Download SSL Certificate

Download the star.logit.io.crt file and place it in /etc/rsyslog.d/keys/ca.d/ (or another directory of your choice):

https://cdn.logit.io/star.logit.io.crt

sudo mkdir -p /etc/rsyslog.d/keys/ca.d
sudo curl -o /etc/rsyslog.d/keys/ca.d/star.logit.io.crt https://cdn.logit.io/star.logit.io.crt

rsyslog uses this CA certificate as its trust anchor to validate the certificate presented by logit.io, preventing man-in-the-middle attacks.

RSyslog

On many distros (including CentOS, Fedora, Debian, and Ubuntu) you also need to install the rsyslog-gnutls package.

$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/star.logit.io.crt

$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logit.io

*.* @@your-logstash-host:your-port

Notes

  • If possible, run the latest minor version of rsyslog v7 or v8; past versions contain many TLS bugs.
  • Ensure you use @@, not a single @, in front of the host, so that TCP is used.

Restart

Restart rsyslog so it detects the TLS-over-TCP destination:

sudo /etc/init.d/rsyslog restart

Troubleshooting

could not load module '/usr/lib/rsyslog/lmnsd_gtls.so',
rsyslog error -2078 [try http://www.rsyslog.com/e/2068 ]

Or

could not load module '/usr/lib/rsyslog/lmnsd_gtls.so', 
dlopen: /usr/lib/rsyslog/lmnsd_gtls.so: cannot open shared object file: No such file or directory
[try http://www.rsyslog.com/e/2066 ]

First, make sure the module actually exists by running ls against the path in the error, for example:

ls -la /usr/lib/rsyslog/lmnsd_gtls.so

If it doesn’t exist, install the related package (often called rsyslog-gnutls) or, if you compiled rsyslog from source, compile the module.

sudo apt-get install rsyslog-gnutls

Second, ensure that the user that runs rsyslog has permission to read logit.io’s CA certificate (in the instructions above, /etc/rsyslog.d/keys/ca.d/star.logit.io.crt). On many distributions, rsyslog starts as root and then drops to an unprivileged user. In that case, run chmod 644 /etc/rsyslog.d/keys/ca.d/star.logit.io.crt to let all users read the certificate file.

Finally, this error may appear if you are using $ModLoad lmnsd_gtls to explicitly load the TLS module and that line occurs before $DefaultNetstreamDriverCAFile has been defined. Explicitly loading the module is rarely required, and the configuration above does not use it. We recommend removing the $ModLoad lmnsd_gtls option and relying on autoloading. If lmnsd_gtls does need to be loaded explicitly, for example because it is in a non-default location, move the $DefaultNetstreamDriverCAFile line above the $ModLoad line.
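The following POSIX sh script is an added example, not part of Logit.io's instructions: it turns the @@ note above and the three troubleshooting points into checks that can be run on the forwarding host. Only the paths quoted in the instructions are taken from them; /usr/lib64/rsyslog is an assumed module directory for Fedora/CentOS, and any config content written by the checks is constructed for illustration.

```shell
# Added example, not Logit.io's own: POSIX sh checks for the rsyslog TLS
# forwarding setup above, one per troubleshooting point. Paths other than
# those quoted in the instructions are assumptions; adjust for your distro.

# 1. Forwarding line must use "@@" (TCP). A single "@" selects UDP, which
#    the gtls stream driver does not protect.
check_forward_line() {
  case "$1" in
    *'@@'*) return 0 ;;
    *)      return 1 ;;
  esac
}

# 2. CA file must exist, hold a PEM certificate and be readable by the
#    unprivileged user rsyslog drops to. Returns 1/2/3 for each failure.
check_ca_file() {
  [ -f "$1" ] || return 1
  grep -q 'BEGIN CERTIFICATE' "$1" || return 2
  # 8th character of "ls -l" is the "others" read bit ("r" for mode 644)
  [ "$(ls -ld "$1" | cut -c8)" = "r" ] || return 3
}

# 3. If $ModLoad lmnsd_gtls is present at all, $DefaultNetstreamDriverCAFile
#    must come first; a config relying on autoloading (no $ModLoad) passes.
check_modload_order() {
  awk '
    /^\$DefaultNetstreamDriverCAFile/ && !ca { ca = NR }
    /^\$ModLoad[ \t]+lmnsd_gtls/      && !ml { ml = NR }
    END { if (ml && (!ca || ca > ml)) exit 1 }
  ' "$1"
}

# 4. The gtls driver (package rsyslog-gnutls) must be installed in one of
#    the given module directories.
check_gtls_module() {
  for d in "$@"; do
    [ -f "$d/lmnsd_gtls.so" ] && return 0
  done
  return 1
}

# Walk the checks against the paths used in the instructions above.
# /usr/lib64/rsyslog is the assumed module dir on Fedora/CentOS x86_64.
report() { if "$@"; then echo "ok   : $*"; else echo "FAIL : $*"; fi; }
report check_ca_file /etc/rsyslog.d/keys/ca.d/star.logit.io.crt
report check_gtls_module /usr/lib/rsyslog /usr/lib64/rsyslog
report check_forward_line '*.* @@your-logstash-host:your-port'
for c in /etc/rsyslog.conf /etc/rsyslog.d/*.conf; do
  [ -f "$c" ] && report check_modload_order "$c"
done
```

A FAIL on check_ca_file with return code 3 is the permissions case from the second troubleshooting step; return code 2 means the downloaded file is not a PEM certificate and should be re-fetched.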