-req.pem
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

3) Copy all pem files to /etc/ssl/certs

4) Open the rsyslog configuration and add in the lines below. Order is important.

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-cert.pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certs/server-key.pem

$ModLoad imtcp

$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerRun 5822

5) Save and restart rsyslog

service rsyslog restart

Configure the Client

1) Upload the ca-cert.pem file only to the /etc/ssl/certs directory on each client.

2) You will need to make sure the rsyslog-gnutls package is installed in order to use TLS

yum install rsyslog-gnutls

3) Edit the /etc/rsyslog.conf configuration file and add the following lines

$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-cert.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon

4) Save and restart rsyslog. Your connection between client and syslog server is now secured!

service rsyslog restart


Leave a Reply