Logging, Syslog and Log Analysis Forums
Author Topic: Syslog-ng using TLS, require help  (Read 1687 times)
Lantzvillian
« on: July 03, 2009, 05:26:38 pm »

Hi everyone,

I am a syslog greenhorn, and I am in the process of trying to configure a syslog-ng server that uses TLS.  Currently I have it working for TCP and UDP and have the php-mysql-syslog frontend working.

I read http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s12.html

But I find it confusing.  How does one generate the certs they are talking about?  using certutil which is a part of the gnutls-utils package? or use Openssl...

If anyone has some simple steps to generate the certs, and add the material to my configs I would greatly appreciate this.
Admin
« Reply #1 on: July 03, 2009, 05:51:11 pm »

Yes, you'll either need to create a cert with openssl or buy a cert from a commercial certificate authority.  These instructions:
Quote:

Copy the CA certificate (e.g., cacert.pem) of the Certificate Authority that issued the certificate of the syslog-ng server to the syslog-ng client hosts, for example into the /etc/syslog-ng/ca.d directory.

Issue the following command on the certificate: openssl x509 -noout -hash -in cacert.pem. The result is a hash (e.g., 6d2962a8), a series of alphanumeric characters based on the Distinguished Name of the certificate.

Issue the following command to create a symbolic link to the certificate that uses the hash returned by the previous command and the .0 suffix.

ln -s cacert.pem 6d2962a8.0

assume you have a certificate and a CA certificate file from the CA.  If you search Google for "create self signed certificate using openssl" you should find directions to get going.
Lantzvillian
« Reply #2 on: July 06, 2009, 11:54:38 am »

I generated the CA and key with this command, and made sure that:

Code:
openssl req -new -x509 -days 3650 -nodes -out syslog-ng.cert -keyout syslog-ng.key

I created the directories and moved the PKI files to their associated locations.


I added this to my server's syslog-ng.conf:

Code:
source s_tls_syslog_source {
    tcp(ip(0.0.0.0) port(1999)
        transport("tls")
        tls(key_file("/etc/syslog-ng/key.d/syslog-ng.key")
            cert_file("/etc/syslog-ng/cert.d/syslog-ng.cert")
            peer_verify(optional-untrusted)
        )
    );
};

And then I restarted syslog-ng. However, it appears there is a syntax error on the first line of this source.

What is wrong?

« Last Edit: July 06, 2009, 12:42:55 pm by Lantzvillian »
badri.avg
« Reply #3 on: July 20, 2009, 08:43:33 am »

Follow these steps. It worked for me on Debian.


·   Create a CA key and generate a certificate request for the CA

Code:
openssl req -new -config openssl.cnf -keyout private/cakey.pem -out careq.pem

·   Now create a certificate for the CA by using the above key and self-sign it.

Code:
openssl ca -config openssl.cnf -create_serial -out external-ca.csr -batch -keyfile private/cakey.pem -selfsign -extensions v3_ca -infiles careq.pem

·   Now copy external-ca.csr to cacert.pem, because the next command will by default look for the CA certificate under the name cacert.pem

Code:
cp external-ca.csr cacert.pem

·   Now create the server key and generate a server certificate request

Code:
openssl req -nodes -new -keyout external-server.key -out cert-req.pem -config openssl.cnf

·   Now create a certificate for the server by using the above key and sign it with the CA certificate

Code:
openssl ca -config openssl.cnf -out external-server.csr -batch -infiles cert-req.pem

Now we have the following with us:
external-ca.csr: CA certificate
external-server.csr: Server certificate, which contains the public key
external-server.key: Server private key

·   Now copy the CA certificate to the syslog-ng client and do the following

Code:
openssl x509 -noout -hash -in external-ca.csr

·   The output of the above command is a hash value and will be of the format fa6084d0. Now create a symbolic link for the certificate for debugging purposes.

Code:
ln -s external-ca.csr fa6084d0.0
(please note the .0 suffix)

·   Now look for the following line in the syslog-ng.conf file on the client

Code:
destination d_logserver { tcp(); };
# Modify the above line to
Code:
destination d_logserver {
    tcp("external.badari.com"
        port(514)
        tls(ca_dir("/opt/syslog-ng/etc/ca.d"))
    );
};
Where external.badari.com is the FQDN of the server, 514 is the port where syslog listens, and ca_dir is the place where we have copied the CA certificate.

·   Now open the syslog-ng.conf file on the server and look for the following

Code:
source s_net {
    udp();
    tcp();      # modify this line
    syslog();
};

To

Code:
source s_net {
    udp();
    tcp(
        tls(
            key_file("/opt/syslog-ng/etc/external-server.key")
            cert_file("/opt/syslog-ng/etc/external-server.csr")
            peer_verify(optional-untrusted)
        )
    );
    syslog();
};

* Where /opt/syslog-ng/etc/external-server.key is the location of the private key of the server, used to decrypt the messages sent by the client.
* /opt/syslog-ng/etc/external-server.csr is the location of the certificate.
* peer_verify(optional-untrusted) is to disable the mutual authentication so that the client doesn't have to verify the server's identity.

·   Now restart syslog-ng on both machines and the user can see the logs going encrypted, from client to server, in the network captures.
« Last Edit: July 20, 2009, 08:51:52 am by badri.avg »
frakie
« Reply #4 on: February 02, 2010, 09:51:41 am »

I followed those instructions step by step, but on the server side syslog-ng logs:

SSL error while reading stream; tls_error='SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown'


Why? I can't handle it.
Admin
« Reply #5 on: February 02, 2010, 10:05:53 am »

It sounds like the server is not able to verify the authenticity of the cert that the client is presenting, but having the peer_verify(optional-untrusted) should have addressed that.

Take a look at this site: http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/ch03s13.html and see if anything is out of whack with what you have set up.
frakie
« Reply #6 on: February 02, 2010, 10:19:50 am »

Yes, I already read that paragraph on the pdf version.
The post above seems to tell correctly the same things.
I don't know what to do now.
Admin
« Reply #7 on: February 02, 2010, 10:21:09 am »

What OS and version of syslog-ng are you using on the client and server?
frakie
« Reply #8 on: February 02, 2010, 10:26:44 am »

Linux 2.6.18-8.el5PAE #1 SMP Fri Jan 26 14:28:43 EST 2007 i686 i686 i386 GNU/Linux
on both server and client.

syslog-ng-3.0.5-1.rhel5 on the server side
syslog-ng-client-3.0.5-1.rhel5 on the client side
frakie
« Reply #9 on: February 03, 2010, 04:49:29 am »

Is syslog-ng-client the problem? Do I need to install the server version on the client too?
frakie
« Reply #10 on: February 03, 2010, 06:20:16 am »

I've found my mistake: while creating the ca certificate and the server certificate I used my username in the

"Common Name (eg, your name or your server's hostname) []"

request. Now trying with the server IP address it works.

What is going to happen when the server IP address changes?
Admin
« Reply #11 on: February 03, 2010, 04:01:53 pm »

It will stop working again.  The best way to go would be to set up a host name for the client in DNS or in /etc/hosts; then you can change the IP address at will.
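As an added example (not code from this thread or from syslog-ng), the POSIX shell function below carries out the CA and server-certificate steps of Reply #3 and the host-name advice of the last reply in one place: it uses openssl req -x509 and openssl x509 -req instead of openssl ca, so no openssl.cnf or CA directory layout is needed, puts the server's host name (not a user name or an IP address) in the CN and a subjectAltName so the certificate keeps matching after an IP change, and then creates the hashed .0 link and verifies the chain the way a client's ca_dir() lookup would. The work directory, the host name and all file names are assumptions; the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a private CA and a server
# certificate with plain "openssl req" / "openssl x509 -req" (no openssl.cnf
# or CA directory layout needed), then creates the <hash>.0 link that a
# syslog-ng client's ca_dir() lookup expects and verifies the chain through it.
# Assumed: the openssl CLI is installed; $1 = work dir, $2 = server host name.
set -e

make_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir/ca.d" "$dir/key.d" "$dir/cert.d"

    # 1. CA key and self-signed CA certificate (10 years, as in the thread).
    openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
        -subj "/CN=syslog-ng test CA" \
        -keyout "$dir/key.d/cakey.pem" -out "$dir/cert.d/cacert.pem" 2>/dev/null

    # 2. Server key and certificate request. The CN is the host name the
    #    clients connect to, not a user name and not an IP address.
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$host" \
        -keyout "$dir/key.d/syslog-ng.key" -out "$dir/server.csr" 2>/dev/null

    # 3. Sign the request with the CA. A subjectAltName carrying the same
    #    name keeps the certificate valid when the server's IP changes.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$dir/server.ext"
    openssl x509 -req -days 3650 -in "$dir/server.csr" \
        -CA "$dir/cert.d/cacert.pem" -CAkey "$dir/key.d/cakey.pem" \
        -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/cert.d/syslog-ng.cert" 2>/dev/null

    # 4. What the client side needs: the CA cert inside ca_dir() under its
    #    subject-hash name with the .0 suffix (a relative symlink).
    subj_hash=$(openssl x509 -noout -hash -in "$dir/cert.d/cacert.pem")
    cp "$dir/cert.d/cacert.pem" "$dir/ca.d/cacert.pem"
    ln -sf cacert.pem "$dir/ca.d/$subj_hash.0"

    # 5. Verify the server certificate against ca.d exactly as a client with
    #    ca_dir("$dir/ca.d") would; set -e aborts if the chain is broken.
    openssl verify -CApath "$dir/ca.d" "$dir/cert.d/syslog-ng.cert" \
        | grep -q ': OK$'

    chmod 600 "$dir"/key.d/*     # private keys must not be world-readable
    echo "$subj_hash"            # the hash used for the link name
}
```

Source the file and call `make_pki /tmp/pki logserver.example.test`; it prints the subject hash and leaves key.d, cert.d and ca.d ready to be referenced from key_file(), cert_file() and ca_dir().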