[syslog-ng] IPv6 TLS source question

Gergely Nagy algernon at balabit.hu
Thu Jul 4 13:07:59 CEST 2013


Jeff Lange <jlange6648 at gmail.com> writes:

> I'm attempting to setup a TCP IPv6 source declaration that uses TLS but
> syslog-ng is not happy with the configuration file.

Long story short: syslog-ng 3.3 and 3.4 do not support syslog() over
IPv6; 3.5 does, see below.

> The following is what I use for IPv4 and it works fine:
>
> source s_tls
> {
>   syslog( ip(0.0.0.0) port(6514)
>     transport( "tls" )
>     tls (
>       key_file("/srv/syslog-ng/certs/priv-key.pem")
>       cert_file("/srv/syslog-ng/certs/id-cert.pem")
>       ca_dir("/srv/syslog-ng/certs")
>       cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>     )
>    );
> };
>
> However the following is not valid:
>
> source s_tls6 {
>   syslog( ip("::") port(6515)
>     transport( "tls" )
>     tls (
>       key_file("/srv/syslog-ng/certs/priv-key.pem")
>       cert_file("/srv/syslog-ng/certs/id-cert.pem")
>       ca_dir("/srv/syslog-ng/certs")
>       cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
>     )
>   );
> };
>
> I've tried the ip with and without quotes with no luck. What am I doing
> wrong?

Unfortunately, syslog-ng defaults to IPv4, and even if you give it an
IPv6 address, it will still try to handle it as if it was IPv4, unless
you tell it not to.

In syslog-ng 3.5, this is possible by adding ip-protocol(6) inside the
syslog() statement. In versions prior to 3.5, it is not doable yet. But
I'm considering teaching the host resolving code not to default to IPv4
(by using AF_UNSPEC, unless specified otherwise via ip-protocol or
something similar).

The problem is, all the current sources and destinations make a
distinction between ipv4 and ipv6: tcp(), udp() and syslog() all enforce
ipv4, while tcp6() and udp6() enforce ipv6... and there is no syslog6().

I do not want to change this in either 3.3 or 3.4, as that would be too
invasive, but for 3.5, I'd love to make the udp(), tcp() and syslog()
statements IP protocol agnostic. That way, your config would just work
out of the box, but would still allow one to limit to either IPv4 or
IPv6 by specifying ip-protocol(N).

-- 
|8]
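The rule stated in the reply (which driver binds which address family on 3.3/3.4, and the ip-protocol() override that 3.5 adds), as an added example that is not part of the thread and not syslog-ng's own code: a small Python check that walks the network drivers in a config, compares the family of an ip() literal with the family the driver will bind, and reports the fix. The two embedded configs are constructed samples, the s_tls6 source from the question as posted and the same source written for syslog-ng 3.5. The peer_verify(required-trusted) line in the 3.5 version and the remark on !ECDH are editorial additions, not from the reply; hostnames in ip() are skipped rather than resolved.

```python
"""Flag syslog-ng network drivers whose ip() literal is in a different address
family than the one the driver binds with: the 3.3/3.4 behaviour and the 3.5
ip-protocol() override described in the reply above.  Added example for this
page, not syslog-ng's own code; hostnames in ip() are skipped, not resolved."""
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Family each driver enforces on 3.3/3.4, per the reply: tcp(), udp() and
# syslog() are IPv4, tcp6() and udp6() are IPv6, and there is no syslog6().
# From 3.5, ip-protocol(4|6) inside the driver overrides this.
DRIVER_FAMILY = {"tcp": 4, "udp": 4, "syslog": 4, "tcp6": 6, "udp6": 6}
_DRIVER_OPEN = re.compile(r"\b(tcp6|udp6|tcp|udp|syslog)\s*\(")
_IP_OPT = re.compile(r'\bip\s*\(\s*"?([^"\s)]+)"?\s*\)')
_IP_PROTOCOL_OPT = re.compile(r"\bip[-_]protocol\s*\(\s*([46])\s*\)")


class Finding(NamedTuple):
    driver: str        # driver as written, e.g. "syslog"
    address: str       # the ip() argument
    addr_family: int   # family implied by the literal, 4 or 6
    bound_family: int  # family the driver will actually bind with


def _driver_bodies(text):
    """Yield (driver, argument text) per driver call; arguments nest
    parentheses (tls( ... )), so walk to the matching close."""
    for m in _DRIVER_OPEN.finditer(text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]


def _literal_family(addr: str) -> Optional[int]:
    """4 or 6 for an IP literal, None for anything else (a hostname)."""
    try:
        return ipaddress.ip_address(addr).version
    except ValueError:
        return None


def check_config(text: str) -> List[Finding]:
    """One Finding per driver whose ip() literal family differs from the
    family the driver will use (driver default, or ip-protocol() if given)."""
    findings = []
    for driver, body in _driver_bodies(text):
        ip_opt = _IP_OPT.search(body)
        fam = _literal_family(ip_opt.group(1)) if ip_opt else None
        if fam is None:
            continue
        proto = _IP_PROTOCOL_OPT.search(body)
        bound = int(proto.group(1)) if proto else DRIVER_FAMILY[driver]
        if fam != bound:
            findings.append(Finding(driver, ip_opt.group(1), fam, bound))
    return findings


def suggest(f: Finding) -> str:
    """Remediation for one finding, following the options the reply gives."""
    if f.driver == "syslog":
        return ("syslog() is IPv4-only before 3.5 and there is no syslog6(); "
                f"on 3.5+ add ip-protocol({f.addr_family}) inside syslog()")
    alt = f.driver.rstrip("6") + ("6" if f.addr_family == 6 else "")
    return (f"use {alt}() instead of {f.driver}(), or on 3.5+ add "
            f"ip-protocol({f.addr_family}) inside {f.driver}()")


# Constructed samples: the s_tls6 source from the question as posted, and the
# same source written for syslog-ng 3.5.  peer_verify(required-trusted) is an
# editorial addition (clients must present a certificate chaining to a CA in
# ca_dir()).  The cipher string is kept as posted; note that OpenSSL's ECDH
# alias also covers ephemeral ECDHE suites, so !ECDH removes those as well.
SOURCE_AS_POSTED = '''source s_tls6 {
  syslog( ip("::") port(6515)
    transport( "tls" )
    tls (
      key_file("/srv/syslog-ng/certs/priv-key.pem")
      cert_file("/srv/syslog-ng/certs/id-cert.pem")
      ca_dir("/srv/syslog-ng/certs")
      cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
    )
  );
};'''
SOURCE_FIXED_3_5 = '''source s_tls6 {
  syslog( ip("::") port(6515) ip-protocol(6)
    transport("tls")
    tls (
      key_file("/srv/syslog-ng/certs/priv-key.pem")
      cert_file("/srv/syslog-ng/certs/id-cert.pem")
      ca_dir("/srv/syslog-ng/certs")
      peer_verify(required-trusted)
      cipher_suite("SHA256:!aNULL:!eNULL:!ECDH:!DSS")
    )
  );
};'''

if __name__ == "__main__":
    for conf in (SOURCE_AS_POSTED, SOURCE_FIXED_3_5):
        print([f"{f.driver}(ip({f.address})): {suggest(f)}" for f in check_config(conf)] or "OK")
```

Run stand-alone it reports the mismatch for the source as posted (syslog() with an IPv6 literal but bound as IPv4) and OK for the 3.5 form. On the host, follow a config change with `syslog-ng --syntax-only`, then confirm with `ss -ltn` that port 6515 is bound on [::] (older ss prints this as :::6515) rather than on 0.0.0.0.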
