Friday, 15 August 2008

syslog-ng and stunnel part 2

Now we need to create the ssl certificates for the two machines (2 and 3) in order to create the tunnel.

machine 3 certificate (server)
openssl req -new -x509 -out cacert.pem -days 1095 -nodes
scp cacert.pem root@machine2:/etc/stunnel/syslog-ng-server.pem
cat privkey.pem cacert.pem > /etc/stunnel/syslog-ng-server.pem

Keep the privkey.pem cacert.pem on an other directory and lets create the machine 2 certificates (client)
openssl req -new -x509 -out cacert.pem -days 1095 -nodes
cat privkey.pem cacert.pem > /etc/stunnel/syslog-ng-client.pem
scp syslog-ng-client.pem root@machine2:/etc/stunnel

and now the configs on each /etc/stunnel/stunnel.conf

machine2 (client):
client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3
[5140]
accept = 127.0.0.1:514
connect = machine3-IP:5140

machine3 (server):
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3
[5140]
accept = machine3-IP:5140
connect = 127.0.0.1:514

Now that both stunnel and syslog-ng is ready you can start them:
root@machine3:/# stunnel
root@machine3:/# service syslog-ng start

root@machine2:/# stunnel
root@machine2:/# service syslog-ng start

and hopefully all will be well (unless you have iptables blocking the damn thing! :P)

You can check out that the tunnel is up by doing:
netstat -putan | grep 5140

netstat -putan | grep 514

Finally remember to put the "stunnel" command to the rc.d of each machine so the channel can be initiated every time the machines boot up BEFORE syslog-ng.

thanks for playing :)

No comments:

Post a Comment