[syslog-ng] Docker syslog-ng TLS issue
Peter Kokai (pkokai)
Peter.Kokai at oneidentity.com
Wed Mar 17 20:13:05 UTC 2021
Hello,
Strange behaviour, but this is due to a permission issue. Fix the permissions of the certs and it should work.
--
kokan
________________________________________
From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Steven La <steven.la at datastax.com>
Sent: 17 March 2021 21:05
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] Docker syslog-ng TLS issue
I created a CA cert following the instructions here:
https://support.oneidentity.com/fr-fr/technical-documents/syslog-ng-open-source-edition/3.22/mutual-authentication-using-tls
And the serverkey.pem is not encrypted, but syslog-ng is asking for a password for the serverkey.pem when it starts up. Any help would be appreciated.
Head of the server.key
-----BEGIN PRIVATE KEY-----
MIIEvAI....
syslog error:
[2021-03-17T19:56:03.552322] Error setting up TLS session context; tls_error='system library:fopen:Permission denied', location='/etc/syslog-ng/syslog-ng.conf:21:2'
[2021-03-17T19:56:03.552355] Error setting up TLS context; keyfile='/etc/ssl/certs/cert.d/serverkey.pem'
[2021-03-17T19:56:03.552407] Waiting for password; keyfile='/etc/ssl/certs/cert.d/serverkey.pem'
syslog-ng config:
@version: 3.29
@include "scl.conf"

source s_local {
    internal();
};

source s_network {
    default-network-drivers(
        # NOTE: TLS support
        #
        # the default-network-drivers() source driver opens the TLS
        # enabled ports as well, however without an actual key/cert
        # pair they will not operate and syslog-ng would display a
        # warning at startup.
        #
        tls(key-file("/etc/ssl/certs/cert.d/serverkey.pem") cert-file("/etc/ssl/certs/cert.d/servercert.pem") ca_dir("/etc/ssl/certs/ca.d"))
        peer_verify(optional-untrusted)
    );
};

destination d_local {
    file("/var/log/messages");
    file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
};

log {
    source(s_local);
    source(s_network);
    destination(d_local);
};
docker run command:
sudo docker run -d --privileged -it -v "/data/syslog-ng/config/syslog-ng.conf:/etc/syslog-ng/syslog-ng.conf" -v "/data/syslog-ng/logs:/var/log" -v "/data/syslog-ng/certs:/etc/ssl/certs" -p 514:514/udp -p 601:601 -p 6514:6514 --name syslog-ng2 balabit/syslog-ng:latest -edv
Thanks,
Steven
--
Steven La
408-503-0289
steven.la at datastax.com | datastax.com
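The reply at the top of this thread attributes the failure to file permissions on the bind-mounted certificate directory: in the log, the "fopen:Permission denied" error comes before the "Waiting for password" line, so the password prompt follows a key that could not be read rather than an encrypted key. The POSIX shell script below is an added example, not part of this thread and not syslog-ng project code. It checks whether a private key is readable by the uid/gid that syslog-ng runs as inside the container and that it is not world-readable, judging by mode bits only (ACLs, SELinux/AppArmor labels and user-namespace uid mapping are outside its scope). The host path mirrors the docker run command above (host /data/syslog-ng/certs is mounted at /etc/ssl/certs in the container); the script name check_key.sh and the uid/gid pair 0 0 in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not syslog-ng project code): check whether the TLS private
# key on the bind-mounted certs directory is readable by the uid/gid that
# syslog-ng runs as inside the container, and that it is not world-readable.
# Uses mode bits only (GNU/BusyBox stat -c); ACLs, SELinux/AppArmor and
# user-namespace uid mapping are not modelled.
#
# check_key_perms FILE UID GID
#   returns 0  readable by UID/GID and not world-readable
#   returns 1  not readable by UID/GID (the fopen EACCES seen in the log)
#   returns 2  readable by UID/GID, but also readable by everyone (o+r)
check_key_perms() {
    file=$1; want_uid=$2; want_gid=$3
    if [ ! -f "$file" ]; then
        echo "missing key file: $file"
        return 1
    fi
    set -- $(stat -c '%a %u %g' "$file")   # octal mode, owner uid, owner gid
    mode=$1; owner=$2; group=$3
    # keep the rightmost three octal digits (drop setuid/setgid/sticky)
    perm=$(printf '%04d' "$mode"); perm=${perm#?}
    u=${perm%??}; g=${perm#?}; g=${g%?}; o=${perm#??}

    # Classic Unix DAC: exactly one class applies, chosen by owner, then
    # group, then other; root bypasses mode bits entirely.
    readable=0
    if [ "$want_uid" -eq 0 ]; then
        readable=1
    elif [ "$owner" -eq "$want_uid" ]; then
        if [ $((u & 4)) -ne 0 ]; then readable=1; fi
    elif [ "$group" -eq "$want_gid" ]; then
        if [ $((g & 4)) -ne 0 ]; then readable=1; fi
    else
        if [ $((o & 4)) -ne 0 ]; then readable=1; fi
    fi

    if [ "$readable" -eq 0 ]; then
        echo "$file (mode $perm, owner $owner:$group) is NOT readable by uid $want_uid gid $want_gid"
        echo "fix: chown $want_uid:$want_gid '$file' && chmod 0400 '$file'"
        return 1
    fi
    if [ $((o & 4)) -ne 0 ]; then
        echo "$file is readable by uid $want_uid but also world-readable (mode $perm)"
        echo "fix: chmod o-rwx '$file'"
        return 2
    fi
    echo "$file is readable by uid $want_uid gid $want_gid and private (mode $perm)"
    return 0
}

# Usage on the Docker host (assumed script name), with the uid/gid the
# container's syslog-ng process runs as; 0 0 is an assumption here:
#   sh check_key.sh /data/syslog-ng/certs/cert.d/serverkey.pem 0 0
if [ $# -ge 3 ]; then
    check_key_perms "$1" "$2" "$3"
fi
```

Run it against the host copy of the key rather than from inside the container, because the bind mount carries the host's owner uid and mode bits into the container unchanged; if root inside the container still gets EACCES on a file this check reports as readable, the cause lies in something the check does not model (a mandatory access control label on the host directory or a root-squashed network share), not in the mode bits.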