Syslog-ng stunnel

From snippet wiki
Jump to navigation Jump to search

Personal CA structure

Make a local copy of the file and change some of the default values to your needs (Country, State, Location).

You should expand DAYS and CADAYS to a much longer valid time.

Update the default key length from 1024 bits to 2k by changing the first to the second line:

$REQ -new -keyout 
$REQ -newkey rsa:2048 -keyout

Copy the standard openssl.cnf to your myCA subfolder and point to it by setting a environment variable within

Update openssl.cnf to use that myCA subfolder and match the default_bits to 2048 and default_days to the value above.

Now you can create your CA root certificate once and for all: -newca

Syslog Server

Create a new certificate for the central logging server. Works similar to the client certs.

./ -newreq
./ -sign
openssl rsa -in newkey.pem -out newkey_nopwd.pem

New client

Create a new certificate request for each logging client and sign it:

./ -newreq
./ -sign

Now you have the private key newkey.pem and the certificate newcert.pem in your current directory.

The sign command might throw an error if you recreate a signature for an existing DN. In this case you might see failed to update database! Just remove the offending line within the index.txt of your CA structure and retry.

Optionally remove the password from the private key:

openssl rsa -in newkey.pem -out newkey_nopwd.pem

You might have to remove the verbose text from the certificate file and leave only the dashed block intact.

Now copy the certificate to your logging server into /etc/stunnel/certs/ with a self explaining name and make a symbolic link with the hash of the key:

ln -s client_cert.pem `openssl x509 -noout -hash -in client_cert.pem`.0

(Mind the backticks)

The logging server can now be restartet and let's switch to the new logging client. Copy the newkey.pem to the loggin client into /etc/stunnel/ with a self explainnig name and add a new tunnel configuration:

client = yes
CAfile = /etc/stunnel/cacert.pem
cert = /etc/stunnel/client_cert.pem
key = /etc/stunnel/client_nopwd_key.pem
verify = 2
debug = 5
        accept =
        connect = x.x.x.x:5140

As you can see you will need the personal CA root certificate and your client certificate files too.

For debian you might have to change the /etc/default/stunnel4 file in one line:


Now you can start that stunnel.

You still have to add some lines to your syslog-ng configuration. Create a file 10syslognet.conf within /etc/syslog-ng/conf.d/ with those lines:

destination d_net { tcp("" port(514) log_fifo_size(1000)); };
log { source(s_src); destination(d_net); };

And restart the syslog-ng server. You will see some accepting lines in the /var/log/daemon.log files on both sides about accepting a certificate. These lines only appear after the first transmitted syslog lines, so just be patient or log some lines yourself.

Checking pem files

To check for a valid certificate file you can use this command line:

openssl x509 -in my_client_cert.pem -text -noout

which gives you the dates from and to like:

    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, ST=Hessen, O=YourName,
            Not Before: Apr 14 07:14:16 2016 GMT
            Not After : Apr 14 07:14:16 2018 GMT