
How to configure an rsyslog server to accept logs over SSL/TLS

The purpose of this post is to explain how to configure rsyslog so that logs are sent to the rsyslog server over SSL/TLS. Logs sent from the clients to the rsyslog server are then encrypted on the network, which gives an additional level of security.

Summary of steps

  • Trust has to be established between client and server, so certificates must be generated for each server and client under a CA.
  • Copy each client certificate to its client node, and the server certificate to the rsyslog server.
  • The certificate authority can be the rsyslog server itself or a separate server.
  • Add a few more modules to the rsyslog server configuration file to accept logs over TLS.
  • Add a few more modules to the rsyslog client configuration file to send logs over TLS.
  • Make sure the modules are in the correct order in both the server and the client configuration file.

Requirements

    An rsyslog server/client with the following packages:

    rsyslog-gnutls-5.8.10-10.0.1.el6_6.x86_64
    rsyslog-5.8.10-10.0.1.el6_6.x86_64
    gnutls-utils-2.8.5-19.el6_7.x86_64
    gnutls-2.8.5-19.el6_7.x86_64

    Test case

    1. Generate the CA certificate on the rsyslog server or on another CA server.

    # certtool --generate-privkey --outfile ca-key.pem
    Generating a 2048 bit RSA private key...
    # certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem     ===>>> generating CA certificate
    Generating a self signed certificate...
    Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
    Country name (2 chars): ind
    Organization name: Myorg
    Organizational unit name: myBU
    Locality name: BLR
    State or province name: KA
    Common name: CAcert
    UID:
    This field should not be used in new certificates.
    E-mail:
    Enter the certificate's serial number in decimal (default: 1482511911):
    
    Activation/Expiration time.
    The certificate will expire in (days): 3650
    
    Extensions.
    Does the certificate belong to an authority? (y/N): y
    Path length constraint (decimal, -1 for no constraint):
    Is this a TLS web client certificate? (y/N):
    Is this also a TLS web server certificate? (y/N):
    Enter the e-mail of the subject of the certificate:
    Will the certificate be used to sign other certificates? (y/N): y
    Will the certificate be used to sign CRLs? (y/N):
    Will the certificate be used to sign code? (y/N):
    Will the certificate be used to sign OCSP requests? (y/N):
    Will the certificate be used for time stamping? (y/N):
    Enter the URI of the CRL distribution point:
    X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 585d5627
    Validity:
    Not Before: Fri Dec 23 16:51:52 UTC 2016
    Not After: Mon Dec 21 16:51:55 UTC 2026
    Subject: C=ind,O=Myorg,OU=myBU,L=BLR,ST=KA,CN=CAcert
    Subject Public Key Algorithm: RSA
    Modulus (bits 2048):
    Exponent (bits 24):
    01:00:01
    Extensions:
    Basic Constraints (critical):
    Certificate Authority (CA): TRUE
    Key Usage (critical):
    Certificate signing.
    Subject Key Identifier (not critical):
    b606f5fa9bcd986ec25d2496c7d3a5c9270cc5f7
    Other Information:
    Public Key Id:
    b606f5fa9bcd986ec25d2496c7d3a5c9270cc5f7
    
    Is the above information ok? (Y/N): y
    
    Signing certificate...
    – Generate the client certificate:

    # certtool --generate-privkey --outfile rslclient-key.pem --bits 2048
    Generating a 2048 bit RSA private key...
    # certtool --generate-request --load-privkey rslclient-key.pem --outfile request.pem
    Generating a PKCS #10 certificate request...
    Country name (2 chars): ind
    Organization name: Myorg
    Organizational unit name: Mybu
    Locality name: blr
    State or province name: KA
    Common name: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
    UID:
    Enter a dnsName of the subject of the certificate: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
    Enter a dnsName of the subject of the certificate:
    Enter the IP address of the subject of the certificate:
    Enter the e-mail of the subject of the certificate:
    Enter a challenge password:
    Does the certificate belong to an authority? (y/N): n
    Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
    Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
    Is this a TLS web client certificate? (y/N): y
    Is this also a TLS web server certificate? (y/N): y
    # certtool --generate-certificate --load-request request.pem --outfile rslclient-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem =======>>> generating client key certificate
    
    Generating a signed certificate...
    Enter the certificate's serial number in decimal (default: 1482512116):
    
    Activation/Expiration time.
    The certificate will expire in (days): 3650
    
    Extensions.
    Do you want to honour the extensions from the request? (y/N):
    Does the certificate belong to an authority? (y/N): n
    Is this a TLS web client certificate? (y/N): y
    Is this also a TLS web server certificate? (y/N): y
    Enter a dnsName of the subject of the certificate: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
    Enter a dnsName of the subject of the certificate:
    Enter the IP address of the subject of the certificate:
    Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
    Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
    X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 585d56f4
    Validity:
    Not Before: Fri Dec 23 16:55:18 UTC 2016
    Not After: Mon Dec 21 16:55:20 UTC 2026
    Subject: C=ind,O=Myorg,OU=Mybu,L=blr,ST=KA,CN=dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
    Subject Public Key Algorithm: RSA
    Modulus (bits 2048):
    Exponent (bits 24):
    01:00:01
    Extensions:
    Basic Constraints (critical):
    Certificate Authority (CA): FALSE
    Key Purpose (not critical):
    TLS WWW Client.
    TLS WWW Server.
    Subject Alternative Name (not critical):
    DNSname: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
    Subject Key Identifier (not critical):
    34e95fc3db224ce9b4ed05f619359a4c4140826e
    Authority Key Identifier (not critical):
    b606f5fa9bcd986ec25d2496c7d3a5c9270cc5f7
    Other Information:
    Public Key Id:
    34e95fc3db224ce9b4ed05f619359a4c4140826e
    
    Is the above information ok? (Y/N): y
    
    Signing certificate...
    # rm -rf request.pem

    – Generate the server certificate:

    # certtool --generate-privkey --outfile rslserver-key.pem --bits 2048
    Generating a 2048 bit RSA private key...
    # certtool --generate-request --load-privkey rslserver-key.pem --outfile request.pem
    Generating a PKCS #10 certificate request...
    Country name (2 chars): ind
    Organization name: Myorg
    Organizational unit name: Mybu
    Locality name: blr
    State or province name: ka
    Common name: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
    UID:
    Enter a dnsName of the subject of the certificate: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
    Enter a dnsName of the subject of the certificate:
    Enter the IP address of the subject of the certificate:
    Enter the e-mail of the subject of the certificate:
    Enter a challenge password:
    Does the certificate belong to an authority? (y/N): n
    Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
    Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
    Is this a TLS web client certificate? (y/N): y
    Is this also a TLS web server certificate? (y/N): y
    Generating the server key certificate using request.pem:
    # certtool --generate-certificate --load-request request.pem --outfile rslserver-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
    Generating a signed certificate...
    Enter the certificate's serial number in decimal (default: 1482512336):
    
    Activation/Expiration time.
    The certificate will expire in (days): 3650
    
    Extensions.
    Do you want to honour the extensions from the request? (y/N):
    Does the certificate belong to an authority? (y/N): n
    Is this a TLS web client certificate? (y/N): y
    Is this also a TLS web server certificate? (y/N): y
    Enter a dnsName of the subject of the certificate: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
    Enter a dnsName of the subject of the certificate:
    Enter the IP address of the subject of the certificate:
    Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
    Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
    X.509 Certificate Information:
    Version: 3
    Serial Number (hex): 585d57d0
    Validity:
    Not Before: Fri Dec 23 16:58:57 UTC 2016
    Not After: Mon Dec 21 16:59:00 UTC 2026
    Subject: C=ind,O=Myorg,OU=Mybu,L=blr,ST=ka,CN=dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
    Subject Public Key Algorithm: RSA
    Modulus (bits 2048):
    Exponent (bits 24):
    01:00:01
    Extensions:
    Basic Constraints (critical):
    Certificate Authority (CA): FALSE
    Key Purpose (not critical):
    TLS WWW Client.
    TLS WWW Server.
    Subject Alternative Name (not critical):
    DNSname: dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
    Subject Key Identifier (not critical):
    f7f986ecdd10bf2646cd74f7e20e3d9b0f746765
    Authority Key Identifier (not critical):
    b606f5fa9bcd986ec25d2496c7d3a5c9270cc5f7
    Other Information:
    Public Key Id:
    f7f986ecdd10bf2646cd74f7e20e3d9b0f746765
    
    Is the above information ok? (Y/N): y
    
    Signing certificate...

    2. Copy ca.pem and the rslclient-* certificates to the client, and the server certificate to the rsyslog server

    # rsync -aP rslserver-* root@<destination-host>:/etc/pki/tls/private/
    # rsync -aP ca.pem root@<destination-host>:/etc/pki/tls/private/
    # ls -l /etc/pki/tls/private/
    total 12
    -rw-r--r-- 1 root root 1233 Dec 23 19:58 ca.pem
    -rw-r--r-- 1 root root 1452 Dec 23 20:06 rslclient-cert.pem
    -rw------- 1 root root 1679 Dec 23 19:59 rslclient-key.pem
    # ls -l /etc/pki/tls/private/
    total 12
    -rw-r--r-- 1 root root 1233 Dec 23 20:09 ca.pem
    -rw-r--r-- 1 root root 1448 Dec 23 20:09 rslserver-cert.pem
    -rw------- 1 root root 1675 Dec 23 20:09 rslserver-key.pem

    Rsyslog configuration

    1. Install the packages below on both the rsyslog client and the rsyslog server.

    rsyslog-gnutls-5.8.10-10.0.1.el6_6.x86_64
    rsyslog-5.8.10-10.0.1.el6_6.x86_64
    gnutls-utils-2.8.5-19.el6_7.x86_64
    gnutls-2.8.5-19.el6_7.x86_64

    2. RSYSLOG server configuration:
    – Add the following modules/configuration to /etc/rsyslog.conf.

    Note: the driver must be loaded before the imtcp module, so the directives must appear in the order shown below.

    $DefaultNetstreamDriver gtls
    
    $DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
    $DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
    $DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
    
    $ModLoad imtcp
    
    $InputTCPServerStreamDriverAuthMode anon
    $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
    
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    
    $InputTCPServerRun 514
    
    # Increase the amount of open files rsyslog is allowed, which includes open tcp sockets
    # This is important if there are many clients.
    # http://www.rsyslog.com/doc/rsconf1_maxopenfiles.html
    $MaxOpenFiles 2048

    Example:

    # cat /etc/rsyslog.conf
    # rsyslog v5 configuration file
    
    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
    
    #### MODULES ####
    
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog # provides kernel logging support (previously done by rklogd)
    #$ModLoad immark # provides --MARK-- message capability
    
    # Provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514
    
    # Provides TCP syslog reception
    
    #### GLOBAL DIRECTIVES ####
    
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    
    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on
    
    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf
    
    $DefaultNetstreamDriver gtls
    
    $DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
    $DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
    $DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
    
    $ModLoad imtcp
    
    $InputTCPServerStreamDriverAuthMode anon
    $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
    
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-10-178-22-154.in.oracle.com ======>>>> mention your rsyslog peer name or pattern ( *. )
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    
    $InputTCPServerRun 514
    
    # Increase the amount of open files rsyslog is allowed, which includes open tcp sockets
    # This is important if there are many clients.
    # http://www.rsyslog.com/doc/rsconf1_maxopenfiles.html
    $MaxOpenFiles 2048
    
    #### RULES ####
    
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.* /dev/console
    
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none /var/log/messages
    
    # The authpriv file has restricted access.
    authpriv.* /var/log/secure
    
    # Log all the mail messages in one place.
    mail.* -/var/log/maillog
    
    # Log cron stuff
    cron.* /var/log/cron
    
    # Everybody gets emergency messages
    *.emerg *
    
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler
    
    # Save boot messages also to boot.log
    local7.* /var/log/boot.log
    
    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$WorkDirectory /var/lib/rsyslog # where to place spool files
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList # run asynchronously
    #$ActionResumeRetryCount -1 # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    # ### end of the forwarding rule ###

    rsyslog client configuration

    Make sure the following directives are present:

    $DefaultNetstreamDriver gtls
    
    $DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
    $DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
    $DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
    
    $ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com =======>>> that should be your rsyslog server
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    $ActionSendStreamDriverAuthMode x509/name

    Example:

    # cat /etc/rsyslog.conf
    # rsyslog v5 configuration file
    
    # For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
    # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
    
    #### MODULES ####
    
    $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
    $ModLoad imklog # provides kernel logging support (previously done by rklogd)
    #$ModLoad immark # provides --MARK-- message capability
    
    # Provides UDP syslog reception
    #$ModLoad imudp
    #$UDPServerRun 514
    
    # Provides TCP syslog reception
    #$ModLoad imtcp
    #$InputTCPServerRun 514
    
    #### GLOBAL DIRECTIVES ####
    
    # Use default timestamp format
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    
    # File syncing capability is disabled by default. This feature is usually not required,
    # not useful and an extreme performance hit
    #$ActionFileEnableSync on
    
    # Include all config files in /etc/rsyslog.d/
    $IncludeConfig /etc/rsyslog.d/*.conf
    
    $DefaultNetstreamDriver gtls
    
    $DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
    $DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslclient-cert.pem
    $DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslclient-key.pem
    
    $ActionSendStreamDriverPermittedPeer dhcp-blr-kmgm-blk2-4fl-6fl-10-178-23-94.in.oracle.com
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    $ActionSendStreamDriverAuthMode x509/name
    
    #$ActionSendStreamDriverAuthMode x509/name
    #$ActionSendStreamDriverPermittedPeer *
    #$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    
    #### RULES ####
    
    # Log all kernel messages to the console.
    # Logging much else clutters up the screen.
    #kern.* /dev/console
    
    # Log anything (except mail) of level info or higher.
    # Don't log private authentication messages!
    *.info;mail.none;authpriv.none;cron.none /var/log/messages
    
    # The authpriv file has restricted access.
    authpriv.* /var/log/secure
    
    # Log all the mail messages in one place.
    mail.* -/var/log/maillog
    
    # Log cron stuff
    cron.* /var/log/cron
    
    # Everybody gets emergency messages
    *.emerg *
    
    # Save news errors of level crit and higher in a special file.
    uucp,news.crit /var/log/spooler
    
    # Save boot messages also to boot.log
    local7.* /var/log/boot.log
    
    # ### begin forwarding rule ###
    # The statement between the begin ... end define a SINGLE forwarding
    # rule. They belong together, do NOT split them. If you create multiple
    # forwarding rules, duplicate the whole block!
    # Remote Logging (we use TCP for reliable delivery)
    #
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$WorkDirectory /var/lib/rsyslog # where to place spool files
    #$ActionQueueFileName fwdRule1 # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList # run asynchronously
    #$ActionResumeRetryCount -1 # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    *.* @@10.178.23.94:514 ========>>>>>> server:port
    :msg, contains, "kernel" @@10.178.23.94:514
    # ### end of the forwarding rule ###

    Final step: restart the service on both the client and the server.

    service rsyslog restart
    Shutting down system logger: [ OK ]
    Starting system logger: [ OK ]

    Expected result:

    # tailf /var/log/messages
    Dec 23 22:36:20 server2 kernel: IPv6: eth2: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:fedd:bb31 detected! ========>>>> client messages here
    Dec 23 22:38:54 server2 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
    Dec 23 22:38:54 server1 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
    Dec 23 22:38:55 server1 kernel: IPv6: eth2: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:fedd:bb31 detected!
    Dec 23 22:41:28 server2 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
    Dec 23 22:41:28 server1 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
    Dec 23 22:41:29 server1 kernel: IPv6: eth2: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:fedd:bb31 detected!
    Dec 23 22:44:44 server2 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
    Dec 23 22:44:44 server1 kernel: IPv6: eth1: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:feb6:a80e detected!
    Dec 23 22:44:44 server1 kernel: IPv6: eth2: IPv6 duplicate address 2606:b400:c11:68:a00:27ff:fedd:bb31 detected!
    Dec 23 22:45:12 server1 kernel: Kernel logging (proc) stopped. =====>>> client messages got logged to the rsyslogserver
    Dec 23 22:45:12 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="6340" x-info="http://www.rsyslog.com"] exiting on signal 15.
    Dec 23 22:45:12 server1 kernel: imklog 5.8.10, log source = /proc/kmsg started.
    Dec 23 22:45:12 server1 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="6679" x-info="http://www.rsyslog.com"] start
    # tcpdump -nnvvvS -s 0 -U -w /tmp/sniff.rsyslog dst 10.178.23.94 and dst port 514
    tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
    ^C133 packets captured
    133 packets received by filter
    0 packets dropped by kernel
    3211 packets dropped by interface

    Troubleshooting

    Based on the errors seen on the rsyslog server:

    1. If the messages arrive encrypted instead of as plain text, check the order of the modules. This happened because the gtls driver was loaded after imtcp had already opened its port.

    Dec 23 19:34:36 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="3344" x-info="http://www.rsyslog.com"] start
    Dec 23 19:34:41 #026#003#002#000V#001#000#000R#003#002X].�i�)�#005t�#037F�{ot �f�\���Y��L�#013�#000#000$#0003#000E#0009#000�#000#026#0002#000D#0008#000�#000#023#000f#000/#000A#0005#000�
    Dec 23 19:34:42 #026#003#002#000V#001#000#000R#003#002X].��#0158��9��n���Mz�S���W"co��#015#000#000$#0003#000E#0009#000�#000#026#0002#000D#0008#000�#000#023#000f#000/#000A#0005#000�

    2. Module not found:

    Dec 23 20:09:39  rsyslogd-2067: could not load module '/lib64/rsyslog/lmnsd_gtls.so', dlsym: x^D: undefined symbol: modInit

    A) Check the certificates, then reissue them or copy them to the server.

    3. Check this parameter: "$ActionSendStreamDriverAuthMode x509/name"

    Dec 23 19:53:20 rsyslogd-2088: error: peer name not authorized - not permitted to talk to it. Names: (null) [try http://www.rsyslog.com/e/2088 ]
    Dec 23 19:53:20 rsyslogd-2089: netstream session 0x7fb45c01c0e0 will be closed due to error
    [try http://www.rsyslog.com/e/2089 ]

    Basic configuration error:

    Dec 23 19:32:50  rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="3262" x-info="http://www.rsyslog.com"] start
    Dec 23 19:32:50 rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
    Dec 23 19:32:50 rsyslogd: the last error occured in /etc/rsyslog.conf, line 36:"$InputTCPServerStreamDriverAuthMode x509/name"
    Dec 23 19:32:50  rsyslogd-3003: invalid or yet-unknown config file command - have you forgotten to load a module? [try http://www.rsyslog.com/e/3003 ]
    Dec 23 19:32:50  rsyslogd: the last error occured in /etc/rsyslog.conf, line 37:"$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode"
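The note on module order above and the troubleshooting cases here both come down to where the gtls directives sit relative to `$ModLoad imtcp`. The following linter for v5-style rsyslog.conf directives is an added example, not code from the original post; the two sample fragments are constructed from this post's own configuration, and the `$InputTCPServerStreamDriverPermittedPeer` directive it recommends is the imtcp counterpart of the `$ActionSend...PermittedPeer` used above.

```python
# Added example (not from the original post): lint v5-style rsyslog.conf
# directives for the module-order mistakes shown in the troubleshooting
# section (gtls selected after imtcp; imtcp directives before '$ModLoad imtcp',
# which rsyslogd reports as error 3003) and for weak TLS authentication settings.

GTLS_FILES = ("$DefaultNetstreamDriverCAFile",
              "$DefaultNetstreamDriverCertFile",
              "$DefaultNetstreamDriverKeyFile")
# Directives rsyslogd only understands once imtcp has been loaded.
IMTCP_DIRECTIVES = ("$InputTCPServerStreamDriverAuthMode",
                    "$InputTCPServerStreamDriverMode",
                    "$InputTCPServerStreamDriverPermittedPeer",
                    "$InputTCPServerRun")


def parse_directives(text):
    """Yield (line_no, directive, value) for every '$...' line; trailing '# ...' comments dropped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("$"):
            parts = line.split(None, 1)
            yield n, parts[0], (parts[1].strip() if len(parts) > 1 else "")


def lint_tls_config(text):
    """Return [(line_no, message)] findings for an rsyslog.conf fragment (line 0 = whole file)."""
    directives = list(parse_directives(text))
    gtls_at = next((n for n, d, v in directives if d == "$DefaultNetstreamDriver" and v == "gtls"), None)
    imtcp_at = next((n for n, d, v in directives if d == "$ModLoad" and v == "imtcp"), None)
    seen = {d for _, d, _ in directives}
    findings = []

    if gtls_at is None:
        findings.append((0, "no '$DefaultNetstreamDriver gtls': logs travel over plain TCP"))
    else:
        findings += [(0, f"gtls selected but {f} is not set") for f in GTLS_FILES if f not in seen]

    for n, d, v in directives:
        if d in IMTCP_DIRECTIVES and (imtcp_at is None or n < imtcp_at):
            findings.append((n, f"{d} before '$ModLoad imtcp' (rsyslogd error 3003)"))
        if d == "$ModLoad" and v == "imtcp" and gtls_at is not None and gtls_at > n:
            findings.append((n, "imtcp loaded before gtls is selected: the listener speaks "
                                "plain TCP and TLS handshakes are logged as binary garbage"))
        if d == "$InputTCPServerStreamDriverAuthMode" and v == "anon":
            findings.append((n, "server accepts unauthenticated clients; prefer x509/name "
                                "plus $InputTCPServerStreamDriverPermittedPeer"))
        if d.endswith("PermittedPeer") and v == "*":
            findings.append((n, f"{d} '*' trusts every certificate the CA has signed"))
        if d.endswith("StreamDriverMode") and v != "1":
            findings.append((n, f"{d} {v or '(unset)'}: not TLS-only, plain TCP still accepted"))
    return findings


# Constructed sample: the server fragment from this post (order is right, auth is anon).
SERVER_OK = """\
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
$ModLoad imtcp
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 514
"""

# Constructed sample: the same directives in the wrong order (the troubleshooting case).
SERVER_BROKEN = """\
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverMode 1
$ModLoad imtcp
$InputTCPServerRun 514
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/rslserver-cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rslserver-key.pem
"""
```

`lint_tls_config(SERVER_BROKEN)` reports the two error-3003 lines and the imtcp-before-gtls line, while `lint_tls_config(SERVER_OK)` only flags the anon authentication mode.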
