Support Logging setup Rsyslog configuration (TLS)

Rsyslog TLS Configuration

You can securely send your logs to Loggly using TLS encryption. This guide shows you how to set it up for rsyslog and is tested on Ubuntu 12.04. For distributions based on Red Hat, please use rpm or yum in place of apt-get. Please see here for information on Rsyslog manual configuration.

Rsyslog TLS Configuration Setup

1. Install rsyslog-gnutls package

Install rsyslog-gnutls package.

sudo apt-get install rsyslog-gnutls

2. Install the necessary security certificates

Create a ca.d directory if one does not exist and download the necessary certificates

mkdir -pv /etc/rsyslog.d/keys/ca.d
cd /etc/rsyslog.d/keys/ca.d/
curl -O https://logdog.loggly.com/media/logs-01.loggly.com_sha12.crt

3. Update Configuration file

Open up the configuration file (22-loggly.conf) and update the content by replacing the configuration given below.

vim /etc/rsyslog.d/22-loggly.conf

If you are using version 7.x or lower, paste in this configuration:

##########################################################
### RsyslogTemplate for Loggly ###
##########################################################

$template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"RsyslogTLS\"] %msg%\n"

# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1     # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
$ActionQueueType LinkedList       # run asynchronously
$ActionResumeRetryCount -1        # infinite retries if host is down

#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.loggly.com
*.* @@logs-01.loggly.com:6514;LogglyFormat

#################END CONFIG FILE#########################

If you are using version 8.x, paste in this configuration:

# Setup disk assisted queues
$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1     # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
$ActionQueueType LinkedList       # run asynchronously
$ActionResumeRetryCount -1        # infinite retries if host is down

#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt

template(name="LogglyFormat" type="string"
string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"RsyslogTLS\"] %msg%\n"
)

# Send messages to Loggly over TCP using the template.
action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="6514" template="LogglyFormat" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.loggly.com")

Replace:

• TOKEN: your customer token from the source setup page

Open your /etc/rsyslog.conf and modify the $MaxMessageSize with

$MaxMessageSize 64k

If $MaxMessageSize is not present then add it in your configuration. For this to work perfectly, add it in the top of the configuration file.

4. Restart Rsyslog

Restart Rsyslog so the changes take effect.

sudo service rsyslog restart

5. Verify Events

Search Loggly for events with the tag as RsyslogTLS over the past hour. It may take few minutes to index the event. If if doesn’t work, see the troubleshooting section below.

tag:RsyslogTLS

 

Advanced Rsyslog TLS Configuration Options

• Rsyslog Automatic Logging Setup – configuring rsyslog by using a script.
• Rsyslog Manual Configuration – if automatic doesn’t work.
• Syslog-ng TLS Configuration – sending syslog-ng logs using TLS Encryption.
• NXLog TLS Configuration – – sending logs using TLS Encryption.
• Scrub Sensitive Data – scrub private or secure data before it leaves your network
• The default maximum supported message size is 2KB. Use $MaxMessageSize parameter in /etc/rsyslog.conf file to handle more than 2KB message size.
• Search or post your own rsyslog TLS configuration questions in the community forum.

Troubleshooting Your Rsyslog TLS Configuration

• If wget isn’t available or isn’t working try using curl -O https://logdog.loggly.com/media/loggly.com.crt
• Wait a few minutes in case indexing needs to catch up
• Make sure you restarted rsyslog
• Syslog over TLS uses port 6514, so check that you’ve updated your rsyslog configuration
• Make sure port 6514 outbound is open on your firewall and network settings
• Verify your operating system has support for TLS 1.1 or 1.2. Older OSes like CentOS 5 do not have support, but CentOS 6 and higher do.
• If you get an error saying “rsyslogd:not permitted to talk to peer, certificate invalid: signer not found” then make sure you concatenated the loggly certificate
• Troubleshooting Rsyslog if the files are being written but not being sent to Loggly
• Search or post your own Rsyslog TLS questions in the community forum.