We have recently implemented Syslog streaming on our Appian platform. The log file is reporting a TLS handshake failure. We've been able to successfully use Curl (sample command below) to connect to the syslog server. We've done an end-to-end packet capture while doing this curl and can't see any evidence of a TLS handshake error. The certificate we use is a wildcard certificate (i.e. *.oir.qld.gov.au), but Appian support have confirmed this is acceptable. Examining the packet capture, we can see both a client and server hello, and both are successful. Because of this, I suspect the error lies within the rsyslog setup on my syslog server.
Sample Curl Command that reports a successful connection
curl -ilv OIRPSENTINEL01.oir.qld.gov.au:6514
Setup of rsyslog.conf on our Syslog server
---------------------------------------------------------------------------------------------------------------------------------------
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# or latest version online at www.rsyslog.com/.../rsyslog_conf.html
# If you experience problems, see www.rsyslog.com/.../troubleshoot.html

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
global(workDirectory="/var/lib/rsyslog")

# Use default timestamp format
module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")

# Include all config files in /etc/rsyslog.d/
include(file="/etc/rsyslog.d/*.conf" mode="optional")

$DebugFile /etc/syslog/debug.log
$DebugLevel 2

#### MODULES ####

module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
       SysSock.Use="off") # Turn off message reception via local log socket;
                          # local messages are retrieved through imjournal now.
module(load="imjournal"             # provides access to the systemd journal
       StateFile="imjournal.state") # File to store the position in the journal
#module(load="imklog") # reads kernel messages (the same are read from journald)
#module(load="immark") # provides --MARK-- message capability

# Provides UDP syslog reception
# for parameters see www.rsyslog.com/.../imudp.html
#module(load="imudp") # needs to be done just once
#input(type="imudp" port="514")

# Provides TCP syslog reception
# for parameters see www.rsyslog.com/.../imtcp.html
# make gtls driver the default
$DefaultNetstreamDriver ossl

# certificate files
$DefaultNetstreamDriverCAFile /home/millarbr/syslog/wildcard_ca.pem
$DefaultNetstreamDriverCertFile /home/millarbr/syslog/wildcard_cl.pem
$DefaultNetstreamDriverKeyFile /home/millarbr/syslog/wildcard_key.pem

$ModLoad imtcp # load TCP listener

$InputTCPServerStreamDriverMode 1       # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerRun 6514                  # start up listener at port 6514

#module(load="imptcp") # needs to be done just once
#input(type="imptcp" port="514")

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
-----------------------------------------------------------------
I understand that rsyslog is typically set up for mutual TLS authentication, and Appian only supports server authentication. I am of the understanding this is achieved via the "$InputTCPServerStreamDriverAuthMode anon" command. Are there additional commands required? Does anyone have any other suggestions?
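An added diagnostic (not part of the post above) for checking an rsyslog TLS listener from the client side: it performs a server-authenticating handshake the way a syslog sender in `anon` mode does (verify the server chain against a CA file, check the name), reports the negotiated version, cipher and the server certificate's DNS names, and optionally sends one RFC 5425 octet-counted test frame. Host, port and CA path in `__main__` are placeholders to substitute.

```python
import socket
import ssl


def frame_syslog(msg: str) -> bytes:
    """RFC 5425 octet-counting: '<len> <msg>' so the receiver knows the frame boundary."""
    payload = msg.encode("utf-8")
    return b"%d %s" % (len(payload), payload)


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate name such as '*.example.test' the way TLS clients do
    (RFC 6125): '*' only as the whole leftmost label, matching exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def probe_tls(host: str, port: int, cafile: str, test_msg: str = "", timeout: float = 5.0) -> dict:
    """Handshake as a non-mutual (server-auth-only) client against host:port.
    Returns a dict; on failure 'error' carries the SSL alert / verify reason text."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI = host
                cert = tls.getpeercert()
                names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                if test_msg:
                    tls.sendall(frame_syslog(test_msg))
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0],
                        "san": names, "name_ok": any(wildcard_matches(n, host) for n in names)}
    except (ssl.SSLError, OSError) as exc:  # handshake alert, verify failure, missing CA, TCP error
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Placeholder values: substitute the real collector name, port and CA bundle.
    print(probe_tls("syslog.example.test", 6514, "/path/to/wildcard_ca.pem",
                    test_msg="<14>1 2024-01-01T00:00:00Z host app - - - tls probe"))
```

A failing result whose `error` names a verify problem points at the chain in `$DefaultNetstreamDriverCAFile`, while an alert during the handshake points at the listener's driver or key/cert pairing.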