Version 3.33 of syslog-ng arrived with basic MQTT support. Version 3.34 has added many important features to it: user authentication, TLS support and WebSocket support. These features give you both security and flexibility while sending log messages to an MQTT broker.
This blog helps you to make your first steps securing your MQTT connection.
Before you begin
To use the latest MQTT features of syslog-ng, you have to install at least version 3.34 with MQTT support enabled. Unfortunately, FreeBSD ports does not include the necessary dependency (Paho MQTT C), so you cannot install syslog-ng with MQTT support enabled from ports. Most Linux distributions do not include this version yet, but 3rd-party repositories are available. Check https://www.syslog-ng.com/products/open-source-log-management/3rd-party-binaries.aspx for details.
Features that have additional dependencies are usually available in sub-packages. In case of Fedora / RHEL and openSUSE / SLES packages, MQTT support is available from the syslog-ng-mqtt package.
TLS needs certificates. For that, I reused certs from one of my earlier blogs. You can use that as a cheat sheet, how to create certificates: https://blog.sudo.ws/posts/2021/08/securing-the-sudo-to-sudo_logsrvd-connection/
On the server (broker) side, I used Mosquitto.
Configuring Mosquitto
The Mosquitto configuration has many examples and comments in it. Finding the relevant lines in the configuration can be challenging, so here is a shortened version without comments or empty lines:
[root@fedora34 ~]# grep -v '^#' /etc/mosquitto/mosquitto.conf | grep -v '^$' listener 8883 172.16.167.153 allow_anonymous true certfile /etc/ssl/sudo/certs/client_cert.pem keyfile /etc/ssl/sudo/private/client_key.pem
As you can see, when it comes to the actual configuration, it is really not long. By default, Mosquitto is only listening on localhost. The listener setting above makes sure that it listens on a remotely accessible IP address. We do not use user authentication. The last two lines are related to TLS: the certificate and key files.
Configuring syslog-ng
If your distribution of choice supports it, create a new configuration file under the /etc/syslog-ng/conf.d/ directory with a .conf extension. Otherwise, append the configuration below to syslog-ng.conf.
destination d_mqtt {
mqtt (
address("ssl://172.16.167.153:8883"),
topic("test/$HOST"),
fallback-topic("syslog/fallback")
tls(
peer-verify(no)
)
);
};
log {
source(src);
destination(d_mqtt);
};
Obviously you need to replace the IP address in the above configuration with the actual IP address or host name of your Mosquitto server.
This configuration is similar to the configuration we used previously without TLS, however there are notable differences:
-
in the address() we use ssl:// instead of tcp://
-
the port number for TLS connections is 8883 by default (instead of 1883)
-
the tls() option enables encryption, but the peer is not verified
Testing
You can subscribe to the topic where syslog-ng publishes its log messages. The easiest way is if we use a wildcard instead of subscribing to specific topics:
mosquitto_sub -h 172.16.167.153 -p 8883 --cafile /etc/ssl/sudo/cacert.pem -t '+/+'
The mosquitto_sub command is part of the mosquitto package. As usual, you should replace the IP address with the actual IP address or hostname of your host running Mosquitto, and the --cafile parameter with the path to the CA certificate you use in your Mosquitto configuration.
When you reload syslog-ng, you should see similar messages on screen:
[root@fedora34 mosquitto]# mosquitto_sub -h 172.16.167.153 -p 8883 --cafile /etc/ssl/sudo/cacert.pem -t '+/+' 2021-09-14T17:12:05+02:00 localhost syslog-ng[2964]: syslog-ng starting up; version='3.34.1'
-
If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik.