Configure rSyslog Server for Receiving TLS/SSL Packets
This section describes the steps to configure the rSyslog server if you want to enable TLS logging for audit logs and syslogs from GigaVUE-FM.
Prerequisite: Install the required packages on the rSyslog server:
rsyslog-gnutls-5.8.10-10.0.1.el6_6.x86_64
rsyslog-5.8.10-10.0.1.el6_6.x86_64
gnutls-utils-2.8.5-19.el6_7.x86_64
gnutls-2.8.5-19.el6_7.x86_64
The steps are described below.

Step 1. Add the following parameters to /etc/rsyslog.conf on the remote rsyslog server and restart the rsyslog service. These are the imtcp listener directives for the gtls driver. Keep the driver settings before $InputTCPServerRun: the legacy configuration format creates the listener at that line with whatever driver settings are in effect, so a $InputTCPServerRun placed before $DefaultNetstreamDriver gtls starts a plain-TCP listener. (The $ActionSendStreamDriver* directives configure outgoing actions on the sending side and have no effect on an imtcp listener.)

    $ModLoad imtcp
    $DefaultNetstreamDriver gtls
    $DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
    $DefaultNetstreamDriverCertFile /etc/pki/tls/private/rservtls-cert.pem
    $DefaultNetstreamDriverKeyFile /etc/pki/tls/private/rservtls-key.pem
    $InputTCPServerStreamDriverMode 1
    $InputTCPServerStreamDriverAuthMode x509/name
    $InputTCPServerStreamDriverPermittedPeer <10.115.48.54>   ===> Replace with remote server IP/DNS name
    $InputTCPServerRun 514

Mode 1 accepts TLS connections only, and x509/name makes rsyslog verify the peer certificate against ca.pem and compare its CN/dNSName with the permitted peer. The permitted peer must therefore match exactly the name placed in the certificate that GigaVUE-FM presents; with this procedure the same certificate is installed on both ends, so it is the remote server IP/DNS name entered in step 6. The three files named here must exist at those paths on the rsyslog server, with the key readable only by the rsyslog user.
Step 2. Generate the CA key on the remote server. Keep ca-key.pem readable only by its owner; it is used solely to sign certificates and is never copied to GigaVUE-FM.

    fmtaf@fmreg26:/tmp/rsysconf$ certtool --generate-privkey --outfile ca-key.pem
    Generating a 3072 bit RSA private key...
    fmtaf@fmreg26:/tmp/rsysconf$ chmod 400 ca-key.pem
Step 3. Generate the CA certificate (ca.pem) on the remote server. Answer y to the authority, certificate-signing and CRL-signing prompts; the remaining prompts can be left at their defaults.

    fmtaf@fmreg26:/tmp/rsysconf$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
    Generating a self signed certificate...
    Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
    Common name: 10.210.22.114
    UID:
    Organizational unit name:
    Organization name:
    Locality name:
    State or province name:
    Country name (2 chars):
    Enter the subject's domain component (DC): This field should not be used in new certificates.
    E-mail:
    Enter the certificate's serial number in decimal (123) or hex (0xabcd) (default is 0x3fdea4af40da84d2580d59f9770ae288732c3421) value:
    Activation/Expiration time.
    The certificate will expire in (days): 3650
    Extensions.
    Does the certificate belong to an authority? (y/N): y
    Path length constraint (decimal, -1 for no constraint):
    Is this a TLS web client certificate? (y/N):
    Will the certificate be used for IPsec IKE operations? (y/N):
    Is this a TLS web server certificate? (y/N):
    Enter a dnsName of the subject of the certificate:
    Enter a URI of the subject of the certificate:
    Enter the IP address of the subject of the certificate:
    Enter the e-mail of the subject of the certificate:
    Will the certificate be used for signing (required for TLS)? (Y/n):
    Will the certificate be used for data encryption? (y/N):
    Will the certificate be used to sign OCSP requests? (y/N):
    Will the certificate be used to sign code? (y/N):
    Will the certificate be used for time stamping? (y/N):
    Will the certificate be used for email protection? (y/N):
    Will the certificate be used to sign other certificates? (Y/n): Y
    Will the certificate be used to sign CRLs? (y/N): y
    Enter the URI of the CRL distribution point:
    X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 3fdea4af40da84d2580d59f9770ae288732c3421
        Validity:
            Not Before: Thu Mar 09 14:41:22 UTC 2023
            Not After: Sun Mar 06 14:41:29 UTC 2033
        Subject: CN=10.210.22.114
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (3072 bits)
            Modulus (bits 3072):
                00:e4:09:d2:d0:b4:eb:a3:49:da:53:3f:34:78:8c:36
                46:76:f8:23:43:ab:59:51:b9:28:ff:c7:01:9c:b3:65
                02:fc:4f:f1:9d:a7:5e:f7:60:f7:e7:90:58:4d:3c:86
                85:ac:f7:d6:dd:85:3f:ef:55:88:2d:4b:f5:ec:ba:f2
                76:01:04:e4:83:5d:40:c8:57:87:f5:06:40:0d:be:30
                a4:2a:2f:8f:e9:6a:9e:4a:2a:53:e4:40:ef:ec:f6:a9
                17:cd:e5:58:41:fd:9a:82:2b:7c:b3:33:64:b3:5d:74
                31:e0:9a:47:b6:b5:42:bc:9f:89:82:50:08:36:b2:ca
                e8:c6:3a:ac:ad:47:d3:4f:f7:a6:6e:e1:33:bc:b8:d1
                32:10:f3:cb:29:ef:28:cd:9b:40:57:c3:4e:45:f9:fe
                33:eb:5f:6f:72:db:52:2f:e7:99:eb:61:ea:66:ee:e9
                c2:79:c9:d0:cd:fc:18:7a:01:98:39:4e:f0:12:97:d1
                c7:68:ba:cd:08:b1:30:cb:22:17:0b:c5:a2:f7:55:7d
                37:5f:21:d1:10:d9:1d:2b:cf:d6:c8:a0:d7:e0:64:57
                9a:f6:7a:57:17:ef:bb:4f:16:5e:4c:17:f1:cd:53:cc
                da:b1:8e:32:3c:eb:1e:6b:83:20:c5:a7:5a:24:8f:96
                b3:03:04:b0:16:8a:95:44:1c:7b:42:70:2f:30:87:23
                8d:13:69:a9:b2:ed:8f:4f:11:f1:42:b9:11:a6:35:35
                ef:30:b7:5c:82:d9:b3:90:91:65:20:cf:e4:46:3d:3a
                05:d6:72:85:26:42:e7:ea:a1:8b:94:81:ab:9e:ed:83
                79:f7:7f:8a:07:8c:0f:17:b0:6c:7d:78:a5:16:9d:cc
                5f:48:0c:b1:40:3c:bf:94:4d:f7:a4:b4:e5:d0:bd:62
                4b:ba:a6:2e:57:0f:87:50:f1:98:79:1e:ac:d2:47:b0
                e0:3b:41:a2:0e:cd:2a:8e:15:34:cf:ad:a6:c6:1b:27
                4d
            Exponent (bits 24):
                01:00:01
        Extensions:
            Basic Constraints (critical):
                Certificate Authority (CA): TRUE
            Key Usage (critical):
                Digital signature.
                Certificate signing.
                CRL signing.
            Subject Key Identifier (not critical):
                c61e0b508686f9701616f57f1e49e3448b06f98d
    Other Information:
        Public Key ID:
            sha1:c61e0b508686f9701616f57f1e49e3448b06f98d
            sha256:e01a89569cfb732403af0e5e2c0bd9606f69fa7b66c3a8beea69970569eb51fd
        Public Key PIN:
            pin-sha256:4BqJVpz7cyQDrw5eLAvZYG9p+ntmw6i+6mmXBWnrUf0=
    Is the above information ok? (y/N): y
    Signing certificate...
    fmtaf@fmreg26:/tmp/rsysconf$
Step 4. Generate the remote server TLS key (rservtls-key.pem).

    fmtaf@fmreg26:/tmp/rsysconf$ certtool --generate-privkey --outfile rservtls-key.pem --bits 2048
    ** Note: You may use '--sec-param Medium' instead of '--bits 2048'
    Generating a 2048 bit RSA private key...
    fmtaf@fmreg26:/tmp/rsysconf$
Step 5. Generate the certificate request (request.pem) for the remote server TLS key. The Common name is the remote server IP/DNS name; the extension prompts can be left at their defaults, because the extensions are set when the request is signed in step 6.

    fmtaf@fmreg26:/tmp/rsysconf$ certtool --generate-request --load-privkey rservtls-key.pem --outfile request.pem
    Generating a PKCS #10 certificate request...
    Common name: 10.210.22.114
    Organizational unit name:
    Organization name:
    Locality name:
    State or province name:
    Country name (2 chars):
    Enter the subject's domain component (DC):
    UID:
    Enter a dnsName of the subject of the certificate:
    Enter a URI of the subject of the certificate:
    Enter the IP address of the subject of the certificate:
    Enter the e-mail of the subject of the certificate:
    Enter a challenge password:
    Does the certificate belong to an authority? (y/N):
    Will the certificate be used for signing (DHE ciphersuites)? (Y/n):
    Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
    Will the certificate be used to sign code? (y/N):
    Will the certificate be used for time stamping? (y/N):
    Will the certificate be used for email protection? (y/N):
    Will the certificate be used for IPsec IKE operations? (y/N):
    Will the certificate be used to sign OCSP requests? (y/N):
    Is this a TLS web client certificate? (y/N):
    Is this a TLS web server certificate? (y/N):
    fmtaf@fmreg26:/tmp/rsysconf$
Step 6. Generate the remote server TLS certificate (rservtls-cert.pem) by signing the request with the CA. Answer y to both the TLS web client and TLS web server prompts, because the same certificate is used by the rsyslog listener and by GigaVUE-FM when it connects. The dnsName entered here is the value rsyslog compares with the permitted peer in x509/name mode, so it must match the name configured in /etc/rsyslog.conf exactly. Note the 1000-day validity: the certificate must be reissued before it expires, or TLS logging stops.

    fmtaf@fmreg26:/tmp/rsysconf$ certtool --generate-certificate --load-request request.pem --outfile rservtls-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
    Generating a signed certificate...
    Enter the certificate's serial number in decimal (123) or hex (0xabcd) (default is 0x5df5369b91556a947c9f33ba41defd7ad6cdaf23) value:
    Activation/Expiration time.
    The certificate will expire in (days): 1000
    Extensions.
    Do you want to honour all the extensions from the request? (y/N):
    Does the certificate belong to an authority? (y/N):
    Is this a TLS web client certificate? (y/N): y
    Will the certificate be used for IPsec IKE operations? (y/N):
    Is this a TLS web server certificate? (y/N): y
    Enter a dnsName of the subject of the certificate: 10.210.22.114   <Remote server IP/DNS name>
    Enter an additional dnsName of the subject of the certificate:
    Enter a URI of the subject of the certificate:
    Enter the IP address of the subject of the certificate:
    Will the certificate be used for signing (DHE ciphersuites)? (Y/n):
    Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
    Will the certificate be used for data encryption? (y/N):
    Will the certificate be used to sign OCSP requests? (y/N):
    Will the certificate be used to sign code? (y/N):
    Will the certificate be used for time stamping? (y/N):
    Will the certificate be used for email protection? (y/N):
    X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 5df5369b91556a947c9f33ba41defd7ad6cdaf23
        Validity:
            Not Before: Thu Mar 09 15:03:54 UTC 2023
            Not After: Wed Dec 03 15:03:57 UTC 2025
        Subject: CN=10.210.22.114
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
            Modulus (bits 2048):
                00:a7:f3:c9:05:27:f3:bc:d9:81:e4:67:9e:7c:44:2f
                d3:c8:8f:66:21:cd:d3:e3:2b:91:b9:36:bf:2b:bf:b4
                cf:2e:37:31:a0:ed:a9:8d:a2:e2:e5:f9:7a:c3:10:2c
                08:7e:ea:66:7e:d6:48:5a:c0:4b:2e:5e:94:c8:19:61
                12:66:53:f0:df:cd:cc:e9:40:f3:9a:ed:96:e5:3b:ba
                a6:19:df:ef:6f:d9:f2:62:64:9a:80:5f:6b:4c:bc:6b
                85:fb:70:c9:8d:d7:ff:40:32:4b:c2:92:82:e1:e3:ae
                51:e5:fa:70:1f:cd:3f:d2:da:f7:6b:c7:9b:20:df:d8
                54:9a:2e:88:4e:9f:f1:17:bd:63:e4:ee:f1:2d:73:86
                c8:7f:a8:e7:13:7f:20:5b:e7:47:52:ec:f5:55:ee:d3
                13:63:93:bf:d8:2e:43:d8:17:a8:9f:c3:3f:5b:5d:c9
                20:58:a5:26:fe:c4:8d:75:cf:d6:d8:7b:72:f1:ca:60
                fb:b6:11:0e:c1:da:62:e9:28:dc:ed:43:18:66:13:2e
                6e:54:a4:f8:72:82:4f:43:f6:9a:72:b9:ec:c4:15:cc
                65:9a:8d:78:e3:ab:99:c5:da:d4:28:40:e7:b0:53:b3
                a1:8d:71:2d:8d:0d:3c:cb:59:2e:de:6f:1d:ac:96:fd
                95
            Exponent (bits 24):
                01:00:01
        Extensions:
            Basic Constraints (critical):
                Certificate Authority (CA): FALSE
            Key Purpose (not critical):
                TLS WWW Client.
                TLS WWW Server.
            Subject Alternative Name (not critical):
                DNSname: 10.210.22.114
            Key Usage (critical):
                Digital signature.
                Key encipherment.
            Subject Key Identifier (not critical):
                068d2ac695b2b89eb631e8abc9441c9054c6b5e2
            Authority Key Identifier (not critical):
                c61e0b508686f9701616f57f1e49e3448b06f98d
    Other Information:
        Public Key ID:
            sha1:068d2ac695b2b89eb631e8abc9441c9054c6b5e2
            sha256:f81482f583c4e6a464ffcc2c05ddfdb00ef9b7255eb6d344006b116ebe28cd29
        Public Key PIN:
            pin-sha256:+BSC9YPE5qRk/8wsBd39sA75tyVettNEAGsRbr4ozSk=
    Is the above information ok? (y/N): y
    Signing certificate...
    fmtaf@fmreg26:/tmp/rsysconf$
Step 7. Copy the three files generated on the remote server (rservtls-cert.pem, rservtls-key.pem and ca.pem) to GigaVUE-FM at the path /etc/pki/tls/private. Copy only these three files; ca-key.pem stays on the remote server. The same three files must also be placed in /etc/pki/tls/private on the rsyslog server itself, since that is where /etc/rsyslog.conf from step 1 expects them. The -a option preserves the file modes, so make sure rservtls-key.pem is not world-readable before copying.

    # rsync -aP rservtls-* root@<GigaVUE-FM IP address>:/etc/pki/tls/private/
    # rsync -aP ca.pem root@<GigaVUE-FM IP address>:/etc/pki/tls/private/
Step 8. Run the following command on GigaVUE-FM to add the IP rule. The rsyslog server must also accept inbound TCP connections on port 514 from GigaVUE-FM, or the TLS session cannot be established.

    # sudo iptables -A INPUT -p tcp --dport 514 -j ACCEPT
Step 9. Run the fmctl command on GigaVUE-FM, giving the remote server address and port and the tls keyword. Then verify that TLS logging is configured by capturing port 514 traffic with sudo tcpdump on the remote server (for example, tcpdump -i any -nn -A tcp port 514): with TLS in use the capture shows a TLS handshake and the payload contains no readable syslog text.

    # fmctl logging 10.115.48.54:514 tls
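The following script is added here as an example and is not part of the Gigamon documentation or product. It performs steps 1 to 6 non-interactively using certtool template files (the --template option of gnutls-utils), so the answers given at the prompts above are recorded in a file instead of typed, then verifies the issued certificate against ca.pem and checks that the name it carries is the one used as the permitted peer. For the listener it emits the imtcp input-side directives ($InputTCPServerStreamDriver*) rather than the $ActionSend* directives, which only apply to outgoing actions. The ./rsysconf output directory, the template file names and the default peer name 10.115.48.54 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not Gigamon's code: non-interactive PKI setup and listener
# config for rsyslog over TLS (gtls driver). Requires gnutls-utils (certtool).
set -eu

# certtool template for the CA (step 3 answers): authority, signs certs and CRLs.
ca_template() {   # $1 = CA common name (assumed naming, for illustration)
  cat <<EOF
cn = "$1"
ca
expiration_days = 3650
signing_key
cert_signing_key
crl_signing_key
EOF
}

# certtool template for the rsyslog peer cert (steps 5-6 answers).
# The dns_name is what rsyslog's x509/name mode compares with PermittedPeer.
peer_template() { # $1 = peer name (the remote server IP/DNS name)
  cat <<EOF
cn = "$1"
dns_name = "$1"
expiration_days = 1000
tls_www_server
tls_www_client
signing_key
encryption_key
EOF
}

# Listener fragment for /etc/rsyslog.conf (step 1). Driver settings come first;
# $InputTCPServerRun creates the listener with the settings in effect at that line.
rsyslog_server_conf() { # $1 = permitted peer name, $2 = directory holding the PEM files
  cat <<EOF
\$ModLoad imtcp
\$DefaultNetstreamDriver gtls
\$DefaultNetstreamDriverCAFile $2/ca.pem
\$DefaultNetstreamDriverCertFile $2/rservtls-cert.pem
\$DefaultNetstreamDriverKeyFile $2/rservtls-key.pem
\$InputTCPServerStreamDriverMode 1
\$InputTCPServerStreamDriverAuthMode x509/name
\$InputTCPServerStreamDriverPermittedPeer $1
\$InputTCPServerRun 514
EOF
}

# Generate CA key/cert and the peer key/cert into $1 for peer name $2 (steps 2-6).
generate_pki() {
  dir=$1; peer=$2
  mkdir -p "$dir"; chmod 700 "$dir"
  (
    cd "$dir"
    umask 077                                   # keys are created owner-only
    ca_template "$peer-ca" > ca.tmpl
    peer_template "$peer" > peer.tmpl
    certtool --generate-privkey --bits 3072 --outfile ca-key.pem
    certtool --generate-self-signed --load-privkey ca-key.pem \
      --template ca.tmpl --outfile ca.pem
    certtool --generate-privkey --bits 2048 --outfile rservtls-key.pem
    certtool --generate-request --load-privkey rservtls-key.pem \
      --template peer.tmpl --outfile request.pem
    certtool --generate-certificate --load-request request.pem \
      --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem \
      --template peer.tmpl --outfile rservtls-cert.pem
    chmod 644 ca.pem rservtls-cert.pem          # public parts may be world-readable
    # Check 1: the issued certificate chains to ca.pem (fails non-zero otherwise).
    certtool --verify --load-ca-certificate ca.pem --infile rservtls-cert.pem
    # Check 2: the certificate carries the exact name rsyslog will match.
    info=$(certtool --certificate-info --infile rservtls-cert.pem)
    case "$info" in
      *"DNSname: $peer"*) ;;
      *) echo "peer name $peer missing from certificate SAN" >&2; exit 1 ;;
    esac
  )
}

# Usage: sh thisscript.sh run [peer-name]  -> files in ./rsysconf, config on stdout.
if [ "${1-}" = "run" ] && command -v certtool >/dev/null 2>&1; then
  generate_pki ./rsysconf "${2:-10.115.48.54}"
  rsyslog_server_conf "${2:-10.115.48.54}" /etc/pki/tls/private
fi
```

After running it, copy ca.pem, rservtls-cert.pem and rservtls-key.pem from ./rsysconf to /etc/pki/tls/private on both the rsyslog server and GigaVUE-FM, leave ca-key.pem behind, and paste the printed fragment into /etc/rsyslog.conf as in step 1.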