株式会社ヴァンデミックシステム


Both the server and the client run CentOS 8.4.
The procedure is split into server-side and client-side steps.
On the client side, the certificate authority's certificate has to be configured so that the server certificate can be verified.
In this setup, that certificate is ca.pem.

Server side

Create the certificate authority

# Install the certificate tooling
sudo yum -y install gnutls-utils

# Install the TLS module for rsyslog
sudo yum install rsyslog-gnutls

# CA private key
sudo certtool --generate-privkey --outfile ca-key.pem

# Create the CA certificate
sudo certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem

Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name:
UID:
Organizational unit name:
Organization name:
Locality name:
State or province name:
Country name (2 chars):
Enter the subject's domain component (DC):
This field should not be used in new certificates.
E-mail:
Enter the certificate's serial number in decimal (123) or hex (0xabcd)
(default is 0x576821c73a7876f76c9485a7682169f3e80985bf)
value:


Activation/Expiration time.
The certificate will expire in (days): 3650


Extensions.
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N):
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N):
Enter a dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Will the certificate be used for signing (required for TLS)? (Y/n):
Will the certificate be used for encryption (not required for TLS)? (Y/n):
Will the certificate be used for data encryption? (y/N):
Will the certificate be used to sign OCSP requests? (y/N):
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used for email protection? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 576821c73a7876f76c9485a7682169f3e80985bf
        Validity:
                Not Before: Sun Oct 10 07:34:46 UTC 2021
                Not After: Wed Oct 08 07:34:51 UTC 2031
        Subject:
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: High (3072 bits)
                Modulus (bits 3072):
                        00:a1:67:43:f9:f8:4f:c1:e6:b9:4c:39:f2:5f:1e:56
                        49:e7:6e:df:89:f9:05:56:23:a8:ed:c4:7b:6c:da:87
                        c3:d5:63:7a:b4:94:a8:94:0c:de:da:4b:b8:eb:48:05
                        f1:c1:bd:eb:89:ae:c0:a3:98:01:b6:fe:70:b8:e2:e0
                        8c:0e:b0:ec:3b:ef:f4:f5:22:bb:88:52:41:19:c7:a0
                        4e:43:21:af:3c:d0:ed:19:49:c3:99:c2:67:07:77:cc
                        a5:46:68:bb:12:89:bb:16:09:da:fe:c6:59:c2:ef:e5
                        5e:da:05:38:2d:22:44:e7:c2:1d:7a:42:e2:10:df:e1
                        71:73:e3:b1:57:36:08:42:46:5b:32:0e:84:2d:f6:8c
                        8e:91:b4:2d:73:b7:a3:a6:3c:d9:98:0f:c6:11:dd:a4
                        7a:3b:88:e7:9d:45:ad:e9:82:15:4f:97:db:b2:36:c0
                        ab:54:aa:08:43:80:21:d6:0c:e8:79:a2:cc:2c:c9:17
                        4a:24:e3:e2:2b:5a:85:fd:12:63:f9:df:38:57:ff:e2
                        4b:6b:4d:9c:d0:3d:f2:c8:e9:ab:ad:fc:25:64:2f:a8
                        d7:6c:20:2e:2e:3f:16:02:56:ff:e7:e5:d5:f2:bd:d8
                        10:53:0b:f8:e5:68:dd:2a:a8:c3:82:4a:38:c6:20:ac
                        9d:18:2a:7f:d5:0f:36:81:48:11:c6:9e:d5:1e:dc:04
                        77:c3:01:4a:14:c5:81:01:8f:6c:4d:86:26:16:2a:cd
                        8d:8b:83:32:af:25:ab:33:09:ca:5f:a9:f7:b2:82:8e
                        9d:3d:b3:35:5c:ad:7c:e7:94:00:7b:40:31:0e:05:6f
                        51:55:27:1f:e5:47:7a:72:1c:e3:2a:58:5d:7b:90:f6
                        07:7e:6b:0c:fe:b1:b2:e0:11:b4:48:92:ff:b2:1a:e9
                        ef:6e:eb:9b:54:d8:85:8b:a1:0e:59:83:c4:55:fa:10
                        b9:fb:25:3f:80:b7:5d:e1:f4:c2:c9:15:84:10:eb:02
                        f3
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Subject Key Identifier (not critical):
                        0bae2254fbe5b1e9296f70226a8874b75193e843
Other Information:
        Public Key ID:
                sha1:0bae2254fbe5b1e9296f70226a8874b75193e843
                sha256:ceff07d21b71c2021482894b487ab5f36bd294b44de2738203015fe2f4770c3d
        Public Key PIN:
                pin-sha256:zv8H0htxwgIUgolLSHq182vSlLRN4nOCAwFf4vR3DD0=

Is the above information ok? (y/N):

On the server, create the private key and a certificate request signed with that key

# Create the private key for the server certificate
sudo certtool --generate-privkey --outfile server-key.pem

# Create the certificate request
sudo certtool --generate-request --load-privkey server-key.pem --outfile server-request.pem

# Issue the certificate from the CA
sudo certtool --generate-certificate --load-request server-request.pem --outfile server-cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

The CA certificate, the server certificate and the server private key are all needed, so place them in the designated directory.

# Create the certificate directory
mkdir /etc/rsyslog.d/tls

# Place the certificates and key
mv ca.pem /etc/rsyslog.d/tls/
mv server-cert.pem /etc/rsyslog.d/tls
mv server-key.pem /etc/rsyslog.d/tls
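The interactive certtool session above answers every prompt with the default, and its own output shows the consequence: the CA certificate carries "Certificate Authority (CA): FALSE" and an empty Subject, and the server certificate gets no dnsName. A certificate issued that way cannot be used as a trust anchor once verification is turned on. The script below is an added example, not part of the original post: it drives certtool with template files so the CA flag, the signing key usage and the server name are set non-interactively, verifies that server-cert.pem chains to ca.pem, and installs the files with the private key readable only by root. The server name syslog.example.com, the working directory and the install path are assumptions; `--sec-param high` yields the same 3072-bit RSA keys the page's output shows.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive CA and server
# certificate issuance with certtool templates, followed by a chain check.
# Assumed values: server name syslog.example.com, the directories passed in.
set -eu

# Templates. "ca" and "cert_signing_key" are exactly what the interactive
# session on the page left unset (its output reads "Certificate Authority
# (CA): FALSE"); without them GnuTLS does not accept ca.pem as a signer.
# "dns_name" gives the server certificate the name a client can check.
write_templates() {
    dir=$1; server_name=$2
    cat > "$dir/ca.tmpl" <<EOF
cn = "rsyslog test CA"
ca
cert_signing_key
expiration_days = 3650
EOF
    cat > "$dir/server.tmpl" <<EOF
cn = "$server_name"
dns_name = "$server_name"
tls_www_server
signing_key
encryption_key
expiration_days = 825
EOF
}

# CA key + self-signed CA cert, then server key, request and issued cert.
issue_certs() {
    dir=$1; server_name=$2
    write_templates "$dir" "$server_name"
    certtool --generate-privkey --sec-param high --outfile "$dir/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca.pem"
    certtool --generate-privkey --sec-param high --outfile "$dir/server-key.pem"
    certtool --generate-request --load-privkey "$dir/server-key.pem" \
        --template "$dir/server.tmpl" --outfile "$dir/server-request.pem"
    certtool --generate-certificate --load-request "$dir/server-request.pem" \
        --load-ca-certificate "$dir/ca.pem" --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/server.tmpl" --outfile "$dir/server-cert.pem"
}

# Exit 0 if the "certtool -i" output on stdin carries the CA basic constraint.
is_ca_info() {
    grep -q 'Certificate Authority (CA): TRUE'
}

# Exit 0 only if ca.pem is a real CA and server-cert.pem chains to it.
verify_chain() {
    dir=$1
    certtool -i --infile "$dir/ca.pem" | is_ca_info
    certtool --verify --load-ca-certificate "$dir/ca.pem" \
        --infile "$dir/server-cert.pem" >/dev/null 2>&1
}

# Copy into the rsyslog TLS directory; the private key must stay root-only.
install_certs() {
    src=$1; dest=$2
    mkdir -p "$dest"
    cp "$src/ca.pem" "$src/server-cert.pem" "$src/server-key.pem" "$dest/"
    chmod 0644 "$dest/ca.pem" "$dest/server-cert.pem"
    chmod 0600 "$dest/server-key.pem"
}

# Stand-alone run (RUN_CERT_DEMO=1 sh issue-certs.sh): issue into a temp
# directory and verify; the operator then calls
#   install_certs "$work" /etc/rsyslog.d/tls
if [ "${RUN_CERT_DEMO:-0}" = 1 ] && command -v certtool >/dev/null 2>&1; then
    work=$(mktemp -d)
    issue_certs "$work" syslog.example.com
    verify_chain "$work" && echo "chain OK, files in $work"
fi
```

Run it with `RUN_CERT_DEMO=1 sh issue-certs.sh` on the server; `certtool -i --infile ca.pem` afterwards shows `Certificate Authority (CA): TRUE` where the page's output shows FALSE.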

Configure the server-side conf file

vim /etc/rsyslog.d/00-tls-server.conf

#
# TLS Server
#

# Load the module that provides TCP reception
$ModLoad imtcp

# Make GnuTLS the default network stream driver
$DefaultNetstreamDriver gtls

# Configure the CA certificate, server certificate and private key
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/server-key.pem

# Mode 1 = TLS-encrypted communication
$InputTCPServerStreamDriverMode 1

# anon = no certificate authentication
$InputTCPServerStreamDriverAuthMode anon

# Maximum number of sessions
$InputTCPMaxSessions 4000

# Upper limit on open file descriptors, which bounds the number of TCP connections
$MaxOpenFiles 65536

# Listen on port 514/TCP
# This must be placed last or it does not work correctly
$InputTCPServerRun 514

Start the service

systemctl restart rsyslogd

Client side

vim /etc/rsyslog.d/00-tls-client.conf

#
# TLS Client
#

# Make GnuTLS the default driver
$DefaultNetstreamDriver gtls

# Configure the CA certificate
#       - cert and key are not needed
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem

# Mode 1 = TLS-encrypted communication
$ActionSendStreamDriverMode 1

# anon = no certificate authentication
$ActionSendStreamDriverAuthMode anon

Append the forwarding rule to rsyslog.conf (or a file under rsyslog.d).
Note that @ sends over UDP and @@ over TCP.

local1.*                                                @@192.168.56.109:514 #TCP
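With `anon` on both sides the connection is encrypted but neither side checks a certificate, so ca.pem on the client is loaded and never consulted, and the client will talk to anything that answers on 514/TCP. rsyslog's `x509/name` mode validates the peer certificate against the CA file and additionally requires the peer's name to match a `PermittedPeer` entry (`x509/certvalid` does the validation without the name check). The script below is an added example and not part of the original post: it writes the client and server configs with verification switched on and audits a config file for the weak setting. The server name syslog.example.com, the peer pattern `*.example.com`, the client certificate paths, and the output locations are assumptions; a client certificate is only required if the server side is set to `x509/name`, and it is issued from the same CA in the same way as the server certificate.

```shell
#!/bin/sh
# Added example, not from the original post: the page's server/client pair
# with certificate verification (AuthMode x509/name) instead of anon, plus a
# small audit that flags the weak setting. Hypothetical values: the server
# name syslog.example.com, the peer pattern, client cert paths, output paths.
set -eu

# Client: verify the server certificate against ca.pem and require its name
# to match the permitted peer (the name must be in the server certificate).
write_client_conf() {
    out=$1; server_ip=$2; server_name=$3
    cat > "$out" <<'EOF'
#
# TLS Client (verifies the server)
#
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
# Client certificate and key: needed only when the server uses x509/name
# (hypothetical file names, issued from the same CA as the server cert)
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/client-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/client-key.pem
$ActionSendStreamDriverMode 1
# x509/name: validate the chain to ca.pem and check the server's name
$ActionSendStreamDriverAuthMode x509/name
EOF
    printf '$ActionSendStreamDriverPermittedPeer %s\n' "$server_name" >> "$out"
    printf 'local1.* @@%s:514\n' "$server_ip" >> "$out"
}

# Server: clients must present a certificate from the same CA whose name
# matches PEER_PATTERN (for example *.example.com).
write_server_conf() {
    out=$1; peer_pattern=$2
    cat > "$out" <<'EOF'
#
# TLS Server (verifies clients)
#
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/server-key.pem
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
EOF
    printf '$InputTCPServerStreamDriverPermittedPeer %s\n' "$peer_pattern" >> "$out"
    cat >> "$out" <<'EOF'
$InputTCPMaxSessions 4000
$MaxOpenFiles 65536
$InputTCPServerRun 514
EOF
}

# Audit: exit 1 with a reason when a config leaves the peer unverified.
audit_conf() {
    f=$1
    if grep -Eq 'StreamDriverAuthMode[[:space:]]+anon' "$f"; then
        echo "WEAK: $f uses AuthMode anon, no certificate is checked"
        return 1
    fi
    if grep -Eq 'StreamDriverAuthMode[[:space:]]+x509/name' "$f" &&
       ! grep -Eq 'StreamDriverPermittedPeer[[:space:]]+[^[:space:]]' "$f"; then
        echo "WEAK: $f uses x509/name but lists no PermittedPeer"
        return 1
    fi
    echo "OK: $f"
}

# Syntax check with rsyslogd itself when it is installed (-N1 parses and exits).
check_syntax() {
    command -v rsyslogd >/dev/null 2>&1 || { echo "rsyslogd not installed, skipping"; return 0; }
    rsyslogd -N1 -f "$1"
}

# Stand-alone run: write both files into a temp dir and audit them.
tmp=$(mktemp -d)
write_client_conf "$tmp/00-tls-client.conf" 192.168.56.109 syslog.example.com
write_server_conf "$tmp/00-tls-server.conf" '*.example.com'
audit_conf "$tmp/00-tls-client.conf"
audit_conf "$tmp/00-tls-server.conf"
```

`audit_conf /etc/rsyslog.d/00-tls-client.conf` run against the page's client file reports the `anon` line; after switching to `x509/name` run `check_syntax` on the file before restarting rsyslog, since a rejected certificate or a name mismatch only shows up at connection time.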

Verifying operation

Run on the client side

logger -p local1.error "test by logger"

If a log entry like this arrives on the server side, it is working.

[root@CENT84-server ~]# tail -5 /var/log/messages
Oct 10 04:41:52 CENT84-server systemd[1]: Starting Network Manager Script Dispatcher Service...
Oct 10 04:41:52 CENT84-server dbus-daemon[752]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Oct 10 04:41:52 CENT84-server systemd[1]: Started Network Manager Script Dispatcher Service.
Oct 10 04:42:02 CENT84-server systemd[1]: NetworkManager-dispatcher.service: Succeeded.
Oct 10 04:42:20 CENT84-client root[1730]: test by logger
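Seeing the logger message in /var/log/messages proves delivery, not that the transport was TLS or that the server presented a certificate the client would trust. The script below is an added example and not part of the original post: `probe_tls` performs a handshake against the listener with gnutls-cli (shipped in the gnutls-utils package installed earlier), which verifies the server certificate against ca.pem and the host name given on the command line, and `find_message` pulls the forwarded entry for a given sending host out of syslog-format lines. The host name syslog.example.com and the embedded log sample are assumptions; the sample is constructed to mirror the page's output.

```shell
#!/bin/sh
# Added example (not from the original post): two checks for the "does it
# work" step. probe_tls needs a running server; find_message runs offline.
# Assumed: server name syslog.example.com; the sample log is constructed.
set -eu

# Handshake with the rsyslog listener. gnutls-cli validates the server
# certificate against the CA file and the host name on the command line and
# exits non-zero when verification fails.
probe_tls() {
    host=$1; port=$2; cafile=$3
    gnutls-cli --x509cafile "$cafile" --port "$port" "$host" </dev/null >/dev/null 2>&1
}

# Print the last syslog line from HOST whose message contains TEXT; exit 1
# if there is none. Field 4 of the default /var/log/messages format is the
# sending host, so the check cannot be satisfied by the server's own entries.
find_message() {
    host=$1; text=$2
    awk -v h="$host" -v t="$text" '
        $4 == h && index($0, t) { hit = $0 }
        END { if (hit == "") exit 1; print hit }'
}

# Constructed sample in /var/log/messages format (mirrors the page's output).
sample_log() {
    cat <<'EOF'
Oct 10 04:41:52 CENT84-server systemd[1]: Starting Network Manager Script Dispatcher Service...
Oct 10 04:42:02 CENT84-server systemd[1]: NetworkManager-dispatcher.service: Succeeded.
Oct 10 04:42:20 CENT84-client root[1730]: test by logger
EOF
}

# Stand-alone use: sh verify-tls.sh syslog.example.com 514 /etc/rsyslog.d/tls/ca.pem
# then: find_message CENT84-client "test by logger" < /var/log/messages
if [ $# -eq 3 ]; then
    if probe_tls "$1" "$2" "$3"; then
        echo "TLS handshake with $1:$2 verified against $3"
    else
        echo "TLS handshake with $1:$2 FAILED (no TLS, untrusted cert, or name mismatch)"
        exit 1
    fi
fi
```

Run `probe_tls` from the client against the name in the server certificate, not the bare IP from the forwarding rule, because gnutls-cli checks the certificate name against the host argument.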

Reference sites
https://qiita.com/saeki4n/items/198407c8710d769dfa55
http://blog.father.gedow.net/2013/08/13/rsyslog-tls/
