Friday, 15 August 2008

syslog-ng and stunnel part 2

Now we need to create the SSL certificates for the two machines (2 and 3) in order to set up the tunnel.

machine 3 certificate (server), run on machine 3:
# self-signed certificate valid for 3 years, unencrypted key; openssl writes the key to privkey.pem
openssl req -new -x509 -out cacert.pem -days 1095 -nodes
# machine 2 only needs the server's certificate (no key) to verify its peer: that becomes its CAfile
scp cacert.pem root@machine2:/etc/stunnel/syslog-ng-server.pem
# machine 3 itself uses key + certificate as its cert= file; it contains the private key, keep it root-only
cat privkey.pem cacert.pem > /etc/stunnel/syslog-ng-server.pem

Move privkey.pem and cacert.pem to another directory (the next openssl run would overwrite them), then let's create the machine 2 certificate (client), again on machine 3:
openssl req -new -x509 -out cacert.pem -days 1095 -nodes
# machine 2 uses key + certificate as its own cert= file
cat privkey.pem cacert.pem > syslog-ng-client.pem
scp syslog-ng-client.pem root@machine2:/etc/stunnel/syslog-ng-client.pem
# machine 3 only needs the client's certificate to verify it (its CAfile); the client's private key does not belong on the server
cp cacert.pem /etc/stunnel/syslog-ng-client.pem
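A small sanity check I would run before starting stunnel, added here as an example that is not part of the original post: the cert= file of each side must hold exactly one private key plus its certificate, and the CAfile= must hold certificates only. The sample files it builds use placeholder PEM bodies, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): check the stunnel PEM files
# the way they are assembled above. cert= needs key + certificate, CAfile=
# must contain certificates only (a private key in the peer's CAfile means the
# key was copied to a machine that does not need it).
# check_stunnel_pem FILE ROLE   (ROLE is "cert" or "cafile"); returns 0 when OK.
check_stunnel_pem() {
    file=$1 role=$2
    [ -r "$file" ] || return 1
    keys=$(awk '/^-----BEGIN .*PRIVATE KEY-----$/ {n++} END {print n+0}' "$file")
    certs=$(awk '/^-----BEGIN CERTIFICATE-----$/ {n++} END {print n+0}' "$file")
    case $role in
        cert)   [ "$keys" -eq 1 ] && [ "$certs" -eq 1 ] ;;
        cafile) [ "$keys" -eq 0 ] && [ "$certs" -ge 1 ] ;;
        *)      return 2 ;;
    esac
}

# Constructed sample files (placeholder PEM bodies, not real key material) so
# the check can be exercised without touching /etc/stunnel. Prints the directory.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' \
                  '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/syslog-ng-client.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$dir/syslog-ng-server.pem"
    # the mistake to catch: key + cert copied where only the cert is needed
    cp "$dir/syslog-ng-client.pem" "$dir/leaky-cafile.pem"
    echo "$dir"
}

# Live use on machine 2: check_stunnel_pem /etc/stunnel/syslog-ng-client.pem cert
#                        check_stunnel_pem /etc/stunnel/syslog-ng-server.pem cafile
```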

and now the configs, in /etc/stunnel/stunnel.conf on each machine:

machine2 (client):
client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3
[5140]
accept = 127.0.0.1:514
connect = machine3-IP:5140

machine3 (server):
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3
[5140]
accept = machine3-IP:5140
connect = 127.0.0.1:514

Now that both stunnel and syslog-ng are ready you can start them:
root@machine3:/# stunnel
root@machine3:/# service syslog-ng start

root@machine2:/# stunnel
root@machine2:/# service syslog-ng start

and hopefully all will be well (unless you have iptables blocking the damn thing! :P)

You can check that the tunnel is up with (the first shows the stunnel listener and its connection on 5140, the second the local syslog-ng end on 514):
netstat -putan | grep 5140
netstat -putan | grep 514
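Beyond eyeballing the grep output, the two things worth confirming on the log server are that stunnel listens on 5140 and that the cleartext syslog-ng port 514 is bound to 127.0.0.1 only. The function below, an added example that is not part of the original post, checks exactly that on "netstat -putan" output; the sample output and the 192.0.2.x addresses are constructed stand-ins.

```shell
#!/bin/sh
# Added example (not from the original post): verify from "netstat -putan"
# output on machine 3 that stunnel listens on TCP 5140 and that the plaintext
# syslog-ng TCP 514 listener is bound to loopback only, so no cleartext logs
# can be delivered over the wire. IPv4 only, as in the configs above
# (IPv6 sockets would show up as "tcp6" and are not considered here).

# Constructed sample (PIDs and addresses made up): a correct setup.
NETSTAT_OK='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:514           0.0.0.0:*               LISTEN      2211/syslog-ng
tcp        0      0 192.0.2.3:5140          0.0.0.0:*               LISTEN      2198/stunnel
tcp        0      0 192.0.2.3:5140          192.0.2.2:48120         ESTABLISHED 2198/stunnel
tcp        0      0 127.0.0.1:514           127.0.0.1:35012         ESTABLISHED 2211/syslog-ng'

# Constructed sample: same host, but the tcp() source was left on 0.0.0.0.
NETSTAT_EXPOSED='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      2211/syslog-ng
tcp        0      0 192.0.2.3:5140          0.0.0.0:*               LISTEN      2198/stunnel'

# check_tunnel_ports NETSTAT_OUTPUT
# Returns 0 only if at least one TCP listener on port 5140 exists and every
# TCP listener on port 514 is bound to 127.0.0.1.
check_tunnel_ports() {
    tunnel=$(printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" && $4 ~ /:5140$/ {n++} END {print n+0}')
    exposed=$(printf '%s\n' "$1" | awk '$1 == "tcp" && $6 == "LISTEN" && $4 ~ /:514$/ && $4 !~ /^127\.0\.0\.1:/ {n++} END {print n+0}')
    [ "$tunnel" -ge 1 ] && [ "$exposed" -eq 0 ]
}

# Live use on machine 3:  check_tunnel_ports "$(netstat -putan 2>/dev/null)"
if check_tunnel_ports "$NETSTAT_OK"; then echo "sample OK: tunnel listening, 514 on loopback only"; fi
```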

Finally, remember to add the "stunnel" command to the rc.d scripts of each machine so the channel is brought up every time the machines boot, BEFORE syslog-ng starts.

thanks for playing :)

syslog-ng and stunnel part 1

OK... let's now connect machines 1, 2 and 3

1=main server

2=secondary server

3=log server

On machine 1 we have a syslog sending data through UDP to machine 2; since they are VM guest and VM host the packets don't touch the wire, so we are kinda OK there. On the 2-to-3 path, though, we are going to use syslog-ng and stunnel, since those logs DO touch the wire.

after installing syslog-ng on both machines (2 and 3) we change the configuration files to:

machine 2 syslog-ng.conf:
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (4096);
    create_dirs (yes);
    perm (0640);
    dir_perm (0750);
    long_hostnames (off);
    use_dns (yes);
    dns_cache_hosts ("/etc/hosts");   # a file name, quoted like the other string values
    use_fqdn (yes);
    keep_hostname (yes);
    stats_freq (86400);
};

source s_sys {
    unix-stream ("/dev/log");
    file ("/proc/kmsg" log_prefix("kernel: "));
    udp();   # plain UDP syslog from machine 1 (default 0.0.0.0:514); acceptable only because that traffic never leaves the host
    internal();
};

filter f_default    { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth       { facility(auth, authpriv); };   # authpriv (sshd, su, sudo) is excluded from f_default, so catch it here or it is lost
filter f_mail       { facility(mail); };
filter f_boot       { facility(local7); };
filter f_cron       { facility(cron); };
filter f_emerg      { level(emerg); };

destination d_default { file("/var/log/messages"); };
destination d_auth    { file("/var/log/secure"); };
destination d_mail    { file("/var/log/maillog"); };
destination d_boot    { file("/var/log/boot.log"); };
destination d_cron    { file("/var/log/cron"); };
destination d_cons    { file("/dev/console"); };
destination d_user    { usertty("*"); };
destination d_loghost { tcp("127.0.0.1" port(514)); };   # local end of the stunnel client (accept = 127.0.0.1:514)

log { source(s_sys); filter(f_default); destination(d_default); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_sys); filter(f_emerg); destination(d_cons); destination(d_user); };
log { source(s_sys); destination(d_loghost); };

this is pretty much it for machine 2, ready to roll

before we roll we need to set up machine 3 and, most of all, stunnel on machines 2 and 3

machine 3 syslog-ng.conf:
options {
    sync (0);
    time_reopen (10);
    log_fifo_size (4096);
    create_dirs (yes);
    perm (0640);
    dir_perm (0750);
    long_hostnames (off);
    use_dns (yes);
    dns_cache_hosts ("/etc/hosts");   # a file name, quoted like the other string values
    use_fqdn (yes);
    keep_hostname (yes);
    stats_freq (86400);
};

source s_sys {
    unix-stream ("/dev/log");
    file ("/proc/kmsg" log_prefix("kernel: "));
    # only the local end of the stunnel server (connect = 127.0.0.1:514) may deliver here; nothing listens for cleartext on the wire
    tcp (ip ("127.0.0.1") port(514) max-connections (1));
    internal();
};

filter f_default    { level(info..emerg) and not (facility(mail) or facility(authpriv) or facility(cron)); };
filter f_auth       { facility(auth, authpriv); };   # authpriv (sshd, su, sudo) is excluded from f_default, so catch it here or it is lost
filter f_mail       { facility(mail); };
filter f_boot       { facility(local7); };
filter f_cron       { facility(cron); };
filter f_emerg      { level(emerg); };

destination d_default { file("/var/log/messages"); };
destination d_auth    { file("/var/log/secure"); };
destination d_mail    { file("/var/log/maillog"); };
destination d_boot    { file("/var/log/boot.log"); };
destination d_cron    { file("/var/log/cron"); };
destination d_cons    { file("/dev/console"); };
destination d_user    { usertty("*"); };

log { source(s_sys); filter(f_default); destination(d_default); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
log { source(s_sys); filter(f_emerg); destination(d_cons); destination(d_user); };

now we are done with configuring syslog-ng

before we start it we need to hook up stunnel so the encrypted channel is in place

move on to part 2