Step 1 - Download SSL Certificate

Download the star.logit.io.crt file and place it in /etc/certs/syslog/keys/ca.d (or another directory; if you choose a different one, use that path in the $DefaultNetstreamDriverCAFile line of the rsyslog config).

https://cdn.logit.io/star.logit.io.crt

sudo mkdir -p /etc/certs/syslog/keys/ca.d
sudo curl -o /etc/certs/syslog/keys/ca.d/star.logit.io.crt https://cdn.logit.io/star.logit.io.crt

rsyslog uses this CA certificate to validate the certificate presented by logit.io, preventing man-in-the-middle attacks.

Step 2 - Locate rsyslog config

/etc/rsyslog.conf

$DefaultNetstreamDriverCAFile /etc/certs/syslog/keys/ca.d/star.logit.io.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logit.io

*.* @@your-logstash-host:your-port

Notes

  • If possible, run the latest minor version of rsyslog v7 or v8; past versions contain many TLS bugs.
  • Ensure there is @@ (not a single @) in front of the host, so that TCP is used.

Step 3 - Check which Solaris syslog is enabled

Solaris ships with a default syslog service that may need to be disabled. To check which system-log service is running, use the command below.

svcs system-log
STATE          STIME    FMRI
disabled       11:16:28 svc:/system/system-log:rsyslog
online         11:16:48 svc:/system/system-log:default

Disable system-log:default

svcadm disable svc:/system/system-log:default

Enable rsyslog

svcadm enable svc:/system/system-log:rsyslog

The above commands can also be used to restart rsyslog if changes are made to the config file.

Step 4 - Troubleshooting

If you receive either of the following errors:

could not load module '/usr/lib/rsyslog/lmnsd_gtls.so', rsyslog error -2078 [try http://www.rsyslog.com/e/2068 ]

Or

could not load module '/usr/lib/rsyslog/lmnsd_gtls.so', dlopen: /usr/lib/rsyslog/lmnsd_gtls.so: cannot open shared object file: No such file or directory [try http://www.rsyslog.com/e/2066 ]

First, make sure that the module actually exists by running ls against the path in the error, for example:

ls -la /usr/lib/rsyslog/lmnsd_gtls.so

Ensure that the user which runs rsyslog has permission to read logit.io's CA certificate (in the instructions above, /etc/certs/syslog/keys/ca.d/star.logit.io.crt). On many distributions, rsyslog starts as root and then drops privileges to an unprivileged user. In that case, run chmod 644 /etc/certs/syslog/keys/ca.d/star.logit.io.crt so that all users can read the certificate file.

Finally, this error may appear if you are using $ModLoad lmnsd_gtls to explicitly load the TLS module and that line occurs before $DefaultNetstreamDriverCAFile has been defined. Explicitly loading the module is rarely required and the configuration above does not use it. We recommend removing the $ModLoad lmnsd_gtls line and relying on autoloading. If lmnsd_gtls does need to be loaded explicitly, for example because it is in a non-default location, move the $DefaultNetstreamDriverCAFile line above the $ModLoad line.
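The checks below are an added example, not code from the Logit.io page or from rsyslog itself. They are a POSIX shell linter for the Step 2 directives (CA file present, the $ModLoad ordering from Step 4, TLS-only mode, x509/name authentication with a permitted peer, and @@ rather than a single @ from the Notes) plus a check on the CA file from Step 1 (exists, world-readable, and actually a PEM certificate). The two sample configurations are constructed; the directive names and paths are the ones used above.

```shell
#!/bin/sh
# Added example (not from the Logit.io page): lint an rsyslog client config for the
# TLS forwarding directives from Step 2 and check the CA file from Step 1 the way
# the Step 4 troubleshooting suggests. Both sample configs below are constructed.

# Constructed sample: the Step 2 config with the Step 1 CA path.
GOOD_CONF='$DefaultNetstreamDriverCAFile /etc/certs/syslog/keys/ca.d/star.logit.io.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logit.io
*.* @@your-logstash-host:your-port'

# Constructed sample with the mistakes the Notes and Step 4 call out: $ModLoad
# before the CA directive, no peer name check, and a single @ (UDP, not TLS).
BAD_CONF='$ModLoad lmnsd_gtls
$DefaultNetstreamDriverCAFile /etc/certs/syslog/keys/ca.d/star.logit.io.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @your-logstash-host:your-port'

# line_of PATTERN CONF_TEXT: line number of the first line matching PATTERN, or empty.
line_of() {
  printf '%s\n' "$2" | grep -n "$1" | head -n 1 | cut -d: -f1
}

# check_rsyslog_conf CONF_TEXT
# Prints one line per problem found; returns 0 when clean, 1 otherwise.
check_rsyslog_conf() {
  conf=$1
  rc=0
  caline=$(line_of '^\$DefaultNetstreamDriverCAFile ' "$conf")
  modline=$(line_of '^\$ModLoad lmnsd_gtls' "$conf")

  # Without a CA file rsyslog cannot verify the server certificate at all.
  if [ -z "$caline" ]; then
    echo 'missing $DefaultNetstreamDriverCAFile'; rc=1
  # An explicit $ModLoad lmnsd_gtls must come after the CA directive (Step 4).
  elif [ -n "$modline" ] && [ "$modline" -lt "$caline" ]; then
    echo '$ModLoad lmnsd_gtls appears before $DefaultNetstreamDriverCAFile'; rc=1
  fi

  # Mode 1 means TLS only; any other value allows plaintext connections.
  printf '%s\n' "$conf" | grep -q '^\$ActionSendStreamDriverMode 1$' \
    || { echo '$ActionSendStreamDriverMode is not 1 (TLS-only)'; rc=1; }

  # Authenticate the server by certificate name and pin the expected name.
  printf '%s\n' "$conf" | grep -q '^\$ActionSendStreamDriverAuthMode x509/name$' \
    || { echo '$ActionSendStreamDriverAuthMode is not x509/name'; rc=1; }
  printf '%s\n' "$conf" | grep -q '^\$ActionSendStreamDriverPermittedPeer .' \
    || { echo 'missing $ActionSendStreamDriverPermittedPeer'; rc=1; }

  # A single @ forwards over UDP, which the TLS stream driver never protects.
  printf '%s\n' "$conf" | grep -q '^\*\.\*[[:space:]]*@[^@]' \
    && { echo 'forwarding rule uses a single @ (UDP); use @@ for TCP'; rc=1; }

  return $rc
}

# check_ca_file PATH
# Step 4: the file must exist, be readable by other users (rsyslog drops root on
# many distributions) and actually be a PEM certificate rather than a failed download.
check_ca_file() {
  f=$1
  [ -f "$f" ] || { echo "CA file not found: $f"; return 1; }
  # Column 8 of ls -l is the "other" read bit; chmod 644 sets it.
  case $(ls -ld "$f" | cut -c8) in
    r) ;;
    *) echo "CA file is not world-readable (chmod 644): $f"; return 1 ;;
  esac
  grep -q 'BEGIN CERTIFICATE' "$f" \
    || { echo "not a PEM certificate (bad download?): $f"; return 1; }
  return 0
}

# Stand-alone demo on the constructed configs.
echo "GOOD_CONF:"; check_rsyslog_conf "$GOOD_CONF" && echo "  ok"
echo "BAD_CONF:";  check_rsyslog_conf "$BAD_CONF"  || echo "  problems found"
```

On a real host run `check_rsyslog_conf "$(cat /etc/rsyslog.conf)"` and `check_ca_file /etc/certs/syslog/keys/ca.d/star.logit.io.crt` before restarting rsyslog with the svcadm commands from Step 3; each reported line maps to one of the notes or troubleshooting items above.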
