How to setup local Syslog server in TLS mode

Khushi JainKhushi Jain
2 min read

This is a guide on how to setup a local syslog server on a Linux machine

1. Update the packages list and install the latest version of rsyslog.

sudo apt update

sudo apt install rsyslog

  1. Create certificates and private key for both syslog server and client - and change subjectAltName and CN to desired values
openssl genrsa -out ca.key 2048

openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca-crt.pem

openssl req -newkey rsa:2048 -nodes -keyout syslog-key.pem -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.localhost.com" -out syslog.csr

openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,DNS:www.localhost.com") -days 365 -in syslog.csr -CA ca-cert.pem -CAkey ca.key -CAcreateserial -out syslog-cert.pem
  1. Change permissions of the file
chmod 777 *.pem

We need to provide ca-crt.pem, syslog-key.pem and syslog-cert.pem to syslog configuration.
ca-crt.pem is required to be configured as syslog server will then trust connections with this certificate

  1. Open the rsyslog.conf file and add the following lines.
sudo vi /etc/rsyslog.conf

Configure the path of certificates correctly below

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################
global(   DefaultNetstreamDriver="gtls"   DefaultNetstreamDriverCAFile="/home/User/ca-crt.pem"   DefaultNetstreamDriverCertFile="/home/User/syslog-cert.pem"
DefaultNetstreamDriverKeyFile="/home/User/syslog-key.pem" )

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.AuthMode="anon")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
  1. Install the below driver
sudo apt install rsyslog-gnutls
  1. Restart Syslog Server
sudo service rsyslog restart
  1. You can check the logs under
tail -f /var/log/syslog
0
Subscribe to my newsletter

Read articles from Khushi Jain directly inside your inbox. Subscribe to the newsletter, and don't miss out.

syslogrsyslogsetup

Written by

Khushi Jain
Khushi Jain

I am a software engineer at Elastic working on going big on OTel.