Website questions answered first:
1) ntsyslog (on Windows 2000 Pro) is not connecting through stunnel to the (Fedora Core 4) syslog-ng daemon.
2) Latest version of stunnel; just downloaded it.
3) stunnel syslog-ng -f /etc/syslog-ng.conf
4) Ran the command but got no output. (stunnel /etc/stunnel/stunnel.conf -f -D -7)
5) Ran the command and it executed as above but still got no output. Ran (stunnel /etc/stunnel/stunnel.conf -V)
6) Linux echelon.bankserv.com 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 GNU/Linux
7) Sorry, I'm a noob and don't know how to get this. I am from the Windows side of the house. If you need it, send me the command and I will get you the output.
8) Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-libgcj-multifile --enable-languages=c,c++,objc,java,f95,ada --enable-java-awt=gtk --with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre --host=i386-redhat-linux
Thread model: posix
gcc version 4.0.0 20050519 (Red Hat 4.0.0-8)
9) This is the latest version for Fedora Core 4. I downloaded the packages for openssl and ran the updater.
I am setting up centralized logging with stunnel, syslog-ng, ntsyslog. Following the directions from these two links. http://www.stunnel.org/examples/syslog-ng.html http://www.monitorware.com/Common/en/Articles/eventlog-stunnel-syslog.php
Encrypting traffic to a remote syslog-ng server including SSL peer authentication
1. Install stunnel and syslog-ng on all machines.
2. Create certificates for all machines. On RedHat 9 and similar machines, you can do the following as root:
# cd /etc/pki/tls/certs
# make syslog-ng-server.pem
# make syslog-ng-client.pem
3. Place copies of syslog-ng-server.pem on all machines in /etc/stunnel with one important alteration. The clients only need the certificate section of syslog-ng-server.pem. In other words, remove the private key section from syslog-ng-server.pem on all clients. Place every client's syslog-ng-client.pem in /etc/stunnel. For server, create a special syslog-ng-client.pem containing the certificate sections for all clients and place in /etc/stunnel. In other words, remove the private key sections from all syslog-ng-client.pem files and concatenate what is left to create server's special syslog-ng-client.pem.
4. Give only root ownership, read and write permissions for certificates.
5. On server, create /etc/stunnel/stunnel.conf containing the following replacing server IP address accordingly:
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3
[5140]
accept = 192.x.x.x:5140
connect = 127.0.0.1:514
On clients, create /etc/stunnel/stunnel.conf containing the following replacing server IP address accordingly:
client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3
[5140]
accept = 127.0.0.1:514
connect = 192.x.x.x:5140
6. On server, create the following in /etc/syslog-ng.conf:
options { long_hostnames(off); sync(0); keep_hostname(yes); chain_hostnames(no); };
source src {unix-stream("/dev/log"); pipe("/proc/kmsg"); internal();};
source stunnel {tcp(ip("127.0.0.1") port(514) max-connections(1));};
destination remoteclient {file("/var/log/remoteclient");};
destination dest {file("/var/log/messages");};
log {source(src); destination(dest);};
log {source(stunnel); destination(remoteclient);};
On clients, create the following in /etc/syslog-ng.conf:
options {long_hostnames(off); sync(0);};
source src {unix-stream("/dev/log"); pipe("/proc/kmsg"); internal();};
destination dest {file("/var/log/messages");};
destination stunnel {tcp("127.0.0.1" port(514));};
log {source(src);destination(dest);};
log {source(src);destination(stunnel);};
(See syslog-ng documentation for more sophisticated syslog-ng.conf alternatives.)
7. Open necessary ports with regards to packet filtering and TCP wrappers.
8. On all machines, add the following lines to boot procedure and execute them now:
# stunnel
# syslog-ng -f /etc/syslog-ng.conf
That was the unix side stunnel config.
Copy the files to a location of your choice. If in doubt what you need, download the latest stunnel binary as well as the ZIP file with the openssl libraries. Place everything in the same directory, e.g. c:\bin\stunnel. Please note that the stunnel binary (e.g. stunnel-4.04.exe) is the actual stunnel program and NOT a self-extracting exe program.
Once you have done this, you only need to supply stunnel with a correct configuration file. You can use the one from the stunnel UNIX/Linux tutorial, step 5. Make sure that you not only copy over the config file but also the needed .PEM files. You probably need to change the paths in the stunnel.conf file to reflect your local Windows directory structure.
Once you have the config file ready, you can start the Windows stunnel. Please note that it by default starts interactively. If all goes well, there is a small icon in the icon tray. Double-click it to get a status window. If something goes wrong, the status window automatically appears with a nice error message.
AT THIS POINT I AM ABLE TO START STUNNEL WITH NO ERRORS SHOWING UP, BUT 0 ACTIVE TUNNELS.
Let's assume all went well. What is left is that we must tell the event log monitor where to forward events to.
Installation:
Install the service by executing the following command:
NTsyslog -install
The service will be started automatically by the service control manager during system startup. You can start and stop the service manually from the Services Control Panel.
By default the service runs under the LocalSystem account. The service can be configured to run as a local user with the following rights:
* Log on as a service
* Manage auditing and security log
The user the service runs as can be configured in the NTsyslog Properties page which can be accessed through the Services Control Panel.
A GUI tool, NTSyslogCtrl is provided to configure what types of messages are monitored and what priority to use for each type.
The priority for each event log type controls the service and facility that the syslog message is sent to. Each log type has a separate priority. If the priority for a particular key does not exist, as if you were upgrading, or using an old NTSyslogCtrl app, the default is 9, user.alert.
Usually, syslog refers to a "facility" and "severity". These are combined into a single value called "priority".
To calculate the priorities from normal facility and severity codes:
Take the numeric value for the facility, multiply by 8, and add the numeric value for the severity.
Standard facility and severity values are:
Facility:
(0) kernel
(1) user
(2) mail
(3) system
(4) security/auth 1
(5) syslog
(6) line printer
(7) news
(8) uucp
(9) clock 1
(10) security/auth 2
(11) ftp
(12) ntp
(13) log audit
(14) log alert
(15) clock 2
(16) local 0
(17) local 1
(18) local 2
(19) local 3
(20) local 4
(21) local 5
(22) local 6
(23) local 7
Severity:
(0) emergency
(1) alert
(2) critical
(3) error
(4) warning
(5) notice
(6) information
(7) debug
Note that facility 4, 9, 10, and 15 have different meaning on various systems. Please consult your system manual pages or syslogd documentation. Complete details are available in RFC 3164. See: http://www.ietf.org/rfc/rfc3164.txt
The NTSyslog service must be stopped and restarted for the Registry settings to take effect. By default all messages are sent using the user.alert priority.
Registry Settings:
The NTSyslogCtrl program is the preferred method of configuring the registry. Editing the registry manually is not required when using the configuration tool.
The syslog host is configured by creating the following Registry entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet]
"Syslog"="192.X.X.X"
An additional syslog host may be configured for redundancy:
[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet]
"Syslog1"=""
The syslog host can be specified by domain name (loghost.example.com) or by IP address (10.123.112.1).
The types of event log messages sent to the syslog host can be configured by setting the dword value for each of the types of messages. All types with a non-zero value will be processed. The included registry file enables all event types for each event log:
[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\System]
"Information"=dword:00000001
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Security]
"Information"=dword:00000001
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009

[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Application]
"Information"=dword:00000001
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009
Version 1.11 and later supports user defined event logs. Simply add the appropriate sub-key and settings to the registry in the same format as the three standard event logs:
[HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Directory Service]
"Information"=dword:00000001
"Information Priority"=dword:00000009
"Warning"=dword:00000001
"Warning Priority"=dword:00000009
"Error"=dword:00000001
"Error Priority"=dword:00000009
"Audit Success"=dword:00000001
"Audit Success Priority"=dword:00000009
"Audit Failure"=dword:00000001
"Audit Failure Priority"=dword:00000009
OK, after all of this configuration and setup I get no syslogs in on the logging server. I did an Ethereal capture and tested a few settings. If I point it directly to the syslog IP address it's still not connecting because it's trying to connect on port 514. The syslog server is running on port 5140 from the config. I can telnet to port 5140 with no problems. I can start the ntsyslog service with the server's IP and see packets attempting to be sent; this tells me that ntsyslog is working. When I go to examine stunnel I get
2006.02.02 10:18:06 LOG5[484:108]: stunnel 4.14 on x86-pc-mingw32-gnu WIN32+SELECT+IPv4 with OpenSSL 0.9.7i 14 Oct 2005
2006.02.02 10:18:07 LOG5[484:652]: No limit detected for the number of clients
2006.02.02 11:38:18 LOG5[484:640]: 5140 connected from 127.0.0.1:1386
2006.02.02 11:38:27 LOG3[484:640]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
And that is where I am stuck... any help would be greatly appreciated. I check this regularly so I will reply or attempt suggestions pretty quickly and reply with the results. I am still pretty new with Linux, so if you want me to do something or to get you some information, put the commands or steps of how to do it in the post. It will not only help me but it will help others behind me that might not know as much as well. I followed the instructions above, which have the commands. I created the pem files and the conf files just as above, although there is no /etc/syslog-ng.conf on the Windows machine. I still made the files but they are put in c:\bin\stunnel because syslog-ng doesn't run on Windows. They recommended Snare or something of the like to forward the logs, so I chose ntsyslog. Ntsyslog is set up exactly like the instructions say. Like I said above, stunnel starts without an error; when I start the ntsyslog the error appears in the stunnel log.
Client stunnel.conf
cert = C:\bin\stunnel\syslog-ng-server.pem
CAfile = c:\bin\stunnel\syslog-ng-client.pem
verify = 3
[5140]
accept = 127.0.0.1:514
connect = 192.168.x.x:5140
Server stunnel.conf
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3
[5140]
accept = 192.168.x.x:5140
connect = 127.0.0.1:514
syslog-ng.conf
options { long_hostnames(off);
sync(0);
keep_hostname(yes);
chain_hostnames(no); };
source src {unix-stream("/dev/log");
pipe("/proc/kmsg");
internal();};
source stunnel {tcp(ip("127.0.0.1")
port(514)
max-connections(1));};
destination remoteclient {file("/var/log/remoteclient");};
destination dest {file("/var/log/messages");};
log {source(src); destination(dest);};
log {source(stunnel); destination(remoteclient);};
When you run the GUI for ntsyslog it creates the registry entries, so I did not have to create them.
The client is on Windows; the server is the Fedora Core 4 box.
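A small checker for the client-side stunnel.conf, added here as an example (not code from stunnel, syslog-ng or the original post): it parses the config and compares it against the settings the tutorial's step 5 client config uses. Run on the tutorial's client config it returns no findings; run on the Windows config posted above it flags the missing "client = yes" line and the server PEM being used as cert. 192.0.2.10 is an assumed placeholder for the server IP.

```python
"""Lint an stunnel.conf for the tutorial's syslog-ng client role (added example,
not code from stunnel, syslog-ng or the original post). Parses the INI-style
config (global options, then [service] sections) and flags a missing client = yes,
cert/CAfile swapped, or verify = 3 (peer authentication) missing."""

def parse_stunnel_conf(text):
    """Return (global_options, {service: options}) with lowercased keys."""
    global_opts, services, current = {}, {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line[0] == "[":
            current = line.strip("[]").strip()  # start of a [service] section
            services[current] = {}
        else:
            key, _, value = line.partition("=")
            target = global_opts if current is None else services[current]
            target[key.strip().lower()] = value.strip()
    return global_opts, services

def lint_client_conf(text):
    """Return findings for a client-side config; an empty list means it looks right."""
    g, _services = parse_stunnel_conf(text)
    cert, cafile = g.get("cert", "").lower(), g.get("cafile", "").lower()
    checks = [
        (g.get("client", "no").lower() != "yes",
         "client = yes missing: stunnel runs in server mode and attempts an SSL "
         "handshake on the plaintext syslog it accepts locally"),
        ("server" in cert and "client" in cafile,
         "cert/CAfile swapped: cert is the client's own PEM, CAfile the server cert"),
        (g.get("verify") != "3",
         "verify = 3 missing: the server certificate is not checked against CAfile"),
    ]
    return [message for failed, message in checks if failed]

# Constructed samples: the tutorial's client config (placeholder server IP) and the Windows one as posted
TUTORIAL_CLIENT = """client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3
[5140]
accept = 127.0.0.1:514
connect = 192.0.2.10:5140
"""
WINDOWS_CLIENT = r"""cert = C:\bin\stunnel\syslog-ng-server.pem
CAfile = c:\bin\stunnel\syslog-ng-client.pem
verify = 3
[5140]
accept = 127.0.0.1:514
connect = 192.168.x.x:5140
"""
```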
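The facility*8 + severity arithmetic from the ntsyslog notes above, as an added example (not code from ntsyslog, syslog-ng or the original post): it encodes a priority, decodes the default value 9 stored in the registry back to user.alert, and reads the <PRI> header of a raw syslog line. The sample line is constructed, not captured from the setup described.

```python
"""Syslog priority arithmetic as described in the NTsyslog notes above.

Added example (not code from ntsyslog, syslog-ng or the original post).
Encodes facility*8 + severity, decodes a PRI value such as the default 9
stored in the '... Priority' registry values back to facility.severity,
and reads the <PRI> header of a raw syslog line.
"""
import re

# Facility and severity names in the order the NTsyslog documentation lists them
FACILITIES = [
    "kernel", "user", "mail", "system", "security/auth 1", "syslog",
    "line printer", "news", "uucp", "clock 1", "security/auth 2", "ftp",
    "ntp", "log audit", "log alert", "clock 2",
    "local 0", "local 1", "local 2", "local 3",
    "local 4", "local 5", "local 6", "local 7",
]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]

def encode_priority(facility, severity):
    """Facility 0-23 and severity 0-7 -> the PRI value NTsyslog stores."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity

def decode_priority(pri):
    """PRI value -> (facility name, severity name); 9 -> ('user', 'alert')."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI must be 0-191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

_PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri_header(line):
    """Facility/severity names from a raw '<PRI>...' line, or None if absent/invalid."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return decode_priority(pri) if pri <= 191 else None

# Constructed sample line carrying the default priority 9 (user.alert)
SAMPLE_LINE = "<9>Feb  2 11:38:18 winbox Security: constructed sample event"

if __name__ == "__main__":
    print(encode_priority(1, 1), decode_priority(9), parse_pri_header(SAMPLE_LINE))
```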