Wow that did the trick. Thanks Kokan!

On Wed, Mar 17, 2021 at 1:13 PM Peter Kokai (pkokai) <Peter.Kokai@oneidentity.com> wrote:
Hello,
Strange behaviour. But this is due to a permission issue. Fix the permissions of the certs and it should work.
-- kokan
________________________________________
From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Steven La <steven.la@datastax.com>
Sent: 17 March 2021 21:05
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Docker syslog-ng TLS issue
I created a CA cert following the instructions here:
https://urldefense.proofpoint.com/v2/url?u=https-3A__support.oneidentity.com...
And the serverkey.pem is not encrypted, but syslog-ng is asking for a password for the serverkey.pem when it starts up. Any help would be appreciated.
Head of the server.key:

-----BEGIN PRIVATE KEY-----
MIIEvAI....
syslog error:

[2021-03-17T19:56:03.552322] Error setting up TLS session context; tls_error='system library:fopen:Permission denied', location='/etc/syslog-ng/syslog-ng.conf:21:2'
[2021-03-17T19:56:03.552355] Error setting up TLS context; keyfile='/etc/ssl/certs/cert.d/serverkey.pem'
[2021-03-17T19:56:03.552407] Waiting for password; keyfile='/etc/ssl/certs/cert.d/serverkey.pem'
syslog-ng config:

@version: 3.29
@include "scl.conf"

source s_local { internal(); };

source s_network {
  default-network-drivers(
    # NOTE: TLS support
    #
    # the default-network-drivers() source driver opens the TLS
    # enabled ports as well, however without an actual key/cert
    # pair they will not operate and syslog-ng would display a
    # warning at startup.
    #
    tls(
      key-file("/etc/ssl/certs/cert.d/serverkey.pem")
      cert-file("/etc/ssl/certs/cert.d/servercert.pem")
      ca_dir("/etc/ssl/certs/ca.d")
      # peer-verify() is an option of tls(), so it belongs inside the tls() block
      peer_verify(optional-untrusted)
    )
  );
};

destination d_local {
  file("/var/log/messages");
  file("/var/log/messages-kv.log"
       template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n")
       frac-digits(3));
};

log { source(s_local); source(s_network); destination(d_local); };
docker run command:

sudo docker run -d --privileged -it \
  -v "/data/syslog-ng/config/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf" \
  -v "/data/syslog-ng/logs:/var/log" \
  -v "/data/syslog-ng/certs:/etc/ssl/certs" \
  -p 514:514/udp -p 601:601 -p 6514:6514 \
  --name syslog-ng2 balabit/syslog-ng:latest -edv
Thanks,
Steven

--
Steven La
408-503-0289
steven.la@datastax.com | datastax.com
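An added pre-flight check for the situation in this thread (example code written for this page, not from the thread participants and not part of syslog-ng). The log above shows the sequence that confused the original poster: fopen() on the key fails with "Permission denied", and only then does syslog-ng fall through to "Waiting for password", so a password prompt on an unencrypted key is a symptom of an unreadable file rather than of encryption. The script below answers the two questions separately, from file metadata alone: can the uid that syslog-ng runs as open the key and cert, and do the PEM headers actually mark the key as encrypted? It also flags the tempting wrong fix (chmod 644 on a private key). The key and cert paths are the ones from the thread; the uid/gid values are assumptions supplied by the caller, and the PEM contents used in the self-test are constructed.

```python
#!/usr/bin/env python3
"""Pre-flight check for a syslog-ng TLS key/cert pair.

Added example for this mailing-list thread; not syslog-ng code.
Checks readability for a given uid/gids from the owner/group/mode bits
(not os.access(), which would always say "yes" when run as root) and
detects encrypted PEM keys from their headers.
"""
import os
import stat
import sys
from typing import List

# PEM markers for an encrypted private key: PKCS#8 and the legacy
# "traditional" OpenSSL format respectively.
PKCS8_ENCRYPTED = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
LEGACY_ENCRYPTED = b"Proc-Type: 4,ENCRYPTED"


def can_read(path: str, uid: int, gids: List[int]) -> bool:
    """Classic DAC read check for (uid, gids) against the file's metadata."""
    st = os.stat(path)
    if uid == 0:
        # root bypasses DAC; a mount option or LSM (SELinux/AppArmor) may still refuse
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def key_is_encrypted(path: str) -> bool:
    """True if the PEM headers say the key needs a passphrase."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    return PKCS8_ENCRYPTED in head or LEGACY_ENCRYPTED in head


def preflight(keyfile: str, certfile: str, uid: int, gids: List[int]) -> List[str]:
    """Return findings for the pair; an empty list means it looks usable."""
    findings: List[str] = []
    for label, path in (("key", keyfile), ("cert", certfile)):
        if not os.path.exists(path):
            findings.append(f"{label} missing: {path}")
            continue
        if not can_read(path, uid, gids):
            st = os.stat(path)
            findings.append(
                f"{label} not readable by uid {uid}: {path} "
                f"(owner {st.st_uid}:{st.st_gid}, mode {stat.S_IMODE(st.st_mode):04o})"
            )
    if os.path.exists(keyfile):
        mode = stat.S_IMODE(os.stat(keyfile).st_mode)
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            # The private key should be owned by the syslog-ng uid with a
            # tight mode, not made world-readable to get past "Permission denied".
            findings.append(
                f"key is world-accessible (mode {mode:04o}); "
                "chown it to the syslog-ng uid instead of loosening the mode"
            )
        if can_read(keyfile, uid, gids) and key_is_encrypted(keyfile):
            findings.append("key is encrypted; syslog-ng will legitimately prompt for a password")
    return findings


if __name__ == "__main__":
    # Paths as bind-mounted in the thread's container. The uid/gid are
    # placeholders: pass the ids syslog-ng actually runs as (see `ps`).
    run_uid = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    run_gids = [int(g) for g in sys.argv[2:]]
    problems = preflight(
        "/etc/ssl/certs/cert.d/serverkey.pem",
        "/etc/ssl/certs/cert.d/servercert.pem",
        run_uid,
        run_gids,
    )
    for line in problems or ["key/cert pair looks usable"]:
        print(line)
```

Run it inside the container (docker exec) with the uid and gids the syslog-ng process reports, since the bind mount keeps the host's numeric ownership and the ids inside the container are what matter. If the only finding is "not readable", chown the files to that uid (or add it to the group) rather than making the key world-readable.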