I'm now trying rsyslog. I'm trying to receive logs from an external system (Barracuda: https://campus.barracuda.com/product/essentials/doc/85494328/syslog-integration/, but someone else manages this system) using rsyslog over TLS.
Actual behavior:
I configured /etc/rsyslog.conf to be able to receive logs over TLS; however, I continue to receive them encrypted.
Of course, I previously created the certificates and added them to the corresponding directory, and I made sure to restart the service and check permissions.
My configuration in /etc/rsyslog.conf:
module(load="imuxsock")
module(load="immark")
module(load="imudp")
input(type="imudp" port="514")
module(load="imklog" permitnonkernelfacility="on")
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$RepeatedMsgReduction on
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
$WorkDirectory /var/spool/rsyslog
$IncludeConfig /etc/rsyslog.d/*.conf
$DefaultNetstreamDriver gtls
#certificate
$DefaultNetstreamDriverCAFile /etc/pki/tls/private/ca.pem
$DefaultNetstreamDriverCertFile /etc/pki/tls/private/cert.pem
$DefaultNetstreamDriverKeyFile /etc/pki/tls/private/key.pem
$ModLoad imtcp
$InputTCPServerStreamDriverAuthMode anon
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 6514
I checked that the port is listening:
user@hostname:$ sudo lsof -i :6514
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
rsyslogd 38073 syslog 8u IPv4 1323597 0t0 TCP *:syslog-tls (LISTEN)
rsyslogd 38073 syslog 9u IPv6 1323598 0t0 TCP *:syslog-tls (LISTEN)
rsyslogd 38073 syslog 13u IPv4 1323908 0t0 TCP 192.168.1.102:syslog-tls->encrypt-barracuda.com:42480 (ESTABLISHED)
But when I open the file /var/log/syslog, the logs I receive are encrypted :((
Thanks a lot, and I hope somebody can help me :(
- Environment:
rsyslog version: 8.2112.
platform: Ubuntu 22.04.1 LTS
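
An added diagnostic example, not part of the original post: it checks whether lines in /var/log/syslog are raw TLS records stored as text, which is what a listener that receives TLS bytes without terminating TLS writes to disk. It assumes rsyslog's default escaping of control characters as `#` plus three octal digits; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: rsyslog's default control-character escaping is active, so a raw
# byte below 0x20 is written to the log file as '#' plus three octal digits.
ESCAPE = re.compile(r"#([0-3][0-7]{2})")
# TLS record header: content type 0x14-0x17, then version 0x03 0x00-0x03.
RECORD = re.compile(r"#02[4-7]#003#00[0-3]")
CONTENT_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                 0x16: "handshake", 0x17: "application_data"}
VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


def unescape(text):
    """Turn '#026'-style escapes back into bytes; other characters pass through."""
    decoded = ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), text)
    return decoded.encode("latin-1", "replace")


def tls_record_in(line):
    """Return (content_type, record_version) if the line holds a TLS record header."""
    hit = RECORD.search(line)
    if hit is None:
        return None
    header = unescape(hit.group(0))
    return CONTENT_TYPES[header[0]], VERSIONS[header[2]]


def summarize(lines):
    """Count log lines per verdict: a TLS record type, or 'plain'."""
    verdicts = Counter()
    for line in lines:
        found = tls_record_in(line)
        verdicts[found[0] if found else "plain"] += 1
    return verdicts


# Constructed sample lines, not taken from the original post.
SAMPLE = [
    "Jan 10 09:15:01 loghost #026#003#001#002#000#001#000#001\u00fc#003#003",
    "Jan 10 09:15:02 loghost #027#003#003#000@\u00e9\u00a4",
    "Jan 10 09:15:03 mailgw app[412]: message delivered id=42",
]

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE).items():
        print(f"{verdict}: {count}")
```

Lines reported as `handshake` or `application_data` mean the bytes on the wire were TLS but were logged before decryption; open the real file with `encoding="latin-1"` so 8-bit bytes do not raise decode errors.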