Centralized logging with syslog-ng over stunnel

Installing syslog-ng and stunnel

Log in to the client and the server, download syslog-ng and stunnel, and install them:

[root@host]# yum install -y openssl-devel glibc gcc glib2

[root@host]# wget http://www.stunnel.org/download/stunnel/src/stunnel-4.26.tar.gz

[root@host]# lynx http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/pkgs/dists/rhel-5/syslog-ng-ose-2.1.3/i386/RPMS.syslog-ng/

[root@host]# mkdir -p /usr/local/var/run/stunnel/

[root@host]# cd /usr/src

[root@host]# tar zxfv stunnel-4.26.tar.gz

[root@host]# cd stunnel-4.26

[root@host]# ./configure

[root@host]# make

[root@host]# make install

[root@host]# cd /usr/src/SYSLOG-NG

[root@host]# rpm -Uvh libdbi8-0.8.2bb2-3.rhel5.i386.rpm libdbi8-dev-0.8.2bb2-3.rhel5.i386.rpm libevtlog0-0.2.8-1.i386.rpm syslog-ng-2.1.3-1.i386.rpm

Creating the certificates

After the installation is complete, log in to your CA server and create the server and the client certificates. If more than one client will log to the server, you have to generate a new client certificate for each of them:

[root@host]# cd /etc/pki/tls/certs

[root@host]# make syslog-ng-server.pem

[root@host]# make syslog-ng-client.pem


Place copies of syslog-ng-server.pem in /etc/stunnel on all machines, with one important alteration: the clients only need the certificate section of syslog-ng-server.pem. In other words, remove the private key section from syslog-ng-server.pem on all clients.

Place each client's own syslog-ng-client.pem in its /etc/stunnel. For the server, create a special syslog-ng-client.pem containing the certificate sections of all clients and place it in /etc/stunnel. In other words, remove the private key section from every client's syslog-ng-client.pem and concatenate what is left to create the server's special syslog-ng-client.pem.

Note: it is very important that you enter the server's short name when you are asked for the Common Name!
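The "remove the private key sections and concatenate" step above is easy to get wrong by hand, and a leftover key block would put a client's private key on the server. This added example (not part of the original howto) builds the server's combined syslog-ng-client.pem by keeping only CERTIFICATE blocks and then checks the result; the function names and the constructed PEM contents are this example's own.

```shell
#!/bin/sh
# Added example (not from the original howto): build the server's combined
# syslog-ng-client.pem from each client's full syslog-ng-client.pem, keeping
# only the CERTIFICATE blocks so no client private key ever lands on the server.
# Function names are this example's own; the howto only names the resulting
# file /etc/stunnel/syslog-ng-client.pem.

# Print only the CERTIFICATE blocks of a PEM file (drops the private key
# and any readable text that the RHEL "make *.pem" target may prepend).
pem_certs_only() {
    awk '/^-----BEGIN CERTIFICATE-----$/ {keep=1}
         keep {print}
         /^-----END CERTIFICATE-----$/ {keep=0}' "$1"
}

# Concatenate certificate-only copies of every client PEM into $1.
build_client_bundle() {
    out=$1; shift
    : > "$out"
    for pem in "$@"; do
        pem_certs_only "$pem" >> "$out" || return 1
    done
}

# Sanity check before the bundle is copied to /etc/stunnel on the server:
# exactly $2 certificates and no private key block at all.
check_client_bundle() {
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    keys=$(grep -c 'PRIVATE KEY-----$' "$1" || true)
    [ "$certs" -eq "$2" ] && [ "$keys" -eq 0 ]
}

# Demo on constructed input: fake PEM bodies, not real keys or certificates.
demo_bundle() {
    d=$(mktemp -d) || return 1
    for c in web1 db1; do
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' "KEYDATA-$c" \
            '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
            "CERTDATA-$c" '-----END CERTIFICATE-----' > "$d/$c.pem"
    done
    build_client_bundle "$d/syslog-ng-client.pem" "$d/web1.pem" "$d/db1.pem" &&
        check_client_bundle "$d/syslog-ng-client.pem" 2
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Run build_client_bundle with the real client files, then check_client_bundle with the number of clients, before copying the bundle to the server.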

Creating the configuration files

Create the stunnel.conf configuration file in /etc/stunnel on the client:

[root@host]# vi /etc/stunnel/stunnel.conf

#foreground = yes
#debug = 7
client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3

[5140]
accept = 127.0.0.1:514
connect = server.yourdomain.com:5140

For syslog-ng.conf you can start with:

[root@host]# vi /etc/syslog-ng/syslog-ng.conf

options { long_hostnames(off); sync(0); };

source src { unix-stream("/dev/log"); pipe("/proc/kmsg"); internal(); };

destination dest { file("/var/log/messages"); };
destination stunnel { tcp("127.0.0.1" port(514)); };

log { source(src); destination(dest); };
log { source(src); destination(stunnel); };

Similarly, stunnel.conf on the server can look like this:

[root@host]# vi /etc/stunnel/stunnel.conf

#foreground = yes
debug = 7
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3

[5140]
accept = server.yourdomain.com:5140
connect = 127.0.0.1:514

An example of syslog-ng.conf on the server:

[root@host]# vi /etc/syslog-ng/syslog-ng.conf

options { long_hostnames(off); sync(0); keep_hostname(yes); chain_hostnames(no); };

source src { unix-stream("/dev/log"); pipe("/proc/kmsg"); internal(); };
source stunnel { tcp(ip("127.0.0.1") port(514) max-connections(500)); };

destination remoteclient { file("/var/backup/CentralizedLogging/remoteclients"); };
destination dest { file("/var/log/messages"); };

log { source(src); destination(dest); };
log { source(stunnel); destination(remoteclient); };

Starting syslog-ng and stunnel

Make sure syslog-ng is not running (it starts automatically once you install it from the RPMs):

[root@host]# killall syslog-ng

Start syslog-ng BEFORE stunnel by running:

[root@host]# syslog-ng -f /etc/syslog-ng/syslog-ng.conf

Make sure it's running by checking the logs:

[root@host]# tail -f /var/log/messages

Start stunnel by running:

[root@host]# stunnel /etc/stunnel/stunnel.conf

Make sure stunnel is running by checking the logs:

[root@host]# tail -f /var/log/messages

If stunnel is not running, uncomment the debug line in stunnel.conf, start stunnel again and check the logs for a detailed description of the problem.

Final steps

Restart stunnel on the server so that it re-reads the certificate file and accepts the newly added clients:

[root@host]# killall stunnel

[root@host]# stunnel /etc/stunnel/stunnel.conf

Make sure syslog-ng is not started through the init process on the client:

[root@host]# chkconfig --level 2345 syslog-ng off

Edit /etc/rc.d/rc.local on the client and add syslog-ng and stunnel:

[root@host]# vi /etc/rc.d/rc.local

echo "Starting syslog-ng ..."
syslog-ng -f /etc/syslog-ng/syslog-ng.conf
echo "Starting stunnel ..."
stunnel /etc/stunnel/stunnel.conf

To test the remote logging run on the client:

[root@host]# logger "Testing remote logging"

The message should appear on your remote server in /var/backup/CentralizedLogging/remoteclients.