@cyhook
Last active February 20, 2020 12:46

SETTING UP STUNNEL BETWEEN 3 SERVERS

STEP 1: Install syslog-ng and stunnel on all servers A, B, C

$ apt-get install syslog-ng stunnel -y


OR on CENTOS

$ yum install syslog-ng stunnel -y

STEP 2: Configure server A to read its log files and send them to server B, which forwards them to server C

$ nano /etc/syslog-ng/syslog-ng.conf

Add the following into the file

destination loghost { tcp("[IP ADDRESS OF C]" port(5140)); };
log { source(s_src); destination(loghost); };

STEP 3: Configure server B to accept incoming syslog and send it to stunnel for forwarding

$ nano /etc/syslog-ng/syslog-ng.conf


At the end of the file add:

# Create source for incoming tcp logs from local servers
source incoming_src { tcp(ip("[IP ADDRESS OF C]") port(5140) keep-alive(yes) max-connections(16)); };

# Create destination for stunnel from localhost to remote site
destination dst_remote_via_stunnel { tcp("127.0.0.1" port(5141)); };

# Send incoming logs to remote
log { source(incoming_src); destination(dst_remote_via_stunnel); };

# Send own logs to remote (optional)
log { source(s_src); destination(dst_remote_via_stunnel); };

STEP 4: Configure stunnel client on server C

$ nano /etc/stunnel/stunnel.conf


At the end of the file add:

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = TLSv1

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = nobody
setgid = nobody
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
debug = 7
output = stunnel.log

; Use it for client mode
client = yes

[syslog-ng]
accept  = 127.0.0.1:5141
connect = [IP ADDRESS OF D]:5140

STEP 5: Enable auto start of stunnel on C

$ nano /etc/default/stunnel4


Change the ENABLED=0 entry to ENABLED=1

STEP 6: Create a certificate and key on server D to encrypt the syslog within the tunnel.

$ sudo openssl req -new -x509 -days 3650 -nodes -out /etc/stunnel/stunnel.pem -keyout /etc/stunnel/stunnel.pem
$ sudo chmod 600 /etc/stunnel/stunnel.pem

STEP 7: Create the stunnel4 chroot directory

$ sudo mkdir /var/lib/stunnel4/
$ sudo chown nobody:nobody /var/lib/stunnel4/

STEP 8: Configure stunnel on remote syslog receiver D

$ nano /etc/stunnel/stunnel.conf

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside the chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

client = no

[syslog-ng]
accept  = 0.0.0.0:5140
connect = 127.0.0.1:5141
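The client config from step 4 and the server config from step 8 are worth checking before they go live: the server pins sslVersion to SSLv3, and the client has no verify/CAfile option, so it encrypts to D without authenticating D's certificate. The following is an added example, not part of the gist: a small Python audit that parses stunnel.conf sections and reports those weaknesses. The finding labels and the two embedded configs are constructed for this example; the option names (sslVersion, client, cert, verify, CAfile) are real stunnel options.

```python
# Constructed copies of the client (C, step 4) and server (D, step 8) options.
CLIENT_CONF = """
sslVersion = TLSv1
client = yes
[syslog-ng]
accept  = 127.0.0.1:5141
connect = [IP ADDRESS OF D]:5140
"""

SERVER_CONF = """
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.pem
sslVersion = SSLv3
client = no
[syslog-ng]
accept  = 0.0.0.0:5140
connect = 127.0.0.1:5141
"""


def parse_stunnel_conf(text):
    """Split stunnel.conf into global options and per-service options.
    Lines starting with ';' or '#' are comments; '[name]' opens a service."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        target = global_opts if current is None else services[current]
        target[key.strip()] = value.strip()
    return global_opts, services


def audit(text):
    """Return sorted finding codes (labels invented for this example)."""
    g, services = parse_stunnel_conf(text)
    scopes = [g, *services.values()]
    findings = set()
    version = g.get("sslVersion")
    if version in ("SSLv2", "SSLv3"):
        findings.add("weak-sslVersion")      # protocol is broken, not just old
    elif version in ("TLSv1", "TLSv1.1"):
        findings.add("legacy-tls")           # deprecated by RFC 8996
    if g.get("client", "no") == "yes":
        # Without verify/CAfile the client never checks the receiver's cert.
        if not any("verify" in s or "CAfile" in s for s in scopes):
            findings.add("client-no-peer-verify")
    elif not any("cert" in s for s in scopes):
        findings.add("server-missing-cert")  # server mode cannot start a TLS session
    return sorted(findings)
```

Running audit() on the two configs above flags the server for SSLv3 and the client for TLSv1 plus the missing peer verification; adding verify = 2 and a CAfile on the client and a TLSv1.2 or newer sslVersion on both clears the findings.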

STEP 9: Configure syslog-ng on remote receiver D to accept stunnel as a log source

$ nano /etc/syslog-ng/syslog-ng.conf

Add the following into your syslog-ng configuration

#Create a source for the incoming remote logs
source s_incoming_remote { tcp(ip("127.0.0.1") port(5141) keep-alive(yes)); };

#Create a destination that splits the incoming syslog into per-server per-day directories
destination d_remote_split { file("/var/log/PRODUCTION/$HOST/$YEAR.$MONTH.$DAY/messages"); };

#Connect the incoming remote syslog to the splitter destination
log { source(s_incoming_remote); destination(d_remote_split); };

STEP 10: Enable auto start of stunnel on D

$ nano /etc/default/stunnel4


Change the ENABLED=0 entry to ENABLED=1
