<div dir="ltr">Wow that did the trick. Thanks Kokan!</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Mar 17, 2021 at 1:13 PM Peter Kokai (pkokai) <<a href="mailto:Peter.Kokai@oneidentity.com">Peter.Kokai@oneidentity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
Strange behaviour. But this is due to a permission issue. Fix the permission of the certs and it should work.<br>
<br>
--<br>
kokan<br>
<br>
________________________________________<br>
From: syslog-ng <<a href="mailto:syslog-ng-bounces@lists.balabit.hu" target="_blank">syslog-ng-bounces@lists.balabit.hu</a>> on behalf of Steven La <<a href="mailto:steven.la@datastax.com" target="_blank">steven.la@datastax.com</a>><br>
Sent: 17 March 2021 21:05<br>
To: <a href="mailto:syslog-ng@lists.balabit.hu" target="_blank">syslog-ng@lists.balabit.hu</a><br>
Subject: [syslog-ng] Docker syslog-ng TLS issue<br>
<br>
I created a CA cert following the instructions here:<br>
<a href="https://support.oneidentity.com/fr-fr/technical-documents/syslog-ng-open-source-edition/3.22/mutual-authentication-using-tls" rel="noreferrer" target="_blank">https://support.oneidentity.com/fr-fr/technical-documents/syslog-ng-open-source-edition/3.22/mutual-authentication-using-tls</a><br>
<br>
And the serverkey.pem is not encrypted, but syslog-ng is asking for a password when it starts up for the serverkey.pem. Any help would be appreciated.<br>
<br>
<br>
Head of the server.key<br>
-----BEGIN PRIVATE KEY-----<br>
MIIEvAI....<br>
<br>
syslog error:<br>
[2021-03-17T19:56:03.552322] Error setting up TLS session context; tls_error='system library:fopen:Permission denied', location='/etc/syslog-ng/syslog-ng.conf:21:2'<br>
[2021-03-17T19:56:03.552355] Error setting up TLS context; keyfile='/etc/ssl/certs/cert.d/serverkey.pem'<br>
[2021-03-17T19:56:03.552407] Waiting for password; keyfile='/etc/ssl/certs/cert.d/serverkey.pem'<br>
<br>
<br>
syslog-ng config:<br>
@version: 3.29<br>
@include "scl.conf"<br>
<br>
source s_local {<br>
internal();<br>
};<br>
<br>
source s_network {<br>
default-network-drivers(<br>
# NOTE: TLS support<br>
#<br>
# the default-network-drivers() source driver opens the TLS<br>
# enabled ports as well, however without an actual key/cert<br>
# pair they will not operate and syslog-ng would display a<br>
# warning at startup.<br>
#<br>
tls(key-file("/etc/ssl/certs/cert.d/serverkey.pem") cert-file("/etc/ssl/certs/cert.d/servercert.pem") ca_dir("/etc/ssl/certs/ca.d"))<br>
                peer_verify(optional-untrusted)<br>
);<br>
};<br>
<br>
destination d_local {<br>
file("/var/log/messages");<br>
file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));<br>
};<br>
<br>
log {<br>
source(s_local);<br>
source(s_network);<br>
destination(d_local);<br>
};<br>
<br>
docker run command:<br>
sudo docker run -d --privileged -it -v "/data/syslog-ng/config/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf" -v "/data/syslog-ng/logs:/var/log" -v "/data/syslog-ng/certs:/etc/ssl/certs" -p 514:514/udp -p 601:601 -p 6514:6514 --name syslog-ng2 balabit/syslog-ng:latest -edv<br>
<br>
Thanks,<br>
Steven<br>
--<br>
<br>
Steven La<br>
<br>
408-503-0289<br>
<br>
<a href="mailto:steven.la@datastax.com" target="_blank">steven.la@datastax.com</a>  |  <a href="http://datastax.com" rel="noreferrer" target="_blank">datastax.com</a><br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Steven La<br>408-503-0289<br><a href="mailto:Steven.La@datastax.com" target="_blank">steven.la@datastax.com</a> | <a href="http://datastax.com/" target="_blank">datastax.com</a></div>
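An added example, not part of the thread and not syslog-ng code: a small triage helper that reads syslog-ng startup output like the lines quoted above and tells a misleading "Waiting for password" prompt caused by an unreadable key file apart from a genuinely passphrase-protected key. The function names and the "permission" / "encrypted" / "unknown" labels are assumptions made for this sketch; the sample log is copied from the thread.

```python
import re

# Log lines copied from the thread above (syslog-ng startup output).
SAMPLE_LOG = """\
[2021-03-17T19:56:03.552322] Error setting up TLS session context; tls_error='system library:fopen:Permission denied', location='/etc/syslog-ng/syslog-ng.conf:21:2'
[2021-03-17T19:56:03.552355] Error setting up TLS context; keyfile='/etc/ssl/certs/cert.d/serverkey.pem'
[2021-03-17T19:56:03.552407] Waiting for password; keyfile='/etc/ssl/certs/cert.d/serverkey.pem'
"""

# "[timestamp] message; key='value', key='value'"
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<msg>[^;]+);\s*(?P<kv>.*)$")
KV_RE = re.compile(r"([\w-]+)='([^']*)'")

def parse_line(line):
    """Split one internal() log line into message text and key/value pairs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "msg": m["msg"].strip(), **dict(KV_RE.findall(m["kv"]))}

def pem_is_encrypted(pem_text):
    """True if the PEM header marks the key as passphrase-protected."""
    return ("-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem_text
            or "Proc-Type: 4,ENCRYPTED" in pem_text)

def diagnose(log_text, pem_head=None):
    """Map each keyfile that triggered a password prompt to a likely cause."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    # Heuristic (assumption): an fopen "Permission denied" in the same startup
    # means the key could not be read at all, so the prompt is a side effect.
    fopen_denied = any("Permission denied" in e.get("tls_error", "") for e in events)
    result = {}
    for e in events:
        if e["msg"] == "Waiting for password" and "keyfile" in e:
            if fopen_denied:
                result[e["keyfile"]] = "permission"
            elif pem_head is not None and not pem_is_encrypted(pem_head):
                result[e["keyfile"]] = "unknown"   # plain key, no fopen error logged
            else:
                result[e["keyfile"]] = "encrypted"
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, "-----BEGIN PRIVATE KEY-----\nMIIEvAI...."))
```

When the result is "permission", check the ownership and mode of the key file as seen by the user syslog-ng runs as inside the container, since a bind-mounted directory keeps the host's ownership and mode bits.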