Gentoo Forums
Secure logging to remote syslog-ng server with SSL tunnel
nx12
Apprentice


Joined: 14 Jan 2004
Posts: 193

PostPosted: Wed Oct 06, 2004 7:50 am    Post subject: Secure logging to remote syslog-ng server with SSL tunnel

Subj.

Summary.
1.Introduction.
2.Software installation.
3.Creating SSL-certificates.
4.Setting necessary configurations.
5.Starting(restarting) services.
6.Credits.


1.Introduction
I've lost a couple of hours of my precious life to set it up, so I decided to write this little howto. Logging to a remote server is always a good idea: you can keep an eye on what's happening on your apache/mysql/something-else server and feel a bit safer, or it can simply help you to debug some services on a remote box.

2.Software installation.

We will need syslog-ng, the openssl lib and stunnel, a nice TCP/SSL port wrapper. First I tried to set up tunneling using openssh, but it gave me a lot of headache with keeping the connection alive and reconnecting when the syslog server goes offline. Stunnel resolved it all nicely.

Just type on both server and client:
Code:
emerge -p syslog-ng openssl stunnel


and emerge necessary packages.

3.Creating SSL-certificates.

Now we need to create certificates for the syslog server and the syslog clients. Go to some non-public directory and do:
Step 1.
Code:
openssl req -new -x509 -out cacert.pem -days 1095 -nodes

If you want, you can change the -days value to a lower one, e.g. 365.
OpenSSL will ask you some questions, so answer them; what answers you give doesn't matter. If you want, you can do a man openssl and create a default config file. It's really useful if you're going to issue certificates for a lot of clients.

Fine, now we have two files: cacert.pem and privkey.pem.
This will be the server's certificate; syslog clients need only the certificate section, so rename cacert.pem to syslog-ng-server.pem and put it in the client's /etc/stunnel/ directory.
Now concatenate cacert.pem and privkey.pem to create a new syslog-ng-server.pem for our server:

Code:
cat privkey.pem > syslog-ng-server.pem
cat cacert.pem >> syslog-ng-server.pem


Copy syslog-ng-server.pem to our syslog server's /etc/stunnel/ directory.

Then move the files we created somewhere for backup and generate another key-cert pair:

Step 2.
Code:
openssl req -new -x509 -out cacert.pem -days 1095 -nodes


This time we rename and copy certificate part to the syslog server:
Code:
cp cacert.pem /etc/stunnel/syslog-ng-client.pem


Note that if you have two or more syslog clients, just concatenate their public certificates into one:

Code:
cat cacert.pem >> /etc/stunnel/syslog-ng-client.pem


Good, now cat the new full certificate for the client side:

Code:
cat privkey.pem > syslog-ng-client.pem
cat cacert.pem >> syslog-ng-client.pem


And then put it on the client box in /etc/stunnel/ directory.

Repeat step two for each client, or just write a script for that.

Also, change permissions on the certificates, to keep them secure on the server and clients:
Code:

chmod 600 /etc/stunnel/*.pem


4.Setting necessary configurations.

On the server side open /etc/stunnel/stunnel.conf and add these lines:

Code:
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3

[5101]
accept = server IP address:5101
connect = 127.0.0.1:514


where 5101 is the tunneling port and server IP address is your syslog-ng server's address.

On the clients open /etc/stunnel/stunnel.conf and add:

Code:
client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3

[5101]
accept = 127.0.0.1:514
connect = server IP address:5101


where server IP address is your syslog-ng server's address again.

Great. Now we can mess with syslog-ng configs. :wink:

On the server open /etc/syslog-ng/syslog-ng.conf and add:
Code:

options {  long_hostnames(off);
           sync(0);
           keep_hostname(yes);
           chain_hostnames(no);  };
# Just modify your options section accordingly.

# Listen only on loopback: the plain-text side of the tunnel must never face the network.
# Every client's tunnel arrives as its own connection from the local stunnel,
# so raise max-connections() to at least the number of clients you have.
source remote_log {tcp(ip("127.0.0.1")
                   port(514)
                   max-connections(1));};
destination remote {file("/var/log/remote.log");};
log {source(remote_log); destination(remote);};
#Or put any other destination for the log


On the clients add the following to /etc/syslog-ng/syslog-ng.conf :
Code:

# Send to the local stunnel listener, never directly to the server in plain text.
destination remote {tcp("127.0.0.1" port(514));};
# src is the default source already defined in Gentoo's syslog-ng.conf.
log {source(src);destination(remote);};


I leave to you how to poke a hole in your firewalls and routers to allow connections from your boxes on the port we've chosen. :D

5.Starting(restarting) services.
And now we can test it.
Make sure your firewall allows connections on port 5101 and then just type
Code:
stunnel

on both server and clients, and then make syslog-ng re-read its configuration:
Code:

killall -s HUP syslog-ng


Now check if logging works:

Code:
tail -f /var/log/remote.log


If it doesn't, check your /var/log/messages; stunnel and syslog-ng are both verbose enough to track down any configuration error. :wink:

Now we can add stunnel to the default level:

Code:
rc-update add stunnel default


6.Credits.
Thanks to stunnel.org, google.com, balabit.com and gentoo.org. :wink:

PS I suggest you check the syslog-ng docs on how to set up nice log filtering.
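The certificate steps above done as one script, as an added example that is not part of nx12's post: it generates the self-signed server and client identities, assembles the key+cert bundles that stunnel's cert= wants and the two CAfiles (clients trust the server cert, the server trusts every enrolled client cert), and then runs the checks a practitioner wants before copying anything across: that each CAfile accepts the peer it should, that a box with its own unenrolled self-signed cert is rejected (which is what verify = 3 buys you), and that no private key has leaked into a file destined for the other side. The scratch directory, the hostnames web01/db01/rogue and the certificate subject are assumptions for illustration; nothing here writes to /etc/stunnel.

```shell
#!/bin/sh
# Added example (not from the HOWTO above): build the self-signed server and
# client identities the post describes, assemble the combined PEM files
# stunnel's cert= expects, and check offline that each side's CAfile accepts
# the peer it should and rejects one it should not. Paths, hostnames and the
# certificate subject are assumed for illustration; nothing here touches
# /etc/stunnel, copy the results there yourself.
set -eu

OUT="${OUT:-$(mktemp -d)}"          # assumed scratch directory
DAYS=1095                           # lifetime from the HOWTO
SUBJ="/C=XX/O=syslog-tunnel"        # assumed subject; stunnel does not inspect it

# make_identity NAME: writes NAME.key, NAME.crt and the key+cert bundle NAME.pem.
# One non-interactive openssl call does what the HOWTO's 'openssl req' does.
make_identity() {
    name="$1"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$DAYS" \
        -subj "$SUBJ/CN=$name" \
        -keyout "$OUT/$name.key" -out "$OUT/$name.crt" 2>/dev/null
    cat "$OUT/$name.key" "$OUT/$name.crt" > "$OUT/$name.pem"   # Chaosite's one-step cat
    chmod 600 "$OUT/$name.key" "$OUT/$name.pem"
}

# build_pki CLIENT...: server identity plus one identity per client, and the
# two CAfiles: clients trust the server cert, the server trusts every client cert.
build_pki() {
    mkdir -p "$OUT"
    make_identity syslog-ng-server
    cp "$OUT/syslog-ng-server.crt" "$OUT/client-side-CAfile.pem"   # certificate only, never the key
    : > "$OUT/server-side-CAfile.pem"
    for c in "$@"; do
        make_identity "$c"
        cat "$OUT/$c.crt" >> "$OUT/server-side-CAfile.pem"
    done
    chmod 644 "$OUT"/*-CAfile.pem   # certificates are public; the .key/.pem bundles are the secret
}

# verify_peer CAFILE CERT: succeeds only if CERT chains to something in CAFILE.
# This is the closest offline approximation of the check stunnel's verify = 3
# performs on every connection against its own CAfile.
verify_peer() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# no_key_leak FILE: succeeds if FILE carries no private key block. Run it on any
# file you are about to copy to the other side of the tunnel.
no_key_leak() {
    ! grep -q 'PRIVATE KEY' "$1"
}

# Worked run: one server and two clients (assumed hostnames web01 and db01).
if command -v openssl >/dev/null 2>&1; then
    build_pki web01 db01
    verify_peer "$OUT/server-side-CAfile.pem" "$OUT/web01.crt"  && echo "server accepts web01"
    verify_peer "$OUT/server-side-CAfile.pem" "$OUT/db01.crt"   && echo "server accepts db01"
    verify_peer "$OUT/client-side-CAfile.pem" "$OUT/syslog-ng-server.crt" && echo "clients accept server"
    make_identity rogue   # a box with its own self-signed cert that nobody enrolled
    verify_peer "$OUT/server-side-CAfile.pem" "$OUT/rogue.crt" || echo "server rejects rogue"
    no_key_leak "$OUT/client-side-CAfile.pem" && echo "client-side CAfile carries no private key"
    echo "generated files are in $OUT"
else
    echo "openssl not installed; nothing generated" >&2
fi
```

The point of the rogue check: because there is no CA in this setup, each side's CAfile is literally the list of certificates it will talk to, so enrolling a new client means appending its cert to the server's CAfile and restarting stunnel, and revoking one means removing it. A client whose cert is not in that list fails the handshake before a single log line reaches syslog-ng.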
Chaosite
Guru


Joined: 13 Dec 2003
Posts: 540
Location: Right over here.

PostPosted: Wed Oct 06, 2004 9:33 am    Post subject: Re: Secure logging to remote syslog-ng server with SSL tunnel

nx12 wrote:

Now concatenate cacert.pem and privkey.pem to create a new syslog-ng-server.pem for our server:

Code:
cat privkey.pem > syslog-ng-server.pem
cat cacert.pem >> syslog-ng-server.pem



I know it's nitpicking, but people often forget that cat's job is in fact to concatenate files, not just blast them into standard output. The "correct" (and single-step!) way to do this is in fact:
Code:
cat privkey.pem cacert.pem > syslog-ng-server.pem


Otherwise, great HOWTO! Thanks!
ministry
n00b


Joined: 29 Sep 2004
Posts: 5

PostPosted: Wed Dec 08, 2004 7:02 pm    Post subject: syslogd

Any ideas on how to do the same thing with stunnel and the normal sysklogd and syslogd.

It's just that on my network people don't want to use metalog or syslog-ng, because syslog is already set up and running and they are used to the syntax.

Thanks..This tutorial does look great!
nx12
Apprentice


Joined: 14 Jan 2004
Posts: 193

PostPosted: Wed Dec 08, 2004 11:11 pm

AFAIR they support networked logging, so I suppose you can do exactly the same thing with them.
Though I still recommend syslog-ng for a log server, its filtering capabilities are outstanding.
whitetux
n00b


Joined: 17 Mar 2004
Posts: 20

PostPosted: Wed Jul 11, 2007 8:03 pm

Great write-up! Looks like I'm getting to it 3 years after it was written, but after googling half of the "inter-web" I finally found a great write-up.