fluent-plugins-nursery / fluent-plugin-remote_syslog

Fluentd plugin for output to remote syslog service (e.g. Papertrail)
https://github.com/dlackty/fluent-plugin-remote_syslog
MIT License

TLS with selfsigned certificate #44

Open mreiger opened 3 years ago

mreiger commented 3 years ago

Hi, I am trying to use this plugin (via the fluentd kubernetes daemonset Debian syslog docker image, which as far as I can tell uses this plugin for output).

I need to use TLS encryption and the syslog receiver uses a self-signed certificate. Therefore I tried to disable certificate verification with the verify_mode parameter; however, I still get a verification error and no connection.

This is my output configuration:

  <label @OUTPUT>
    <match **>
      @type remote_syslog
      host "syslogserver"
      port 12555
      protocol tcp
      tls true
      verify_mode 0
      packet_size 65535
      <buffer>
        retry_max_interval 300
      </buffer>
      <format>
        @type "json"
      </format>
    </match>
  </label>

Name matching is done via an /etc/hosts entry (through Kubernetes hostAliases).

The self-signed certificate has "syslogserver" both as issuer and subject CN; but this should not matter since I try to disable certificate verification anyway.

The error message I get is:

2021-06-11 17:41:49 +0000 [warn]: #0 failed to flush the buffer. retry_time=0 next_retry_seconds=2021-06-11 17:41:50 +0000 chunk="5c48105438fdcf12caab52270b36345b" error_class=RuntimeError error="verification error"
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/remote_syslog_sender-1.2.1/lib/remote_syslog_sender/tcp_sender.rb:73:in `block in connect'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/remote_syslog_sender-1.2.1/lib/remote_syslog_sender/tcp_sender.rb:52:in `synchronize'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/remote_syslog_sender-1.2.1/lib/remote_syslog_sender/tcp_sender.rb:52:in `connect'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/remote_syslog_sender-1.2.1/lib/remote_syslog_sender/tcp_sender.rb:38:in `initialize'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluent-plugin-remote_syslog-1.0.0/lib/fluent/plugin/out_remote_syslog.rb:136:in `new'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluent-plugin-remote_syslog-1.0.0/lib/fluent/plugin/out_remote_syslog.rb:136:in `create_sender'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluent-plugin-remote_syslog-1.0.0/lib/fluent/plugin/out_remote_syslog.rb:91:in `write'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.11.2/lib/fluent/plugin/output.rb:1133:in `try_flush'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.11.2/lib/fluent/plugin/output.rb:1439:in `flush_thread_run'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.11.2/lib/fluent/plugin/output.rb:461:in `block (2 levels) in start'
  2021-06-11 17:41:49 +0000 [warn]: #0 /fluentd/vendor/bundle/ruby/2.6.0/gems/fluentd-1.11.2/lib/fluent/plugin_helper/thread.rb:78:in `block in thread_create'

I also tried other values for verify_mode after some searching:

but the result - and the error message - is the same.

Can you advise me what the correct use of the parameter is?

mreiger commented 3 years ago

Update: Using the self-signed certificate as CA certificate (parameter ca_file) works.

Still, it is not clear to me how the verify_mode parameter is supposed to work. Can anyone clarify?
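
The OpenSSL behaviour behind the two observations above, as an added example that is not part of the original thread or of the plugin's code: with verify mode 0 (`OpenSSL::SSL::VERIFY_NONE`) the handshake completes but the socket's `verify_result` still records the self-signed error, while putting the certificate itself in the trust store (as the `ca_file` workaround does) yields `V_OK`. That the sender checks `verify_result` after connecting is an assumption suggested by the "verification error" in the trace, not something this page confirms; the helper names and the generated certificate are constructed for the demo.

```ruby
require "openssl"
require "socket"

# Constructed identity: self-signed, subject CN == issuer CN, as in the report.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# One handshake over an in-process socket pair; returns what the client saw.
def handshake(key, cert, verify_mode:, trust: nil)
  srv_io, cli_io = UNIXSocket.pair
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = cert, key
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = verify_mode
  cctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(trust) } if trust
  server = Thread.new do
    OpenSSL::SSL::SSLSocket.new(srv_io, sctx).accept
  rescue StandardError
    nil # the server side fails whenever the client rejects the certificate
  end
  client = OpenSSL::SSL::SSLSocket.new(cli_io, cctx)
  begin
    client.connect
    [true, client.verify_result]   # [handshake_completed, verify_result]
  rescue OpenSSL::SSL::SSLError
    [false, client.verify_result]
  ensure
    cli_io.close
    server.join
    srv_io.close
  end
end

def demo
  key, cert = self_signed("syslogserver")
  none, peer = OpenSSL::SSL::VERIFY_NONE, OpenSSL::SSL::VERIFY_PEER # 0 and 1
  { verify_none: handshake(key, cert, verify_mode: none),
    verify_peer: handshake(key, cert, verify_mode: peer),
    peer_with_ca: handshake(key, cert, verify_mode: peer, trust: cert) }
end
p demo if __FILE__ == $PROGRAM_NAME
```

A client that treats any `verify_result` other than `V_OK` as fatal will therefore reject a self-signed peer regardless of `verify_mode`, and only adding the certificate to the trust store changes that result.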

satish-suradkar commented 2 years ago

Hi @mreiger

I have created a self-signed CA certificate. Created a server certificate and signed that with the CA.

Syslog server config ->

$ModLoad imtcp
$InputTCPServerRun 1514
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon

#Make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
#
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server-key.pem

Fluentd config


<match *.*>
  @type remote_syslog
  host <syslogsrver-hostname>
  port 1514
  protocol tcp
  tls true
  ca_file /etc/rsyslog-keys-my-ss/ca.pem
</match>

getting err --> error="verification error"


2022-05-25 12:45:24 +0000 [warn]: #0 failed to flush the buffer. retry_time=11 next_retry_seconds=2022-05-25 13:04:30 +0000 chunk="5dfd52f20e6fd2d95309fb4f32b59316" error_class=RuntimeError error="verification error"
 2022-05-25 12:45:24 +0000 [warn]: #0 suppressed same stacktrace
2022-05-25 13:04:34 +0000 [warn]: #0 failed to flush the buffer. retry_time=12 next_retry_seconds=2022-05-25 13:41:59 +0000 chunk="5dfd52f20e6fd2d95309fb4f32b59316" error_class=RuntimeError error="verification error"
 2022-05-25 13:04:34 +0000 [warn]: #0 suppressed same stacktrace

Could you please suggest what I'm missing?