Rsyslog 8.1901.0: Configuring TLS Mode for Encrypted Log Transport

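Background: a customer needs logs uploaded over a TLS-encrypted channel, so Tiger rolled up his sleeves to get it working.
I recommend reading the technical document below; the official documentation is not as easy to use as this one.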

https://rsyslog.readthedocs.io/en/latest/tutorials/tls_cert_summary.html

We can download the official documentation from GitHub, build it, and browse the manual locally:

git clone https://github.com/rsyslog/rsyslog-doc.git
cd rsyslog-doc
git tag  # list the tags to find the version we want
git checkout v8.1901.0
pip3 install sphinx
sphinx-build -b html source build
Configure nginx to serve the built documentation:
server {
        listen 8090;
        listen [::]:8090;

        server_name example2.com;

        root /home/tiger/rsyslog-doc/build;
        index index.html;

        location / {
                try_files $uri $uri/ =404;
        }
}
sudo systemctl restart nginx  # the documentation is reachable once the service has restarted


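Our Rsyslog runs inside a Docker service, and there is also an Rsyslog instance on the host, so there are four places to configure: the host, Docker, the server, and the client.

Host rsyslog.conf (the server and the client can both use this same file):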

# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance

# rsyslog v3: load input modules
# If you do not load inputs, nothing happens!
# You may need to set the module load path if modules are not found.
#
# Ported from debian's sysklogd.conf

$ModLoad immark   # provides --MARK-- message capability
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog   # kernel logging (formerly provided by rklogd)
$ModLoad imfile   # other log file
$ModLoad omkafka   # Kafka output module
#
# Set the default permissions
#
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

# :msg, contains, "event_remote"       ~
# Template for ISO8601/rfc3339 timestamp format with millisec resolution
$template rfc3339msecFmt,"%timegenerated:1:23:date-rfc3339%%timegenerated:27:33:date-rfc3339% %syslogtag:1:32%%msg%\n"

auth,authpriv.*                 /var/log/auth.log;rfc3339msecFmt

# disabled ptpd log
:syslogtag, contains, "ptpd2" stop
:syslogtag, contains, "ptploop" stop

# *.*;auth,authpriv.none;local2.none;local6.none          -/var/log/messages;rfc3339msecFmt
# *.*;auth,authpriv.none;local2.none       @remote-host1:514;rfc3339msecFmt
# *.*;auth,authpriv.none;local2.none       @remote-host2:514;rfc3339msecFmt

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# Save OpenSwitch Event logs to event.log
#:msg, contains, "ops-evt|"       /var/log/event.log
if ($msg contains  "ops-evt|")then{
        /var/log/event.log
        stop
}

# Send OpenSwitch Interface Statistics to Remote hosts
$InputFileName                  /var/log/intf-stats.log
$InputFileTag                   Interface_Statistics
$InputFileSeverity              notice
$InputFileFacility              local2
$InputFileStateFile             /tmp/stat-intf-stats
$InputFilePollInterval          30
$InputFilePersistStateInterval  30
$InputRunFileMonitor
#local2.* @@remote-host:514

# webui.log
local6.*          -/var/log/webui.log

# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
$WorkDirectory /var/spool/rsyslog # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
$ActionQueueMaxDiskSpace 10m   # 10 MB space limit for the on-disk queue
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514

# Include Remote Logging ( Syslog ) Configuration
 $IncludeConfig /etc/kafka.conf
 $IncludeConfig /etc/rsyslog.remote.conf

# ######### Receiving Messages from Remote Hosts ##########
# TCP Syslog Server:
# provides TCP syslog reception and GSS-API (if compiled to support it)
#$ModLoad imtcp.so  # load module
#$InputTCPServerRun 514 # start up TCP listener at port 514

# UDP Syslog Server:
#$ModLoad imudp.so  # provides UDP syslog reception
#$UDPServerRun 514 # start a UDP syslog server at standard port 514

Docker rsyslog configuration

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")


###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

#
# Set the default permissions for all log files.
#
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


###############
#### RULES ####
###############

#
# First some standard log files.  Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

#
# Logging for the mail system.  Split it up so that
# it is easy to write scripts to parse these files.
#
mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
*.=debug;\
        auth,authpriv.none;\
        news.none;mail.none     -/var/log/debug
*.=info;*.=notice;*.=warn;\
        auth,authpriv.none;\
        cron,daemon.none;\
        mail,news.none          -/var/log/messages

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

Server configuration:
/etc/rsyslog.d/tls_server.conf

tls_server.conf

$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener

# make gtls driver the default
$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/server-key.pem

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 594 # start up listener at port 594

Client configuration:
/etc/rsyslog.d/tls_client.conf
tls_client.conf

$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
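# NOTE: this reuses the server's certificate and private key on the client.
# Issuing each client its own certificate and key avoids copying the
# server's private key to every sender.
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/server-key.pem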

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer central.example.net
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
*.* @@192.168.3.20:594 # forward everything to remote server

#$ActionSendStreamDriverAuthMode anon
#$template myFormat,"unique %syslogpriority% %timestamp% %hostname% %syslogtag% %msg%"
#*.* @@192.168.3.20:594;myFormat
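
A small linter for the legacy-syntax TLS directives used in tls_server.conf and tls_client.conf above. It is an added example, not part of the original post or of rsyslog. The function names, finding texts and sample snippets are assumptions made for illustration, and it inspects only the directives named on this page, ignoring directive ordering.

```python
import re

# Legacy-syntax line, e.g. "$ActionSendStreamDriverMode 1 # comment".
DIRECTIVE = re.compile(r"^\s*\$(\w+)\s+([^#\s]+)")

def parse_directives(text):
    """Map lower-cased directive name -> last value set (ordering is ignored)."""
    hits = (DIRECTIVE.match(line) for line in text.splitlines())
    return {m.group(1).lower(): m.group(2) for m in hits if m}

def audit_tls(text, side):
    """side: 'InputTCPServer' for a listener, 'ActionSend' for a forwarder."""
    d = parse_directives(text)
    p = side.lower() + "streamdriver"
    out = []
    if d.get("defaultnetstreamdriver", "ptcp") == "ptcp":
        out.append("driver: plain TCP (ptcp), no TLS")
    if "defaultnetstreamdrivercafile" not in d:
        out.append("cafile: no CA file to verify peer certificates against")
    mode = d.get(p + "mode", "0")  # rsyslog default is 0 (plain TCP)
    if mode not in ("0", "1"):
        out.append(f"mode: '{mode}' is not 0 or 1")
    elif mode == "0":
        out.append("mode: 0 sends and receives in clear text")
    auth = d.get(p + "authmode")
    if auth is None:
        out.append("authmode: not set, state the intended mode explicitly")
    elif auth == "anon":
        out.append("authmode: anon does not authenticate the peer")
    elif auth != "x509/certvalid" and p + "permittedpeer" not in d:
        out.append(f"authmode: {auth} needs a PermittedPeer entry")
    return out

# Constructed samples in the style of tls_server.conf, not taken from a live host.
BAD = """$DefaultNetstreamDriver gtls
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverMode anon # an auth-mode word where a number belongs
$InputTCPServerRun 594
"""
GOOD = """$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.net
$InputTCPServerStreamDriverMode 1
$InputTCPServerRun 594
"""

if __name__ == "__main__":
    for name, conf in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, audit_tls(conf, "InputTCPServer") or "ok")
```

Pass `"ActionSend"` as the second argument to check a client snippet such as tls_client.conf.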

For generating the certificates, see my other article, or follow the instructions on the official site.
