点击上方"walkingcloud"关注,并选择"星标"公众号
CentOS7下使用TCP over TLS方式安全传输远程主机系统日志
192.168.198.130 作为Rsyslog Client 192.168.198.131 作为Rsyslog ServerClient端通过rsyslog TCP over TLS(SSL)方式向Server端发送系统日志
1、Client端与Server端均需要安装rsyslog-gnutls
CentOS7.6默认的rsyslog版本为
rsyslog-8.24.0-34.el7.x86_64 可以通过如下方式安装rsyslog-gnutls组件包cd /etc/yum.repos.d/
wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
yum install rsyslog-gnutls
由于rsyslog的yum仓库在国外,建议yum keepcache,将缓存下来的rpm打包上传到其它机器上rpm方式安装rsyslog-gnutlsrpm -Uvh libestr-0.1.11-1.el7.x86_64.rpm
rpm -Uvh libfastjson4-0.99.8-1.el7.centos.x86_64.rpm
rpm -Uvh rsyslog-8.2012.0-1.el7.x86_64.rpm
rpm -Uvh rsyslog-gnutls-8.2012.0-1.el7.x86_64.rpm
2、证书制作
1)、CA签证
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
Tips
若没有certtool命令,需要安装gnutls-utils
2)、客户端签证
certtool --generate-privkey --outfile key.pem
certtool --generate-request --load-privkey key.pem --outfile request.pem
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
3)、证书信息校验
certtool --certificate-info --infile cert.pem
3、证书文件拷贝到服务端及客户端
cp ca.pem cert.pem key.pem /etc/rsyslog.d/
scp ca.pem root@192.168.198.130:/etc/rsyslog.d/
3、Rsyslog Server端修改配置文件
1)#$InputTCPServerRun 514这一行后面加入如下行
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/key.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerRun 10514 # start up listener at port 10514
2)$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat这一行后面加入如下行
# This one is the template to generate the log filename dynamically, depending on the client's IP address.
# 根据客户端的IP单独存放主机日志在不同目录,设置远程日志存放路径及文件名格式
$template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Log all messages to the dynamically formed file.
# 排除本地主机IP日志记录,只记录远程主机日志
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
# 注意此规则需要在其它规则之前,否则配置没有意义,远程主机的日志也会记录到Server的日志文件中
# 忽略之前所有的日志,远程主机日志记录完之后不再继续往下记录
& ~
systemctl restart rsyslog
tail -f /var/log/messages
tail -f /var/log/messages检查有没有报错
4、 Rsyslog Client端修改配置文件
vi/etc/rsyslog.d/systemlog_to_server_over_tls.conf
加入如下行
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
# set up the action
$DefaultNetstreamDriver gtls
# use gtls netstream driver
$ActionSendStreamDriverMode 1
# require TLS for the connection
$ActionSendStreamDriverAuthMode anon
# server is NOT authenticated
*.* @@(o)192.168.198.131:10514
# send (all) messages
systemctl restart rsyslog
tail -f /var/log/messages
重启rsyslog,tail -f /var/log/messages检查有没有报错
6、验证测试
Rsyslog Client端触发系统日志,在Server端/var/log/syslog/下对应目录进行验证nestat也可以看到Client与Server 10514端口建立了TCP连接
本文参考如下链接完成
-
https://www.rsyslog.com/doc/master/tutorials/tls.html https://rsyslog.readthedocs.io/en/latest/tutorials/tls.html
-
https://www.thegeekdiary.com/how-to-configure-rsyslog-server-to-accept-logs-via-ssl-tls/ https://www.thegeekdiary.com/how-to-configure-remote-rsyslog-to-accept-tls-and-non-tls-in-centos-rhel/https://www.golinuxcloud.com/secure-remote-logging-rsyslog-tls-certificate/
- 3、日志分离可以参考Rainer Gerhards(rsyslog作者)的视频指导
