4.2. How to Set Up rsyslogd on the Rigado Gateway for Remote Logging

4.2.1. Configuring the Yocto build

4.2.1.1. Enabling rsyslog

Two recipes are needed to send logs securely to a logging server: rsyslog (the daemon) and gnutls (the TLS library behind rsyslog's gtls network stream driver). They can be added to the Yocto build using either method below.

4.2.1.1.1. Method 1

Add rsyslog and gnutls to the IMAGE_INSTALL list of your own image recipe.

4.2.1.1.2. Method 2

Add the following line to your build/conf/local.conf file:

CORE_IMAGE_EXTRA_INSTALL += "rsyslog gnutls"

4.2.1.2. Disabling syslog from BusyBox

With rsyslog in the image, the syslog daemon built into BusyBox should be disabled so that the image does not ship two syslog daemons. The instructions for disabling syslog from BusyBox are as follows.

  1. Create the following directory tree in your custom layer:

    recipes-core/busybox/busybox

  2. In the folder recipes-core/busybox/busybox, create a file named no_syslog.cfg with the following content:

    # CONFIG_SYSLOGD is not set
    # CONFIG_FEATURE_ROTATE_LOGFILE is not set
    # CONFIG_FEATURE_REMOTE_LOG is not set
    # CONFIG_FEATURE_SYSLOGD_DUP is not set
    # CONFIG_FEATURE_SYSLOGD_CFG is not set
    CONFIG_FEATURE_SYSLOGD_READ_BUFFER_SIZE=0
    # CONFIG_FEATURE_IPC_SYSLOG is not set
    CONFIG_FEATURE_IPC_SYSLOG_BUFFER_SIZE=0
    # CONFIG_LOGREAD is not set
    # CONFIG_FEATURE_LOGREAD_REDUCED_LOCKING is not set
    # CONFIG_FEATURE_KMSG_SYSLOG is not set
    # CONFIG_FEATURE_SYSLOG is not set
    
  3. In the folder recipes-core/busybox, create a file named busybox_%.bbappend with the following content. The _prepend and _remove override syntax used here is that of Yocto releases before Honister (3.4); on newer releases write :prepend and :remove instead.

    FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
    
    PACKAGES_remove = "${PN}-syslog"
    RRECOMMENDS_${PN}_remove = " ${PN}-syslog"
    
    SRC_URI += " \
         file://no_syslog.cfg \
         "
    

4.2.2. Generating the machine certificate

There are three things to keep in mind when creating machine certificates:

  1. The rsyslogd version on the client needs to be <= the rsyslogd version on the server.
  2. The hostnames must be correct while creating the certificates: in x509/name mode the server compares the name in the gateway's certificate (CN or dnsName) against its permitted-peer list, and the gateway compares the name in the server's certificate against its own $ActionSendStreamDriverPermittedPeer setting.
  3. The certificates must match on the client and server: both must be issued by the same CA, whose ca.pem is installed on both sides.

For these instructions, the following versions were used:

  • server: rsyslogd v8.23
  • client: rsyslogd v8.22
  • certificate tool: certtool v3.4.10

These instructions were based on information at the following link:

The Rigado Gateway Hostname used was: 081020317-00018.RigadoGateway.com

Before beginning, get a copy of ca.pem and ca-key.pem for your server and copy them into your working directory. ca-key.pem is the CA's private key: run the signing step below on the machine where that key is kept, and transfer only gateway-cert.pem and ca.pem to the gateway; never copy ca-key.pem onto a gateway.

Run the following commands. The prompts and the answers used for the gateway are shown after each command. The dnsName must be the gateway's hostname; it is entered in the signing step, because certtool does not honour the request's extensions by default.

certtool --generate-privkey --outfile key.pem --sec-param medium

certtool --generate-request --load-privkey key.pem --outfile request.pem

   Generating a PKCS #10 certificate request...
   Common name: 081020317-00018.RigadoGateway.com
   Organizational unit name: Gateway
   Organization name: Rigado
   Locality name: Salem
   State or province name: OR
   Country name (2 chars): US
   Enter the subject's domain component (DC):
   UID:
   Enter a dnsName of the subject of the certificate:
   Enter a URI of the subject of the certificate:
   Enter the IP address of the subject of the certificate:
   Enter the e-mail of the subject of the certificate:
   Enter a challenge password:
   Does the certificate belong to an authority? (y/N):
   Will the certificate be used for signing (DHE ciphersuites)? (Y/n):
   Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
   Is this a TLS web client certificate? (y/N): y
   Is this a TLS web server certificate? (y/N): y
   Self signature: verified

certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

   Generating a signed certificate...
   Enter the certificate's serial number in decimal (default: 6402638645929295356):
   Activation/Expiration time.
   The certificate will expire in (days): 1000

   Extensions.
   Do you want to honour the extensions from the request? (y/N):
   Does the certificate belong to an authority? (y/N):
   Is this a TLS web client certificate? (y/N): y
   Will the certificate be used for IPsec IKE operations? (y/N):
   Is this a TLS web server certificate? (y/N): y
   Enter a dnsName of the subject of the certificate: 081020317-00018.RigadoGateway.com
   Enter a dnsName of the subject of the certificate:
   Enter a URI of the subject of the certificate:
   Enter the IP address of the subject of the certificate:
   Will the certificate be used for signing (DHE ciphersuites)? (Y/n):
   Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
   X.509 Certificate Information:

rm -f request.pem

mv cert.pem gateway-cert.pem
mv key.pem gateway-key.pem
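
The same three certtool steps, driven by template files instead of the interactive prompts, with checks for the two mistakes the list above warns about (certificate not chaining to ca.pem, wrong hostname). This is an added example, not a script from the Rigado page. It assumes GNU certtool is on PATH, that ca.pem and ca-key.pem are in $CA_DIR on the CA host, and that the output directory is $OUT_DIR; the hostname default is the one used on the page. generate_test_ca is a hypothetical helper that creates a throw-away CA only so the script can be exercised end to end; in production use the logging server's existing CA files. The certificate template requests TLS client use only, where the page ticks both client and server use: the gateway only ever acts as the TLS client towards the log server.

```shell
#!/bin/sh
# Added example (not from the Rigado page): the certtool procedure above, made
# non-interactive with template files, plus pre-deployment checks.
# Assumptions: certtool on PATH; ca.pem/ca-key.pem in $CA_DIR (the CA host,
# not the gateway); gateway key and certificate written to $OUT_DIR.
set -eu

GATEWAY_FQDN="${GATEWAY_FQDN:-081020317-00018.RigadoGateway.com}"  # hostname from the page
CA_DIR="${CA_DIR:-.}"     # where ca.pem / ca-key.pem live
OUT_DIR="${OUT_DIR:-.}"   # where gateway-key.pem / gateway-cert.pem are written

# Template standing in for the interactive CSR answers. cn and dns_name are
# both the gateway hostname: rsyslog's x509/name check accepts either name,
# and a mismatch between them is a common source of confusion.
write_request_template() {
    fqdn="$1"; out="$2"
    cat > "$out" <<EOF
organization = "Rigado"
unit = "Gateway"
locality = "Salem"
state = "OR"
country = "US"
cn = "$fqdn"
dns_name = "$fqdn"
signing_key
encryption_key
tls_www_client
EOF
}

# Template for the signed certificate: 1000-day lifetime as on the page, the
# dnsName repeated (request extensions are not honoured by default), and TLS
# client use only. Add tls_www_server here if your server-side checks need it.
write_cert_template() {
    fqdn="$1"; out="$2"
    cat > "$out" <<EOF
expiration_days = 1000
dns_name = "$fqdn"
signing_key
encryption_key
tls_www_client
EOF
}

# Hypothetical helper: a throw-away CA so the script can run end to end.
# In production, use the logging server's existing ca.pem / ca-key.pem.
generate_test_ca() {
    cat > "$CA_DIR/ca.tmpl" <<EOF
cn = "$1"
ca
cert_signing_key
expiration_days = 3650
EOF
    (umask 077; certtool --generate-privkey --sec-param medium --outfile "$CA_DIR/ca-key.pem")
    certtool --generate-self-signed --template "$CA_DIR/ca.tmpl" \
        --load-privkey "$CA_DIR/ca-key.pem" --outfile "$CA_DIR/ca.pem"
}

# The page's three certtool commands, non-interactively. The private key is
# created with owner-only permissions (umask 077) and is the one file that
# must go nowhere except /rsyslog/protected on the gateway.
generate_gateway_cert() {
    fqdn="$1"
    write_request_template "$fqdn" "$OUT_DIR/request.tmpl"
    write_cert_template "$fqdn" "$OUT_DIR/cert.tmpl"
    (umask 077; certtool --generate-privkey --sec-param medium --outfile "$OUT_DIR/gateway-key.pem")
    certtool --generate-request --template "$OUT_DIR/request.tmpl" \
        --load-privkey "$OUT_DIR/gateway-key.pem" --outfile "$OUT_DIR/request.pem"
    certtool --generate-certificate --template "$OUT_DIR/cert.tmpl" \
        --load-request "$OUT_DIR/request.pem" \
        --load-ca-certificate "$CA_DIR/ca.pem" --load-ca-privkey "$CA_DIR/ca-key.pem" \
        --outfile "$OUT_DIR/gateway-cert.pem"
    rm -f "$OUT_DIR/request.pem" "$OUT_DIR/request.tmpl" "$OUT_DIR/cert.tmpl"
}

# Checks before copying anything to the gateway: the certificate must verify
# against the ca.pem the server trusts, and must carry the gateway hostname
# as a dnsName. A wrong hostname shows up later only as a peer-name
# authorization error in the server's log, which is harder to diagnose.
verify_gateway_cert() {
    fqdn="$1"
    certtool --verify --load-ca-certificate "$CA_DIR/ca.pem" \
        --infile "$OUT_DIR/gateway-cert.pem" >/dev/null || return 1
    certtool -i --infile "$OUT_DIR/gateway-cert.pem" | grep -qF "DNSname: $fqdn"
}

# Usage: sh gen-gateway-cert.sh run   (set CA_DIR / OUT_DIR / GATEWAY_FQDN first)
case "${1:-}" in
    run) generate_gateway_cert "$GATEWAY_FQDN"; verify_gateway_cert "$GATEWAY_FQDN" ;;
esac
```

Running the script with `run` leaves gateway-key.pem and gateway-cert.pem in $OUT_DIR, ready for the copy step in the next section; the templates can be kept under version control so every gateway is issued the same way.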

4.2.3. Setting up rsyslog on the client

These instructions were based on the following link:

  1. On the Gateway, append the following snippet to /etc/rsyslog.conf. Replace log.example.com with the logging server's hostname and 514 with the port it listens on. The name given to $ActionSendStreamDriverPermittedPeer must be the name in the server's certificate, because x509/name mode checks the server's certificate against it; the @@ prefix selects TCP, which TLS requires.

    # make gtls driver the default
    $DefaultNetstreamDriver gtls
    
    # certificate files
    $DefaultNetstreamDriverCAFile /rsyslog/protected/ca.pem
    $DefaultNetstreamDriverCertFile /rsyslog/protected/gateway-cert.pem
    $DefaultNetstreamDriverKeyFile /rsyslog/protected/gateway-key.pem
    
    $ActionSendStreamDriverAuthMode x509/name
    $ActionSendStreamDriverPermittedPeer log.example.com
    $ActionSendStreamDriverMode 1 # run driver in TLS-only mode
    *.* @@log.example.com:514 # forward everything to remote server
    
  2. Copy the following files to the Gateway folder /rsyslog/protected (create it if it does not exist). gateway-key.pem is the gateway's private key: make it readable only by root (chmod 600), since rsyslogd starts as root and no other process on the gateway needs it.

    ca.pem
    gateway-cert.pem
    gateway-key.pem
    
  3. Reboot the Vesta Gateway. rsyslogd starts with the new configuration and forwards all messages (*.*) to the server over TLS. If nothing arrives, check rsyslogd's own error messages on the gateway (certificate, key and peer-name problems are reported there) and confirm that the server's TCP port is reachable from the gateway.
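
The client setup above as a script: it writes the same forwarding configuration in rsyslog's current RainerScript syntax, adds the disk-assisted queue the page's snippet lacks (without one, rsyslog discards messages while the server is unreachable), and runs two checks before the reboot: the key-file permissions, and a TLS handshake against the server with gnutls-cli, which verifies the server certificate against ca.pem and its hostname exactly as rsyslogd will. This is an added example, not a script from the Rigado page. It assumes rsyslog 7 or later on the gateway (the page uses v8.22), gnutls-cli from GnuTLS installed on the gateway, the file paths used on the page, and that /etc/rsyslog.conf includes /etc/rsyslog.d/*.conf; if it does not, append the generated file to /etc/rsyslog.conf instead, and in either case use this configuration or the page's legacy snippet, not both, or every message is forwarded twice.

```shell
#!/bin/sh
# Added example (not from the Rigado page): rsyslog TLS client setup with
# pre-reboot checks. Assumes rsyslog >= 7, gnutls-cli installed, and the
# /rsyslog/protected layout used on the page.
set -eu

PROTECTED="${PROTECTED:-/rsyslog/protected}"

# Writes the forwarding config. Equivalent to the page's legacy snippet
# (gtls driver, TLS-only mode, x509/name authentication of the server by the
# name in its certificate). An action() without an "if" applies to every
# message, i.e. the page's "*.*". The queue.* parameters spool messages to
# disk while the server is down instead of dropping them, and
# action.resumeRetryCount="-1" retries forever.
write_client_config() {
    out="$1"; server="$2"; port="$3"
    cat > "$out" <<EOF
# TLS forwarding to the central log server (generated)
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="$PROTECTED/ca.pem"
    DefaultNetstreamDriverCertFile="$PROTECTED/gateway-cert.pem"
    DefaultNetstreamDriverKeyFile="$PROTECTED/gateway-key.pem"
)
action(
    type="omfwd" protocol="tcp" target="$server" port="$port"
    StreamDriver="gtls" StreamDriverMode="1"
    StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="$server"
    queue.type="LinkedList" queue.filename="fwd_tls"
    queue.maxDiskSpace="100m" queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)
EOF
}

# The private key must be readable by its owner only (root, which rsyslogd
# runs as by default). Parses ls -l rather than stat -c so it also works with
# BusyBox on the gateway.
check_key_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || [ "$mode" = "-r--------" ]
}

# Handshake test before rebooting. gnutls-cli verifies the server certificate
# against ca.pem and checks that it carries the server hostname (exit status
# is non-zero otherwise), and presents the gateway certificate and key as
# rsyslogd would. Reading from /dev/null closes the session after the
# handshake. Not exercised by the checks below, since it needs a live server.
probe_tls() {
    server="$1"; port="$2"
    gnutls-cli --x509cafile "$PROTECTED/ca.pem" \
        --x509certfile "$PROTECTED/gateway-cert.pem" \
        --x509keyfile "$PROTECTED/gateway-key.pem" \
        --port "$port" "$server" </dev/null
}

# Usage (as root on the gateway): sh setup-tls-client.sh log.example.com 514
if [ $# -eq 2 ]; then
    check_key_perms "$PROTECTED/gateway-key.pem" || {
        echo "gateway-key.pem is missing or not mode 0600; fix with: chmod 600 $PROTECTED/gateway-key.pem" >&2
        exit 1
    }
    probe_tls "$1" "$2"
    write_client_config /etc/rsyslog.d/50-tls-forward.conf "$1" "$2"
    echo "config written; reboot (step 3), then test with: logger -t tls-test 'hello from $(hostname)'"
fi
```

After the reboot, the logger line printed at the end sends a tagged test message that is easy to search for on the server; if it does not arrive, the gnutls-cli probe can be re-run on its own to separate a certificate or name problem from a network one.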