Graylog2 / graylog2-server

Free and open log management
https://www.graylog.org

rsyslog over tls: incoming messages but no message in the input stream #5013

Open shibumi opened 6 years ago

shibumi commented 6 years ago

We have set up a client with rsyslog to send data over TLS to the graylog server. We see incoming data on the right port with tcpdump and we have no errors in our logs (both client and graylog), but we can't see any messages in the input stream.

We have configured the input stream on the web interface like this:

graylog server log messages:

2018-08-21_10:34:01.95319 INFO  [AbstractTcpTransport] Enabled TLS for input [Syslog TCP/5b7bde773500d103c0a38504]. key-file="/etc/graylog/rsyslog-tls.key.pem" cert-file="/etc/graylog/graylog-pubkey.pem"
2018-08-21_10:34:01.95445 INFO  [InputStateListener] Input [Syslog TCP/5b7bde773500d103c0a38504] is now STARTING
2018-08-21_10:34:01.97969 WARN  [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogTCPInput{title=Syslog-over-TLS, type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=82767910-b4b4-4997-aa8e-b2b62f0805e1} should be 1048576 but is 212992.
2018-08-21_10:34:01.98067 INFO  [InputStateListener] Input [Syslog TCP/5b7bde773500d103c0a38504] is now RUNNING

rsyslog client configuration looks like this:

$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  -/var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log
$DefaultNetstreamDriverCAFile /etc/ssl/graylog-pubkey.pem
$ActionSendStreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS
$ActionSendStreamDriverAuthMode x509/name # authenticate by hostname
$ActionSendStreamDriverPermittedPeer graylog.<censored>
*.*     @@<censored>:514

rsyslog log messages:

Aug 21 10:38:11 cloud-168.<censored> systemd[1]: Starting System Logging Service...
Aug 21 10:38:11 cloud-168.<censored> rsyslogd[1063]:  [origin software="rsyslogd" swVersion="8.24.0" x-pid="1063" x-info="http://www.rsyslog.com"] start
Aug 21 10:38:11 cloud-168.<censored> systemd[1]: Started System Logging Service.

Expected Behavior

We should be able to see incoming messages in the graylog instance.

Current Behavior

We see incoming messages on the port via tcpdump, but we don't see any messages in the web interface.

Possible Solution

no idea

Steps to Reproduce (for bugs)

  1. Set up rsyslog over TLS with the configuration above
  2. configure syslog tcp input with tls like above
  3. restart rsyslog on client
  4. watch incoming messages with tcpdump

Context

My goal is secure log forwarding via rsyslog on clients to graylog.

Your Environment
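As an added diagnostic for the setup described in this issue (example code, not from the issue or from the Graylog project), the script below opens a TLS connection the way the rsyslog gtls settings above require it, verifying the server certificate against the CA file and its name against the permitted peer, and then sends one LF-framed syslog line so a completed handshake can be confirmed independently of rsyslog. The host name, port and peer name are placeholders for the censored values; the CA path is taken from the posted config.

```python
import socket
import ssl
import time

# Placeholders: the issue censors the real host, so these are assumed values.
GRAYLOG_HOST = "graylog.example.invalid"     # the <censored> forwarding target
GRAYLOG_PORT = 514                           # port from '*.* @@<censored>:514'
CA_FILE = "/etc/ssl/graylog-pubkey.pem"      # $DefaultNetstreamDriverCAFile
PERMITTED_PEER = "graylog.example.invalid"   # $ActionSendStreamDriverPermittedPeer


def build_syslog_line(facility, severity, hostname, tag, msg, ts=None):
    """Build one RFC 3164-style line with a trailing LF, the framing rsyslog's
    omfwd uses over plain TCP by default (Graylog's Syslog TCP input expects
    LF delimiting unless its null-frame-delimiter option is enabled)."""
    if ts is None:
        now = time.localtime()
        ts = time.strftime("%b", now) + f" {now.tm_mday:2d} " + time.strftime("%H:%M:%S", now)
    return f"<{facility * 8 + severity}>{ts} {hostname} {tag}: {msg}\n"


def parse_pri(line):
    """Split a syslog line's <PRI> header into (facility, severity), the same
    decoding Graylog performs; returns None when the header is malformed."""
    end = line.find(">")
    if not line.startswith("<") or end < 2 or end > 4 or not line[1:end].isdigit():
        return None
    pri = int(line[1:end])
    return divmod(pri, 8) if pri <= 191 else None


def send_test_message(host, port, ca_file, permitted_peer, line, timeout=5.0):
    """Connect with TLS verifying the server certificate against ca_file and
    its name against permitted_peer (what gtls mode 1 + x509/name require),
    then write one framed line. Returns the negotiated TLS version so the
    caller knows the handshake really completed; tcpdump cannot show that."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=permitted_peer) as tls:
            tls.sendall(line.encode("utf-8"))
            return tls.version()


if __name__ == "__main__":
    probe = build_syslog_line(1, 6, "cloud-168", "tlsprobe", "graylog tls input probe")
    print("sending:", probe.rstrip())
    print("handshake completed with", send_test_message(
        GRAYLOG_HOST, GRAYLOG_PORT, CA_FILE, PERMITTED_PEER, probe))
```

If the handshake fails here with a verification error, the certificate presented by the Graylog input does not chain to the CA file or does not carry the permitted peer name, which rsyslog in x509/name mode would also reject; if it succeeds and the probe still never appears in the stream, the problem lies after the TLS layer (for example framing or parsing on the input).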

r0039 commented 5 years ago

Hi @shibumi, how about this one? Did you fix it? Could you please give me some advice? I am working on this scenario. Thank you so much!

shibumi commented 5 years ago

@r0039 I just gave up and I hoped somebody would answer this issue.