rsyslog: Testing Your TLS-Encrypted Server

Please see Learning rsyslog for the introduction and index to this series of blog posts about rsyslog.

If you've set up an encrypted instance of an rsyslog logging server, testing it is a good idea. For testing rsyslog, both locally and remotely, logger is the answer ... until it isn't, which is as soon as you turn on TLS: logger doesn't speak TLS. While looking for a way to test a TLS rsyslog server, I came across this: https://askubuntu.com/questions/1091659/how-to-send-tls-syslog-message-via-logger-command - and what follows is almost entirely based on that. The tool we need is gnutls-cli. On Fedora it's in the "gnutls-utils" package, on Debian it's in the "gnutls-bin" package (neither is installed by default).

To send a test message to a TLS-encrypted rsyslog server:

echo "<142>Test from $HOSTNAME to receiver.gilesorr.com" | gnutls-cli receiver.gilesorr.com --port=6514 --x509cafile=/etc/rsyslog-keys/receiver.gilesorr.com.chain.pem

There's a lot to absorb here:

  • '<142>' is the encoded value for "local1.info". When I first wrote this, I didn't know why it was "142," but see Choosing Your "Facility" and "Severity" near the end for how to calculate that value.
  • receiver.gilesorr.com is the remote log server.
  • '--port' should be set to whatever value the receiving server is using: '6514' is semi-standard.
  • '--x509cafile' is the Certificate Authority's certificate - or in this case, the "chain.pem" created on the remote server by Let's Encrypt's scripts. You'll need a copy stored locally.
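
The following is an added example, not part of the original post: it derives the '<142>' prefix from a "facility.severity" name and wraps the gnutls-cli command above so other priorities can be tested. The function names are hypothetical; the numeric codes are the standard syslog facility and severity values (RFC 5424).

```shell
#!/bin/sh
# Added example: build the syslog PRI prefix and send a TLS test line.
# Function names are hypothetical; the codes are the RFC 5424 tables.

# Map a facility name to its numeric code.
facility_code() {
    case "$1" in
        kern) echo 0 ;; user) echo 1 ;; mail) echo 2 ;; daemon) echo 3 ;;
        auth) echo 4 ;; syslog) echo 5 ;; lpr) echo 6 ;; news) echo 7 ;;
        uucp) echo 8 ;; cron) echo 9 ;; authpriv) echo 10 ;; ftp) echo 11 ;;
        local[0-7]) echo $(( 16 + ${1#local} )) ;;
        *) return 1 ;;
    esac
}

# Map a severity name to its numeric code.
severity_code() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) return 1 ;;
    esac
}

# syslog_pri FACILITY.SEVERITY  ->  PRI = facility * 8 + severity
syslog_pri() {
    fac=$(facility_code "${1%%.*}") || { echo "unknown facility in '$1'" >&2; return 1; }
    sev=$(severity_code "${1#*.}")  || { echo "unknown severity in '$1'" >&2; return 1; }
    echo $(( fac * 8 + sev ))
}

# send_tls_test FACILITY.SEVERITY SERVER CAFILE [PORT]
# Refuses to run with a bad priority or an unreadable CA file, so a failed
# test is not mistaken for a server-side problem.
send_tls_test() {
    pri=$(syslog_pri "$1") || return 1
    [ -r "$3" ] || { echo "cannot read CA file: $3" >&2; return 1; }
    echo "<$pri>Test from ${HOSTNAME:-$(hostname)} to $2" |
        gnutls-cli "$2" --port="${4:-6514}" --x509cafile="$3"
}
```

After sourcing the file, `send_tls_test local1.info receiver.gilesorr.com /etc/rsyslog-keys/receiver.gilesorr.com.chain.pem` sends the same message as the command shown earlier.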
