
I have configured my syslog-ng server to receive logs over UDP, TCP and TLS. No problems for plain UDP and TCP, but with TLS I get a wrong date in the syslog header.

I created a self signed certificate with an unprotected private key (as stated here) and configured syslog-ng as follows:

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (1000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

source s_sys {
    system();
    internal();
    # udp(ip(0.0.0.0) port(514));
};

# Source UDP 514
source s_udp {
    network(
        ip(0.0.0.0)
        port(514)
        transport("udp")
    );
};

# Source TCP 514
source s_tcp {
    network(
        ip(0.0.0.0)
        port(514)
        transport("tcp")
        log-msg-size(16384)
    );
};

# Source TLS 6514
source s_tls {
    network(
        ip(0.0.0.0)
        port(6514)
        transport("tls")
        tls(
            key-file("/opt/certs/myserver.key")
            cert-file("/opt/certs/myserver.crt")
            peer-verify(optional-untrusted)
        )
    );
};

I am receiving messages from a source in the cloud; I have created the appropriate filter and log statements:

filter myfilter { netmask("xx.xx.xx.xx"); };   <-- public ip here
destination mydestination { file("/var/log/mysender.log" group("foo") owner("foo"));};
log { source(s_tls); filter(myfilter); destination(mydestination); flags(final); };

The cloud source is asking me for some information:

  • chain certificate
  • certificate
  • key certificate

As said, I have created a self-signed certificate on the server and set it for both certificate and chain certificate on my cloud source. I do not know what it is asking for as key certificate; to make it work I put the private key of the server there (though I don't think this is correct).

With this configuration, I can send test messages from my cloud source and I can see that the messages are received correctly and written to a file; the content is clear. But the date is always Jan 1 00:00:00.

Note: I have upgraded from syslog-ng 3.5 to 3.9; with the previous version I had the same problem, but the date was Dec 31 00:00:00.

I have many other sources using UDP and plain TCP and they are working. If I configure this source to use plain TCP, it works as well.

I can't understand what the problem is. Any idea on how to fix the date? Thanks in advance.

Miso Mijatovic
  • Hi, can you try running a tcpdump on your syslog-ng server to see if the date in the message is already wrong before reaching syslog-ng? – Robert Fekete Jun 15 '17 at 10:37
  • @RobertFekete Isn't the date added by the server itself? The date changed when I updated syslog-ng from 3.5 to 3.9 – Miso Mijatovic Jun 15 '17 at 14:39
  • I guess the date was wrong in both cases. The question is if syslog-ng messes up the date for some reason, or it's already bogus in the incoming message. If you do a tcpdump, you can see what's in the messages before they reach syslog-ng – Robert Fekete Jun 16 '17 at 07:32
  • OK, I discovered that this was an error of the platform that was sending me logs. It was difficult to demonstrate this to the vendor, which was insisting that there was an error with my configuration. Your comment about the tcpdump helped. – Miso Mijatovic Jul 31 '17 at 08:00

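The tcpdump check suggested in the comments settles the question for plain UDP and TCP, but on the tls() source the payload is encrypted on the wire, so the equivalent check there is to send a message whose header timestamp you control and compare what syslog-ng writes. The script below is an added example written for this thread, not code from the original post or from syslog-ng: it builds RFC 3164 and RFC 5424 test lines stamped with the local clock, flags any header time that disagrees with the receiving clock by more than a tolerance (a sender that stamps everything "Jan  1 00:00:00" shows up as months of skew), and delivers the probes to the tls() source while pinning the server's own self-signed certificate as the only trust anchor. The host name, the 5 minute tolerance, the newline-delimited framing (the default for a network() source) and the sample "cloudsrc" line are assumptions made for the example. Note also that peer-verify(optional-untrusted) in the posted config means the server neither requires nor validates a client certificate, so the netmask() filter is the only thing gating who can write to that file.

```python
#!/usr/bin/env python3
"""Probe a syslog-ng tls() source with known-good timestamps and flag skew.

Added example for the thread above, not the original poster's code.
Assumptions (hypothetical): syslog-ng listens on SERVER:6514 using the
self-signed /opt/certs/myserver.crt from the posted config, the network()
source uses newline-delimited framing (its default), and a header time more
than TOLERANCE away from the local clock counts as suspect.
"""
import datetime as dt
import re
import socket
import ssl

SERVER = "syslog.example.internal"      # assumption: the syslog-ng host
PORT = 6514
CAFILE = "/opt/certs/myserver.crt"      # the server's own self-signed cert
TOLERANCE = dt.timedelta(minutes=5)

MONTH_NAMES = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
MONTH_NUM = {name: i for i, name in enumerate(MONTH_NAMES, start=1)}

# <PRI>Mmm dd hh:mm:ss HOST TAG: MSG            (RFC 3164: no year, no zone)
RFC3164_RE = re.compile(
    r"^<\d{1,3}>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) ")
# <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG  (RFC 5424)
RFC5424_RE = re.compile(r"^<\d{1,3}>1 (?P<ts>\S+) ")


def build_rfc3164(pri, host, tag, msg, when):
    """BSD syslog line carrying the sender's wall-clock time in the header."""
    return "<%d>%s %2d %s %s %s: %s" % (
        pri, MONTH_NAMES[when.month - 1], when.day,
        when.strftime("%H:%M:%S"), host, tag, msg)


def build_rfc5424(pri, host, app, msg, when):
    """RFC 5424 line; `when` must be timezone-aware so the offset is emitted."""
    return "<%d>1 %s %s %s - - - %s" % (
        pri, when.isoformat(timespec="seconds"), host, app, msg)


def parse_timestamp(line, now):
    """Header timestamp as a datetime, or None if the line carries none.

    An RFC 3164 header has no year or zone, so both are taken from `now`,
    which is exactly what a receiver has to do as well.
    """
    m = RFC5424_RE.match(line)
    if m:
        ts = m.group("ts")
        if ts == "-":                    # NILVALUE: the sender sent no time
            return None
        if ts.endswith("Z"):             # older fromisoformat() rejects 'Z'
            ts = ts[:-1] + "+00:00"
        return dt.datetime.fromisoformat(ts)
    m = RFC3164_RE.match(line)
    if m:
        hh, mm, ss = (int(x) for x in m.group("time").split(":"))
        return dt.datetime(now.year, MONTH_NUM[m.group("mon")],
                           int(m.group("day")), hh, mm, ss, tzinfo=now.tzinfo)
    return None


def suspect_skew(line, now, tolerance=TOLERANCE):
    """Return (header time - now) when it exceeds `tolerance`, else None.

    A missing timestamp is not skew (syslog-ng then stamps the receive
    time), so such lines also return None.
    """
    ts = parse_timestamp(line, now)
    if ts is None:
        return None
    skew = ts - now
    return skew if abs(skew) > tolerance else None


def send_tls(lines, host=SERVER, port=PORT, cafile=CAFILE):
    """Deliver `lines` to the tls() source, trusting only the pinned cert.

    check_hostname is off because a self-signed cert's CN rarely matches the
    address used; verify_mode stays CERT_REQUIRED, so any other server cert
    is still rejected. Returns the negotiated protocol version.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        for line in lines:
            tls.sendall((line + "\n").encode("utf-8"))
        return tls.version()


if __name__ == "__main__":
    now = dt.datetime.now(dt.timezone.utc).astimezone()   # aware, local zone
    probes = [build_rfc3164(13, "probe", "tlstest", "bsd format", now),
              build_rfc5424(14, "probe", "tlstest", "5424 format", now)]
    # Constructed sample of the kind of line a misbehaving sender produced.
    bogus = "<13>Jan  1 00:00:00 cloudsrc app: test message"
    for line in probes + [bogus]:
        print("%-5s %s" % ("SKEW" if suspect_skew(line, now) else "ok", line))
    # If /var/log/mysender.log shows the right time for the probes, the
    # receiver is fine and the wrong date is produced on the sending side.
    print("sent over", send_tls(probes))
```

Run it from a host the netmask() filter admits and compare the timestamps syslog-ng writes with the ones the probes carried; the same `suspect_skew()` check can be run over the lines already in the destination file (with `now` set to the file's write time) to show a vendor how far their header times are from reality.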