CentOS7下使用TCP over TLS方式安全传输远程主机系统日志
之前有介绍CentOS7下搭建Rsyslog Server记录远程主机系统日志,但由于syslog是UDP 514端口明文传输,基于安全考虑,可以采用TCP over TLS(SSL)方式传输日志 
(图片可放大查看)如上图拓扑所示 192.168.198.130 作为Rsyslog Client 192.168.198.131 作为Rsyslog ServerClient端通过rsyslog TCP over TLS(SSL)方式向Server端发送系统日志配置步骤如下
1、Client端与Server端均需要安装rsyslog-gnutls
CentOS7.6默认的rsyslog版本为
rsyslog-8.24.0-34.el7.x86_64 
(图片可放大查看) 可以通过如下方式安装rsyslog-gnutls组件包
cd /etc/yum.repos.d/
wget http://rpms.adiscon.com/v8-stable/rsyslog.repo
yum install rsyslog-gnutls
(图片可放大查看)
(图片可放大查看)会自动升级rsyslog到v8.2012版本由于rsyslog的yum仓库在国外,建议yum keepcache,将缓存下来的rpm打包上传到其它机器上rpm方式安装rsyslog-gnutls
(图片可放大查看)
(图片可放大查看)
rpm -Uvh libestr-0.1.11-1.el7.x86_64.rpm
rpm -Uvh libfastjson4-0.99.8-1.el7.centos.x86_64.rpm
rpm -Uvh rsyslog-8.2012.0-1.el7.x86_64.rpm
rpm -Uvh rsyslog-gnutls-8.2012.0-1.el7.x86_64.rpm
(图片可放大查看)
2、证书制作
1)、CA签证
certtool --generate-privkey --outfile ca-key.pem
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
按向导制作ca.pem
(图片可放大查看)
(图片可放大查看)Tips
若没有certtool命令,需要安装gnutls-utils
(图片可放大查看)
2)、客户端签证
certtool --generate-privkey --outfile key.pem
certtool --generate-request --load-privkey key.pem --outfile request.pem
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
(图片可放大查看)
(图片可放大查看)
(图片可放大查看)
3)、证书信息校验
certtool --certificate-info --infile cert.pem
(图片可放大查看)
3、证书文件拷贝到服务端及客户端
cp ca.pem cert.pem key.pem /etc/rsyslog.d/
scp ca.pem root@192.168.198.130:/etc/rsyslog.d/
(图片可放大查看)
3、Rsyslog Server端修改配置文件
在如下两个位置加入如下行
1)#$InputTCPServerRun 514这一行后面加入如下行
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/key.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerRun 10514 # start up listener at port 10514
2)$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat这一行后面加入如下行
# This one is the template to generate the log filename dynamically, depending on the client's IP address.
# 根据客户端的IP单独存放主机日志在不同目录,设置远程日志存放路径及文件名格式
$template Remote,"/var/log/syslog/%fromhost-ip%/%fromhost-ip%_%$YEAR%-%$MONTH%-%$DAY%.log"
# Log all messages to the dynamically formed file.
# 排除本地主机IP日志记录,只记录远程主机日志
:fromhost-ip, !isequal, "127.0.0.1" ?Remote
# 注意此规则需要在其它规则之前,否则配置没有意义,远程主机的日志也会记录到Server的日志文件中
# 忽略之前所有的日志,远程主机日志记录完之后不再继续往下记录
& ~
(图片可放大查看)然后重启rsyslog
systemctl restart rsyslog
tail -f /var/log/messages
tail -f /var/log/messages检查有没有报错
(图片可放大查看)
4、 Rsyslog Client端修改配置文件
vi/etc/rsyslog.d/systemlog_to_server_over_tls.conf
加入如下行
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
# set up the action
$DefaultNetstreamDriver gtls
# use gtls netstream driver
$ActionSendStreamDriverMode 1
# require TLS for the connection
$ActionSendStreamDriverAuthMode anon
# server is NOT authenticated
*.* @@(o)192.168.198.131:10514
# send (all) messages
systemctl restart rsyslog
tail -f /var/log/messages
重启rsyslog,tail -f /var/log/messages检查有没有报错
(图片可放大查看)
6、验证测试
Rsyslog Client端触发系统日志,在Server端/var/log/syslog/下对应目录进行验证如下图所示,可以看到测试OK
(图片可放大查看)
(图片可放大查看)nestat也可以看到Client与Server 10514端口建立了TCP连接
(图片可放大查看)
(图片可放大查看)
本文参考如下链接完成
- 1、rsyslog官方文档 https://www.rsyslog.com/doc/master/tutorials/tls.html https://rsyslog.readthedocs.io/en/latest/tutorials/tls.html
- 2、google搜索的相关文章链接 https://www.thegeekdiary.com/how-to-configure-rsyslog-server-to-accept-logs-via-ssl-tls/ https://www.thegeekdiary.com/how-to-configure-remote-rsyslog-to-accept-tls-and-non-tls-in-centos-rhel/https://www.golinuxcloud.com/secure-remote-logging-rsyslog-tls-certificate/
- 3、日志分离可以参考Rainer Gerhards(rsyslog作者)的视频指导
