Login to the client and the server, download syslog-ng and stunnel and install them:
[root@host]# yum install -y openssl-devel glibc gcc glib2
[root@host]# wget http://www.stunnel.org/download/stunnel/src/stunnel-4.26.tar.gz
[root@host]# lynx http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/pkgs/dists/rhel-5/syslog-ng-ose-2.1.3/i386/RPMS.syslog-ng/
[root@host]# mkdir -p /usr/local/var/run/stunnel/
[root@host]# cd /usr/src
[root@host]# tar zxfv stunnel-4.26.tar.gz
[root@host]# cd stunnel-4.26
[root@host]# ./configure
[root@host]# make
[root@host]# make install
[root@host]# cd /usr/src/SYSLOG-NG
[root@host]# rpm -Uvh libdbi8-0.8.2bb2-3.rhel5.i386.rpm libdbi8-dev-0.8.2bb2-3.rhel5.i386.rpm libevtlog0-0.2.8-1.i386.rpm syslog-ng-2.1.3-1.i386.rpm
Creating the certificates
After the installation is complete login to your CA server and create the server and the client certificate. If you have more than one client that will log to the server you have to generate new client certificate:
[root@host]# cd /etc/pki/tls/certs
[root@host]# make syslog-ng-server.pem
[root@host]# make syslog-ng-client.pem
Place copies of syslog-ng-server.pem on all machines in /etc/stunnel with one important alteration. The clients only need the certificate section of syslog-ng-server.pem. In other words, remove the private key section from syslog-ng-server.pem on all clients.
Place every client’s syslog-ng-client.pem in /etc/stunnel. For server, create a special syslog-ng-client.pem containing the certificate sections for all clients and place in /etc/stunnel. In other words, remove the private key sections from all syslog-ng-client.pem files and concatenate what is left to create server’s special syslog-ng-client.pem.
note:It is very important that you put the server’s short name when you’re asked about the Common Name !
Creating the configuration files
Create the stunnel.conf configuration file in /etc/stunnel on the client:
[root@host]# vi /etc/stunnel/stunnel.conf
#foreground = yes
#debug = 7
client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3
[5140]
accept = 127.0.0.1:514
connect = server.yourdomain.com:5140
For syslog-ng.conf you can start with:
[root@host]# vi /etc/syslog-ng/syslog-ng.conf
options {long_hostnames(off);
sync(0);};
source src {unix-stream(“/dev/log”); pipe(“/proc/kmsg”); internal();};
destination dest {file(“/var/log/messages”);};
destination stunnel {tcp(“127.0.0.1” port(514));};
log {source(src);destination(dest);};
log {source(src);destination(stunnel);};
Similarly stunnel.conf on the server can look like this:
[root@host]# vi /etc/stunnel/stunnel.conf
#foreground = yes
debug = 7
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3
[5140]
accept = server.yourdomain.com:5140
connect = 127.0.0.1:514
An example of syslog-ng.conf on the server:
[root@host]# vi /etc/syslog-ng/syslog-ng.conf
options { long_hostnames(off); sync(0); keep_hostname(yes); chain_hostnames(no); };
source src {unix-stream(“/dev/log”); pipe(“/proc/kmsg”); internal();};
source stunnel {tcp(ip(“127.0.0.1”) port(514) max-connections(500));};
destination remoteclient {file(“/var/backup/CentralizedLogging/remoteclients”);};
destination dest {file(“/var/log/messages”);};
log {source(src); destination(dest);};
log {source(stunnel); destination(remoteclient);};
Starting syslog-ng and stunnel
Make sure syslog-ng is not running (it automatically start once you install it from the rpm’s)
[root@host]# killall syslog-ng
Start syslong-ng BEFORE stunnel by running:
[root@host]# syslog-ng -f /etc/syslog-ng/syslog-ng.conf
Make sure it’s running by checking the logs:
[root@host]# tail -f /var/log/messages
Start stunnel by running:
[root@host]# stunnel /etc/stunnel/stunnel.conf
Make sure stunnel is running by checking the logs:
[root@host]# tail -f /var/log/messages
If stunnel is not running you can uncomment the debug line in the stunnel.conf file, start stunnel again and check the logs for detailed description of the problem.
Final steps
Restart stunnel on the server for it to re-read the certificates file and accept the newly added clients:
[root@host]# killall stunnel stunnel /etc/stunnel/stunnel.conf
Make sure syslog-ng does not start (on client) through the init process:
[root@host]# chkconfig –level 2345 syslog-ng off
Edit /etc/rc.d/rc.local (on client) and add syslog-ng and stunnel:
[root@host]# vi /etc/rc.d/rc.local
echo “Starting syslog-ng …”
syslog-ng -f /etc/syslog-ng/syslog-ng.conf
echo “Starting stunnel …”
stunnel /etc/stunnel/stunnel.conf
To test the remote logging run on the client:
[root@host]# logger “Testing remote logging”
The message should appear on bu3 in /var/backup/CentralizedLogging/remoteclients
One alternative to syslog-ng is Splunk. You can always use Splunk along syslog-ng for indexing purpose
