Rsyslog TLS Configuration

You can securely send your logs to Loggly using TLS encryption. This guide shows you how to set it up for rsyslog and is tested on Ubuntu 12.04. For distributions based on Red Hat, please use rpm or yum in place of apt-get. Please see here for information on Rsyslog manual configuration.

Rsyslog TLS Configuration Setup

  1. Install rsyslog-gnutls package

    Determine the version of rsyslog you are using:

    rsyslogd -v

    Install rsyslog-gnutls package if you have rsyslog version 7.x or lower.

    sudo apt-get install rsyslog-gnutls
    

  2. Install the necessary security certificates

    Create a ca.d directory if one does not exist and download the necessary certificates:

    mkdir -pv /etc/rsyslog.d/keys/ca.d
    cd /etc/rsyslog.d/keys/ca.d/
    curl -O https://logdog.loggly.com/media/logs-01.loggly.com_sha12.crt
    

  3. Update Configuration file

    Open the configuration file (22-loggly.conf) and replace its contents with the configuration given below for your rsyslog version.

    vim /etc/rsyslog.d/22-loggly.conf
    

    If you are using version 6.x or lower, paste in this configuration:

    ##########################################################
    ### RsyslogTemplate for Loggly ###
    ##########################################################
    
    $template LogglyFormat,"<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"RsyslogTLS\"] %msg%\n"
    
    # Setup disk assisted queues
    $WorkDirectory /var/spool/rsyslog # where to place spool files
    $ActionQueueFileName fwdRule1     # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
    $ActionQueueType LinkedList       # run asynchronously
    $ActionResumeRetryCount -1        # infinite retries if host is down
    
    #RsyslogGnuTLS
    $DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt
    $ActionSendStreamDriver gtls
    $ActionSendStreamDriverMode 1
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer *.loggly.com
    *.* @@logs-01.loggly.com:6514;LogglyFormat
    
    #################END CONFIG FILE#########################
    

    If you are using version 7.x or higher, paste in this configuration:

    # Setup disk assisted queues
    $WorkDirectory /var/spool/rsyslog # where to place spool files
    $ActionQueueFileName fwdRule1     # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
    $ActionQueueType LinkedList       # run asynchronously
    $ActionResumeRetryCount -1        # infinite retries if host is down
    
    #RsyslogGnuTLS
    $DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt
    
    template(name="LogglyFormat" type="string"
    string="<%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [TOKEN@41058 tag=\"RsyslogTLS\"] %msg%\n"
    )
    
    # Send messages to Loggly over TCP using the template.
    action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="6514" template="LogglyFormat" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.loggly.com")
    

    Replace:

    Open your /etc/rsyslog.conf and set $MaxMessageSize to:

    $MaxMessageSize 64k

    If $MaxMessageSize is not present, add it to your configuration. For this to take effect, add it at the top of the configuration file.

  4. Restart Rsyslog

    Restart rsyslog so the changes take effect.

    sudo service rsyslog restart
    

  5. Verify Events

    Search Loggly for events with the tag RsyslogTLS over the past hour. It may take a few minutes to index the events. If it doesn't work, see the troubleshooting section below.

    tag:RsyslogTLS
    


Advanced Rsyslog TLS Configuration Options

Troubleshooting Your Rsyslog TLS Configuration

  • If wget isn't available or isn't working, try curl instead: curl -O https://logdog.loggly.com/media/loggly.com.crt
  • Wait a few minutes in case indexing needs to catch up
  • Make sure you restarted rsyslog
  • Syslog over TLS uses port 6514, so check that you’ve updated your rsyslog configuration
  • Make sure port 6514 outbound is open on your firewall and network settings
  • Verify your operating system has support for TLS 1.1 or 1.2. Older OSes like CentOS 5 do not have support, but CentOS 6 and higher do.
  • If you get an error saying “rsyslogd:not permitted to talk to peer, certificate invalid: signer not found”, make sure you concatenated the Loggly certificate
  • Troubleshooting Rsyslog if the files are being written but not being sent to Loggly
  • Search or post your own Rsyslog TLS questions in the community forum.
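The settings in the configuration step above are what decide whether logs actually leave the host encrypted and to an authenticated peer: a StreamDriverMode of 0 sends plaintext, an AuthMode of anon skips certificate validation, and a missing permitted peer or CA file leaves the connection unauthenticated. Several of the troubleshooting bullets (port 6514, the CA certificate) come down to the same handful of lines. The script below is an added example, not part of the Loggly guide, that audits a 22-loggly.conf for those settings in both the legacy $Action... and the RainerScript action(...) forms. The two sample configs and the placeholder CA file it writes are constructed here so it runs offline; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Loggly guide): audit a rsyslog forwarding
# config for the settings that decide whether logs really leave the host
# encrypted and to an authenticated peer. Understands both the legacy
# "$Action..." directives and the RainerScript action(...) form.

# Value of a legacy "$Directive value" line; the last occurrence wins.
legacy_value() {  # $1 = config file, $2 = directive name without the "$"
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]\{1,\}\([^#[:space:]]\{1,\}\).*/\1/p" "$1" | tail -n 1
}

# Value of an action(...) parameter written as Name="value".
action_value() {  # $1 = config file, $2 = parameter name
    grep -o "$2=\"[^\"]*\"" "$1" | tail -n 1 | sed 's/^[^=]*="//; s/"$//'
}

# Legacy directive first, then the equivalent action() parameter.
setting() {  # $1 = config file, $2 = legacy directive, $3 = action parameter
    v=$(legacy_value "$1" "$2")
    [ -n "$v" ] || v=$(action_value "$1" "$3")
    printf '%s\n' "$v"
}

# Destination port: "@@host:port" in legacy syntax, port="..." in action().
dest_port() {  # $1 = config file
    p=$(grep -o '@@[^;[:space:]]*' "$1" | tail -n 1 | sed 's/.*://')
    [ -n "$p" ] || p=$(action_value "$1" port)
    printf '%s\n' "$p"
}

# Print OK/FAIL for one check; $1 = description, remaining args go to test(1).
check() {
    desc=$1; shift
    if test "$@"; then
        echo "OK:   $desc"
    else
        echo "FAIL: $desc"; fails=$((fails + 1))
    fi
}

# Returns 0 only when every TLS-relevant setting is as the guide requires.
audit_loggly_tls() {  # $1 = config file
    f=$1; fails=0
    drv=$(setting "$f" ActionSendStreamDriver StreamDriver)
    mode=$(setting "$f" ActionSendStreamDriverMode StreamDriverMode)
    auth=$(setting "$f" ActionSendStreamDriverAuthMode StreamDriverAuthMode)
    peer=$(setting "$f" ActionSendStreamDriverPermittedPeer StreamDriverPermittedPeers)
    ca=$(legacy_value "$f" DefaultNetstreamDriverCAFile)
    port=$(dest_port "$f")
    check "stream driver is gtls (got '$drv')" "$drv" = gtls
    check "driver mode 1 = TLS; mode 0 sends plaintext (got '$mode')" "$mode" = 1
    check "auth mode x509/name; anon skips certificate validation (got '$auth')" "$auth" = x509/name
    check "permitted peer name is pinned (got '$peer')" -n "$peer"
    check "CA file is configured and readable (got '$ca')" -r "$ca"
    check "destination port is 6514, the syslog-over-TLS port (got '$port')" "$port" = 6514
    [ "$fails" -eq 0 ]
}

# Constructed sample configs (placeholders, not real Loggly files) so the
# audit can be exercised offline.
write_samples() {  # $1 = directory to write into
    mkdir -p "$1/ca.d"
    : > "$1/ca.d/placeholder-ca.crt"   # stands in for the downloaded Loggly CA cert
    # Weak: plaintext mode, anonymous peer, plain syslog port, no peer pinning.
    cat > "$1/weak.conf" <<EOF
\$DefaultNetstreamDriverCAFile $1/ca.d/placeholder-ca.crt
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 0
\$ActionSendStreamDriverAuthMode anon
*.* @@logs-01.loggly.com:514;LogglyFormat
EOF
    # Good: the RainerScript form from the guide, CA path pointed at the placeholder.
    cat > "$1/good.conf" <<EOF
\$DefaultNetstreamDriverCAFile $1/ca.d/placeholder-ca.crt
action(type="omfwd" protocol="tcp" target="logs-01.loggly.com" port="6514"
       template="LogglyFormat" StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="*.loggly.com")
EOF
}

# Demo on the constructed samples; point audit_loggly_tls at
# /etc/rsyslog.d/22-loggly.conf to audit a live host.
d=$(mktemp -d)
write_samples "$d"
echo "== weak.conf"; audit_loggly_tls "$d/weak.conf" || echo "weak.conf would not protect the logs"
echo "== good.conf"; audit_loggly_tls "$d/good.conf" && echo "good.conf matches the guide"
rm -rf "$d"
```

The audit only reads the file, so it is safe to run on a live host before restarting rsyslog. It does not prove the handshake itself works; for that, after the firewall and TLS-version bullets above, `openssl s_client -connect logs-01.loggly.com:6514 -CAfile /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt` should end with "Verify return code: 0 (ok)", and anything else points at the same CA-file problem the "signer not found" bullet describes.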