omrelp

TLS secured syslog via RELP

This article shows how to use simple TLS encryption with the RELP protocol for sending and receiving syslog messages.

We basically need two machines, both running at least rsyslog 7.3.16. In addition to rsyslog, we also need the most current version of librelp.

General information

When installing rsyslog, make sure to enable the RELP functionality by passing the correct options to configure. The configure command should look like this:

./configure --prefix=/usr --enable-relp

This is the most basic command for our example. Please note that you might need to enable other modules as well if you plan to use them.

Before you start to configure rsyslog on either machine, make sure you have librelp already installed. You might need to additionally install the gnutls package.

Client Config

The configuration for the client is relatively simple. Basically, we can use as inputs whatever we like and simply use RELP with TLS encryption for forwarding the messages. The configuration could look like this:

module(load="imuxsock")
module(load="imudp")
module(load="omrelp")

input(type="imudp" port="514")

action(type="omrelp" target="192.168.233.144" port="2514" tls="on")

As you can see, we first load our modules. That is a generic step. We also load the output module “omrelp” which enables us later to forward messages via RELP.

In the second stage we configure our input. This example has the ability to receive syslog via imudp on port 514.

And the final step is our action. We use omrelp to forward all log messages to our central server via port 2514. Please note the option tls="on", which directs the module to encrypt all messages via TLS.

Server Config

The server configuration looks a bit different and is one step more complicated.

module(load="imuxsock")
module(load="imrelp" ruleset="relp")

input(type="imrelp" port="2514" tls="on")

ruleset(name="relp") {
action(type="omfile" file="/var/log/relptls")
}

Again, we first configure the modules. Contrary to the Client configuration, we load “imrelp” and create the input with it in the second step.

The input with imrelp must listen on the same port that the client sends its messages to. We must also enable the TLS option here. The reason might seem obvious: without the option enabled, imrelp will push only garbage messages into the processing system. So we need TLS enabled to decrypt the messages. Please note that I also bound the input to a ruleset.

The ruleset and action are again very basic. The ruleset (which is bound to the input) ensures that only the messages that are received via RELP are processed by the enclosed actions. This is much easier than creating filters to determine the source of the message (not only from a setup point of view, but also with regard to processing speed). The action in the ruleset will then write all messages that run into the ruleset into a single file. Please note: for imrelp, you can only bind the module to a ruleset. In consequence, all created listeners of this type are bound to this single ruleset.
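The two rules stated above (the imrelp listener must use the port the client sends to, and TLS must be enabled on both sides) can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original article or of rsyslog: the function names are hypothetical, the parser only handles single-line statements like the ones shown here, and the final check assumes that a RELP endpoint without the `tls.authmode` parameter (not covered by this article) encrypts without authenticating its peer.

```python
import re

# Constructed sample input: the client and server configurations shown above.
CLIENT_CONF = '''
module(load="imuxsock")
module(load="imudp")
module(load="omrelp")
input(type="imudp" port="514")
action(type="omrelp" target="192.168.233.144" port="2514" tls="on")
'''
SERVER_CONF = '''
module(load="imuxsock")
module(load="imrelp" ruleset="relp")
input(type="imrelp" port="2514" tls="on")
ruleset(name="relp") {
action(type="omfile" file="/var/log/relptls")
}
'''

STMT = re.compile(r'\b(action|input)\s*\(([^)]*)\)', re.I)
PARAM = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')

def relp_objects(conf, kind, module):
    """Return the parameter dicts of every kind(type="module" ...) statement."""
    found = []
    for m in STMT.finditer(conf):
        params = {k.lower(): v for k, v in PARAM.findall(m.group(2))}
        if m.group(1).lower() == kind and params.get("type") == module:
            found.append(params)
    return found

def check_relp_pair(client_conf, server_conf):
    """Compare each omrelp action with the imrelp listeners; return findings."""
    # Assumption: a missing tls.authmode means TLS without peer authentication.
    findings = []
    listeners = {p.get("port"): p for p in relp_objects(server_conf, "input", "imrelp")}
    for act in relp_objects(client_conf, "action", "omrelp"):
        port, tls = act.get("port"), act.get("tls", "off").lower()
        srv = listeners.get(port)
        if srv is None:
            findings.append(f"port {port}: no imrelp listener on the server")
        elif srv.get("tls", "off").lower() != tls:
            findings.append(f"port {port}: tls differs between client and server")
        elif tls != "on":
            findings.append(f"port {port}: messages are sent unencrypted")
        elif "tls.authmode" not in act or "tls.authmode" not in srv:
            findings.append(f"port {port}: TLS on, but no peer authentication")
    return findings
```

Run against the article's own pair, `check_relp_pair(CLIENT_CONF, SERVER_CONF)` reports only the missing peer authentication; a port or `tls` mismatch is reported instead when the two files disagree.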

 

Changelog for 7.3.10 (v7-devel)

Version 7.3.10 [devel] 2013-04-10

  • added RainerScript re_extract() function
  • omrelp: added support for RainerScript-based configuration
  • omrelp: added ability to specify session timeout
  • templates now permit substring extraction relative to end-of-string
  • bugfix: failover/action suspend did not work correctly
    This was experienced if the retry action took more than one second
    to complete. For suspending, a cached timestamp was used, and if the
    retry took longer, that timestamp was already in the past. As a
    result, the action never was kept in suspended state, and as such
    no failover happened. The suspend functionality no longer uses
    the cached timestamp (should not have any performance implication, as
    action suspend occurs very infrequently).
  • bugfix: gnutls RFC5425 driver had some undersized buffers
    Thanks to Tomas Heinrich for the patch.
  • bugfix: nested if/prifilt conditions did not work properly
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=415
  • bugfix: imuxsock aborted under some conditions
    regression from ratelimiting enhancements
  • bugfix: build problems on Solaris
    Thanks to Martin Carpenter for the patches.

rsyslog 7.3.10 (v7-devel) released

We have just released v 7.3.10 of the rsyslog development branch. This is primarily a bug-fixing release, but also provides some new features, most importantly the re_extract() function to extract substrings via regexes inside a script. Also, omrelp has been enhanced and moved to the new action syntax.

ChangeLog:

http://www.rsyslog.com/changelog-for-7-3-10-v7-devel/

Download:

http://www.rsyslog.com/rsyslog-7-3-10-v7-devel/

As always, feedback is appreciated.

Best regards,
Tim Eifler
