[stunnel-users] Stunnel with ntsyslog on windows 2000 forwarding to syslog-ng on fedora core 4 with stunnel in the middle.

Anthony Cicalla Anthony.Cicalla at BankServ.com
Fri Feb 3 19:46:26 CET 2006


Website questions answered first
1) ntsyslog (on windows 2000 pro) is not connecting through stunnel to the
(fedora core 4) syslog-ng daemon.
2) latest version of stunnel, just downloaded it.
3) stunnel
   syslog-ng -f /etc/syslog-ng.conf
4) ran the command but got no output. (stunnel /etc/stunnel/stunnel.conf -f
-D -7)
5) ran the command and it executed as above but still got no output; ran
(stunnel /etc/stunnel/stunnel.conf -V)
6)Linux echelon.bankserv.com 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT
2005 i686 i686 i386 GNU/Linux
7) sorry, I'm a noob and don't know how to get this.  I am from the windows
side of the house.  If you need it, send me the command and I will get you
the output.
8)Using built-in specs.
Target: i386-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man
--infodir=/usr/share/info --enable-shared --enable-threads=posix
--enable-checking=release --with-system-zlib --enable-__cxa_atexit
--disable-libunwind-exceptions --enable-libgcj-multifile
--enable-languages=c,c++,objc,java,f95,ada --enable-java-awt=gtk
--with-java-home=/usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/jre
--host=i386-redhat-linux
Thread model: posix
gcc version 4.0.0 20050519 (Red Hat 4.0.0-8)
9)This is the latest version for fedora core 4.  I downloaded the packages
for openssl and ran the updater.

I am setting up centralized logging with stunnel, syslog-ng, ntsyslog.
Following the directions from these two links.
<http://www.stunnel.org/examples/syslog-ng.html>
<http://www.monitorware.com/Common/en/Articles/eventlog-stunnel-syslog.php>



Encrypting traffic to a remote syslog-ng server including SSL peer
authentication

1. Install stunnel and syslog-ng on all machines.

2. Create certificates for all machines. On RedHat 9 and similar machines,
you can do the following as root:

# cd /etc/pki/tls/certs
# make syslog-ng-server.pem
# make syslog-ng-client.pem

3. Place copies of syslog-ng-server.pem on all machines in /etc/stunnel with
one important alteration. The clients only need the certificate section of
syslog-ng-server.pem. In other words, remove the private key section from
syslog-ng-server.pem on all clients. Place every client's
syslog-ng-client.pem in /etc/stunnel. For server, create a special
syslog-ng-client.pem containing the certificate sections for all clients and
place in /etc/stunnel. In other words, remove the private key sections from
all syslog-ng-client.pem files and concatenate what is left to create
server's special syslog-ng-client.pem.

4. Give only root ownership, read and write permissions for certificates.

5. On server, create /etc/stunnel/stunnel.conf containing the following
replacing server IP address accordingly:

   cert = /etc/stunnel/syslog-ng-server.pem
   CAfile = /etc/stunnel/syslog-ng-client.pem
   verify = 3
   [5140]
        accept = 192.x.x.x:5140
        connect = 127.0.0.1:514

On clients, create /etc/stunnel/stunnel.conf containing the following
replacing server IP address accordingly:

   client = yes
   cert = /etc/stunnel/syslog-ng-client.pem
   CAfile = /etc/stunnel/syslog-ng-server.pem
   verify = 3
   [5140]
        accept = 127.0.0.1:514
        connect = 192.x.x.x:5140

6. On server, create the following in /etc/syslog-ng.conf:

   options {  long_hostnames(off);
              sync(0);
              keep_hostname(yes);
              chain_hostnames(no);  };
   source src {unix-stream("/dev/log");
               pipe("/proc/kmsg");
               internal();};
   source stunnel {tcp(ip("127.0.0.1")
                   port(514)
                   max-connections(1));};
   destination remoteclient {file("/var/log/remoteclient");};
   destination dest {file("/var/log/messages");};
   log {source(src); destination(dest);};
   log {source(stunnel); destination(remoteclient);};

On clients, create the following in /etc/syslog-ng.conf:

   options {long_hostnames(off);
            sync(0);};
   source src {unix-stream("/dev/log"); pipe("/proc/kmsg");
               internal();};
   destination dest {file("/var/log/messages");};
   destination stunnel {tcp("127.0.0.1" port(514));};
   log {source(src);destination(dest);};
   log {source(src);destination(stunnel);};

(See syslog-ng documentation for more sophisticated syslog-ng.conf
alternatives.)

7. Open necessary ports with regards to packet filtering and TCP wrappers.

8. On all machines, add the following lines to boot procedure and execute
them now:

# stunnel
# syslog-ng -f /etc/syslog-ng.conf


That was the unix side stunnel config.

Copy the files to a location of your choice. If in doubt what you need,
download the latest stunnel binary as well as the ZIP file with the openssl
libraries. Place everything in the same directory, e.g. c:\bin\stunnel.
Please note that the stunnel binary (e.g. stunnel-4.04.exe) is the actual
stunnel program and NOT a self-extracting exe program.

Once you have done this, you only need to supply stunnel with a correct
configuration file. You can use the one from the stunnel UNIX/Linux
tutorial, step 5. Make sure that you not only copy over the config file but
also the needed .PEM files. You probably need to change the paths in the
stunnel.conf file to reflect your local Windows directory structure.

Once you have the config file ready, you can start the Windows stunnel.
Please note that it by default starts interactively. If all goes well, there
is a small icon in the icon tray. Double-click it to get a status window. If
something goes wrong, the status window automatically appears with a nice
error message.

AT THIS POINT I AM ABLE TO START STUNNEL WITH NO ERRORS SHOW UP BUT 0 ACTIVE
TUNNELS.

Let's assume all went well. What is left is that we must tell the event log
monitor where to forward events to.

Installation:

    Install the service by executing the following command:

         NTsyslog -install

    The service will be started automatically by the service control manager
during system startup. You can start and stop the service manually from the
Services Control Panel.

    By default the service runs under the LocalSystem account. The service
can be configured to run as a local user with the following rights:

        * Log on as a service
        * Manage auditing and security log 

    The user the service runs as can be configured in the NTsyslog
Properties page which can be accessed through the Services Control Panel.

    A GUI tool, NTSyslogCtrl is provided to configure what types of messages
are monitored and what priority to use for each type.

    The priority for each event log type controls the service and facility
that the syslog message is sent to. Each log type has a separate priority.
If the priority for a particular key does not exist, as if you were
upgrading, or using an old NTSyslogCtrl app, the default is 9, user.alert.

    Usually, syslog refers to a "facility" and "severity". These are
combined in to a single value called "priority".

    To calculate the priorities from normal facility and severity codes:

        Take the numeric value for the facility, multiply by 8, and add the
numeric value for the severity. 

    Standard facility and severity values are:

        Facility:

        (0)  kernel               (12) ntp
        (1)  user                 (13) log audit
        (2)  mail                 (14) log alert
        (3)  system               (15) clock 2
        (4)  security/auth 1      (16) local 0
        (5)  syslog               (17) local 1
        (6)  line printer         (18) local 2
        (7)  news                 (19) local 3
        (8)  uucp                 (20) local 4
        (9)  clock 1              (21) local 5
        (10) security/auth 2      (22) local 6
        (11) ftp                  (23) local 7

        Severity:

        (0) emergency             (4) warning
        (1) alert                 (5) notice
        (2) critical              (6) information
        (3) error                 (7) debug

        Note that facility 4, 9, 10, and 15 have different meaning on
various systems. Please consult your system manual pages or syslogd
documentation.
        Complete details are available in RFC 3164. See:
<http://www.ietf.org/rfc/rfc3164.txt>

    The NTSyslog service must be stopped and restarted for the Registry
settings to take effect. By default all messages are sent using the
user.alert priority.



Registry Settings:

    The NTSyslogCtrl program is the preferred method of configuring the
registry. Editing the registry manually is not required when using the
configuration tool.

    The syslog host is configured by creating the following Registry entry:

        [HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet]
        "Syslog"="192.X.X.X"

    An additional syslog host may be configured for redundancy:

        [HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet]
        "Syslog1"=""

    The syslog host can be specified by domain name (loghost.example.com) or
by IP address (10.123.112.1).

    The types of event log messages sent to the syslog host can be
configured by setting the dword value for each of the types of messages. All
types with a non-zero value will be processed. The included registry file
enables all event types for each event log:

        [HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\System]
        "Information"=dword:00000001
        "Information Priority"=dword:00000009
        "Warning"=dword:00000001
        "Warning Priority"=dword:00000009
        "Error"=dword:00000001
        "Error Priority"=dword:00000009
        "Audit Success"=dword:00000001
        "Audit Success Priority"=dword:00000009
        "Audit Failure"=dword:00000001
        "Audit Failure Priority"=dword:00000009

        [HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Security]
        "Information"=dword:00000001
        "Information Priority"=dword:00000009
        "Warning"=dword:00000001
        "Warning Priority"=dword:00000009
        "Error"=dword:00000001
        "Error Priority"=dword:00000009
        "Audit Success"=dword:00000001
        "Audit Success Priority"=dword:00000009
        "Audit Failure"=dword:00000001
        "Audit Failure Priority"=dword:00000009

        [HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Application]
        "Information"=dword:00000001
        "Information Priority"=dword:00000009
        "Warning"=dword:00000001
        "Warning Priority"=dword:00000009
        "Error"=dword:00000001
        "Error Priority"=dword:00000009
        "Audit Success"=dword:00000001
        "Audit Success Priority"=dword:00000009
        "Audit Failure"=dword:00000001
        "Audit Failure Priority"=dword:00000009

    Version 1.11 and later supports user defined event logs. Simply add the
appropriate sub-key and settings to the registry in the same format as the
three standard event logs:

        [HKEY_LOCAL_MACHINE\SOFTWARE\SaberNet\Syslog\Directory Service]
        "Information"=dword:00000001
        "Information Priority"=dword:00000009
        "Warning"=dword:00000001
        "Warning Priority"=dword:00000009
        "Error"=dword:00000001
        "Error Priority"=dword:00000009
        "Audit Success"=dword:00000001
        "Audit Success Priority"=dword:00000009
        "Audit Failure"=dword:00000001
        "Audit Failure Priority"=dword:00000009



ok after all of this configuration and setup I get no syslogs in on the
logging server.  I did an ethereal capture and tested a few settings.  If I
point it directly to the syslog ip address it's still not connecting because
it's trying to connect on port 514.  The syslog server is running on port
5140 from the config.  I can telnet to port 5140 with no problems.  I can
start the nt syslog service with the server's ip and see packets attempting
to be sent; this tells me that ntsyslog is working.  When I go to examine
stunnel I get

2006.02.02 10:18:06 LOG5[484:108]: stunnel 4.14 on x86-pc-mingw32-gnu
WIN32+SELECT+IPv4 with OpenSSL 0.9.7i 14 Oct 2005
2006.02.02 10:18:07 LOG5[484:652]: No limit detected for the number of
clients
2006.02.02 11:38:18 LOG5[484:640]: 5140 connected from 127.0.0.1:1386
2006.02.02 11:38:27 LOG3[484:640]: SSL_accept: 140760FC: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol


And that is where I am stuck... any help would be greatly appreciated.  I
check this regularly so I will reply or attempt suggestions pretty quickly
and reply the results. I am still pretty new with linux so if you want me to
do something or to get you some information put the commands or step of how
to do it in the post.  It will not only help me but it will help others
behind me that might not know as much as well. 
I followed the instructions above which have the commands.  I created the
pem files and the conf files just as above, although there is no
/etc/syslog-ng.conf on the windows machine.  I still made the files but they
are put in c:\bin\stunnel because syslog-ng doesn't run on windows.  They
recommended snare or something of the like to forward the logs so I chose
ntsyslog.  Ntsyslog is set up exactly like the instructions say.  Like I said
above, stunnel starts without an error; when I start the ntsyslog the error
appears in the stunnel log.



Client
stunnel.conf
cert = C:\bin\stunnel\syslog-ng-server.pem
CAfile = c:\bin\stunnel\syslog-ng-client.pem
verify = 3
[5140]
     accept = 127.0.0.1:514
     connect = 192.168.x.x:5140

Server
stunnel.conf
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3
[5140]
     accept = 192.168.x.x:5140
     connect = 127.0.0.1:514

syslog-ng.conf
options { long_hostnames(off);
          sync(0);
          keep_hostname(yes);
          chain_hostnames(no); };
source src {unix-stream("/dev/log");
            pipe("/proc/kmsg");
            internal();};
source stunnel {tcp(ip("127.0.0.1")
                port(514)
                max-connections(1));};
destination remoteclient {file("/var/log/remoteclient");};
destination dest {file("/var/log/messages");};
log {source(src); destination(dest);};
log {source(stunnel); destination(remoteclient);};


When you run the gui for ntsyslog it creates the registry entries so I did
not have to create them.



Client is on windows the server is the fedora core 4 box
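The tutorial's client-side stunnel.conf (step 5) starts with `client = yes`, and its client uses its own syslog-ng-client.pem as `cert` with the server certificate as `CAfile`; the Windows config posted above has neither. The following linter is an added example written for this thread (not code from stunnel, ntsyslog or the original poster). It parses the stunnel.conf layout the tutorial uses (global `key = value` options, then `[service]` sections with accept/connect) and reports where a config departs from the client or server shape of the tutorial; the embedded sample configs are copied from the post, placeholder addresses included. The file-name heuristic for cert/CAfile pairing assumes the tutorial's naming (`*-client.pem`, `*-server.pem`).

```python
"""Lint a stunnel.conf against the client/server shape used in the
stunnel.org syslog-ng tutorial. Added example for this thread; not code
from stunnel, ntsyslog or the original post."""

# Windows client config as posted (copied from the post, placeholders kept).
POSTED_CLIENT_CONF = r"""
cert = C:\bin\stunnel\syslog-ng-server.pem
CAfile = c:\bin\stunnel\syslog-ng-client.pem
verify = 3
[5140]
     accept = 127.0.0.1:514
     connect = 192.168.x.x:5140
"""

# Client config as the tutorial's step 5 gives it.
TUTORIAL_CLIENT_CONF = r"""
client = yes
cert = /etc/stunnel/syslog-ng-client.pem
CAfile = /etc/stunnel/syslog-ng-server.pem
verify = 3
[5140]
     accept = 127.0.0.1:514
     connect = 192.x.x.x:5140
"""

# Fedora server config as posted.
POSTED_SERVER_CONF = r"""
cert = /etc/stunnel/syslog-ng-server.pem
CAfile = /etc/stunnel/syslog-ng-client.pem
verify = 3
[5140]
     accept = 192.168.x.x:5140
     connect = 127.0.0.1:514
"""


def parse_stunnel_conf(text):
    """Return (global_opts, {service_name: opts}). Keys are lower-cased;
    blank lines and '#'/';' comment lines are skipped."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a "key = value" line
        target = global_opts if current is None else services[current]
        target[key.strip().lower()] = value.strip()
    return global_opts, services


def basename(path):
    """File name part of a Unix or Windows path (heuristic helper)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def check_role(text, expected_role):
    """Return a list of findings for a config meant to be the 'client' or
    'server' end of the tunnel; [] means it matches the tutorial's shape.

    stunnel runs in server mode unless 'client = yes' is set, so a client
    config without it performs SSL_accept on the plaintext its local syslog
    sender writes to the accept port, which is what an 'unknown protocol'
    error in SSL23_GET_CLIENT_HELLO on that side looks like."""
    global_opts, services = parse_stunnel_conf(text)
    findings = []
    client_mode = global_opts.get("client", "no").lower() == "yes"
    if expected_role == "client" and not client_mode:
        findings.append("missing 'client = yes': stunnel will run in server "
                        "mode and try SSL_accept on plaintext from the local sender")
    if expected_role == "server" and client_mode:
        findings.append("'client = yes' is set on the server end")

    cert = basename(global_opts.get("cert", "").lower())
    cafile = basename(global_opts.get("cafile", "").lower())
    if not cert:
        findings.append("no 'cert': this end cannot present a certificate to a peer using verify = 3")
    if global_opts.get("verify") == "3" and not cafile:
        findings.append("verify = 3 without 'CAfile': the peer certificate cannot be matched locally")
    # Tutorial naming heuristic: 'cert' is this end's own *-<role>.pem (with
    # private key), 'CAfile' holds the peer's certificate.
    own, peer = ("client", "server") if expected_role == "client" else ("server", "client")
    if cert and peer in cert and own not in cert:
        findings.append(f"'cert' names the {peer} file; it should be this {own}'s own key+certificate")
    if cafile and own in cafile and peer not in cafile:
        findings.append(f"'CAfile' names the {own} file; it should hold the {peer} certificate")

    for name, opts in services.items():
        for required in ("accept", "connect"):
            if required not in opts:
                findings.append(f"[{name}] has no '{required}'")
        accept, connect = opts.get("accept", ""), opts.get("connect", "")
        if expected_role == "client" and accept and not accept.startswith("127.0.0.1:"):
            findings.append(f"[{name}] accept differs from the tutorial's loopback listener")
        if expected_role == "server" and connect and not connect.startswith("127.0.0.1:"):
            findings.append(f"[{name}] connect differs from the tutorial's loopback syslog-ng")
    return findings


if __name__ == "__main__":
    for label, conf, role in (("posted client", POSTED_CLIENT_CONF, "client"),
                              ("tutorial client", TUTORIAL_CLIENT_CONF, "client"),
                              ("posted server", POSTED_SERVER_CONF, "server")):
        print(label, "->", check_role(conf, role) or "matches the tutorial")
```

Run as a script it prints three findings for the posted client config, none for the tutorial's client config and none for the posted server config. The check is deliberately local: it reads nothing but the config text, so it can be run on the Windows copy before the tunnel is started.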
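The ntsyslog README quoted above stores one priority per event type as a REG_DWORD (the default 9 = user.alert) and describes the calculation as facility times 8 plus severity. The block below is an added example for this thread, not ntsyslog or syslog-ng code: it composes and decodes such priorities using the README's facility and severity tables, converts the `dword:` text of a .reg export, and parses the `<PRI>` part off a syslog line as RFC 3164 lays it out. The sample message line is constructed.

```python
"""RFC 3164 priority (PRI) helpers for the ntsyslog registry values.
Added example for this thread; not code from ntsyslog or syslog-ng."""
import re

# Names as listed in the ntsyslog README (facility 4, 9, 10 and 15 vary by system).
FACILITIES = [
    "kernel", "user", "mail", "system", "security/auth 1", "syslog",
    "line printer", "news", "uucp", "clock 1", "security/auth 2", "ftp",
    "ntp", "log audit", "log alert", "clock 2",
    "local 0", "local 1", "local 2", "local 3",
    "local 4", "local 5", "local 6", "local 7",
]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]


def priority(facility, severity):
    """PRI = facility * 8 + severity. Either argument may be a number or a
    name from the tables above."""
    if isinstance(facility, str):
        facility = FACILITIES.index(facility)
    if isinstance(severity, str):
        severity = SEVERITIES.index(severity)
    if not (0 <= facility < len(FACILITIES) and 0 <= severity < len(SEVERITIES)):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_priority(pri):
    """Inverse of priority(): (facility_name, severity_name).
    Values above 191 name no facility/severity pair and are rejected."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} outside 0..191")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def registry_dword_to_priority(value):
    """Turn the 'dword:00000009' text of a .reg export into the PRI number."""
    return int(value.split(":", 1)[-1], 16)


# RFC 3164: PRI is '<' + one to three digits + '>' at the very start of the
# packet, with nothing (not even whitespace) before it.
PRI_RE = re.compile(r"<(\d{1,3})>")


def parse_message(packet):
    """Split a syslog packet into (facility_name, severity_name, remainder).
    Raises ValueError when the PRI part is missing or malformed, so a
    collector does not silently file such lines under a guessed priority."""
    m = PRI_RE.match(packet)
    if m is None:
        raise ValueError("packet does not start with <PRI>")
    facility, severity = decode_priority(int(m.group(1)))
    return facility, severity, packet[m.end():]


if __name__ == "__main__":
    # ntsyslog's default dword 9 is user.alert, as the README states.
    print(decode_priority(registry_dword_to_priority("dword:00000009")))
    # Constructed sample line, the kind of packet the Fedora side would see
    # on 127.0.0.1:514 after stunnel has decrypted it.
    print(parse_message("<9>Feb  3 19:46:26 win2kpro ntsyslog: constructed sample event"))
```

Dropping the PRI digits into `FACILITIES[pri // 8]` is the whole decoding; the range check matters because a malformed or oversized value would otherwise index past the table and be mislabelled rather than rejected.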







