Wednesday, September 6, 2017

Forward syslogs to a central server using TLS (OpenBSD)

Syslogd runs by default on OpenBSD and is used to collect log messages on a host

You can see (some of) the logs using

$ tail /var/log/messages

And you can add a message using

$ logger 'hello'

Say you have dozens or hundreds of servers. You don't want to login to each one and look at each log. Instead, it makes sense to forward them to a central server. It's also safer, as it makes it more difficult for a hacker to hide his tracks.

We don't want to send potentially sensitive logs in plain text, so we'll use TLS

Server ( aka 'loghost')

# cd /etc/ssl/private
# openssl genrsa -out loghost.key 2048 `# generate 2048-bit RSA key`
# openssl req -x509 -new -key loghost.key -out ../loghost.crt -days 365 `# generate cert. set common name to loghost`
# echo ' loghost' >> /etc/hosts
# rcctl set syslogd flags "-S loghost" `# -S means use TLS`
# rcctl restart syslogd
# tail -f /var/log/messages `# watch for syslog messages`

Client ( aka 'logclient')

Add to /etc/syslog.conf:

*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none  @tls://loghost
auth,daemon,syslog,;authpriv.kern.debug  @tls://loghost

# echo ' loghost' >> /etc/hosts
# scp nonRootSSHUser@loghost:/etc/ssl/loghost.crt /etc/ssl/trusted.crt `# copy the cert from server`
# rcctl set syslogd flags "-h -C /etc/ssl/trusted.crt" `# use hostnames instead of IPs and set the TLS trust store`
# rcctl restart syslogd
# logger hello from logclient `# you should see this on loghost`

If you need to debug syslogd, run /usr/sbin/syslogd -d

No comments: