Lab 5.2

LuisCamacho

I understood step 6 must be done only in main.example.com, right? Where should be done the step 7? main or second? I tried in both but I didn't observe any traffic in port 6514; I imagine something is missing, I'd appreciate any help

Thanks in advance

lee42x

Hi Luis ! Thank you for pointing this out.
In the non-encrypted steps we opened listeners on [main] for both TCP and UDP on port 514. It should not have mattered where we ran Wireshark from (main or secondary) as the traffic should be apperant on both systems. As an extra credit fot the un-encrypted lab, you should be able to configure either or both TCP and UDP depending on your local requirements.
Now, the encrypted steps, generate & configure the keys and rsyslog should function the same. The lab steps show a listener on TCP port 6514 on [main] and [secondary] is sending to TCP on port 6514.
We should see a listener on [main] with "ss -lutn | grep 514". The command should show ports 6514 and 514 for either/both TCP and UDP.

The wire shark bit;
If we are on [secondary] monotoring the private network, we should see connection requests going from [secondary ] to [main] and hopefully the reply from [main] to [secondary.
If we are on [main] listening on the private network we should see the incomming connection request from [secondary] to [main] along with the required responses.
One could have Wireshark running on both systems and watch the packets from both systems.

If you see only one half of the connection conversation it it likely that the firewall is misconfigured, try stopping the firewall and re-test. If theat works, you have confirmed a firewall issue.

Let me know if this helps, Regards Lee

LuisCamacho

Hi Lee!
Thanks for your answer.
I did steps 6 and 7 in both, main and second and I could see something new, please, take a look at Wireshark's screenshot I've attached. I can see the same screen in both, main and second, do I reach the goal? If so, what's the meaning of this? I don't catch yet this. If I didn't reach the goal, do you have any idea what's wrong?

Thanks a lot in advance
Luis

m.taniguchi

By the way, After setting in this Lab, I observed "secondary" tried to connect via 6514/tcp, not UDP. because "secondary" cannot send rsyslog packet to main. sor I added firewall rule to 6514/TCP, seemed to work fine.

[main]

#firewall-cmd --zone=public --add-port=6514/tcp --permanent
#firewall-cmd --reload

It's weird that why secondary and main' firewall is set to 6514/UDP, while main is set to 6514/tcp .
Something wrong?

lee42x

Hello, thank you for the input!
In 5-2-4 we open a listener for encrypted traffic on port 6514/tcp. Both client and server are configured for 6514/tcp.
In step 5-2-6, we should have opened port 6514/tcp on the firewall, not udp.

The directive:
InputTCPServerRun 6514 ........sets the encrypted listener to 6514/tcp
And
.@(o)main.example.com:6514 .... sets the client to transmit log data to 6514/tcp ... and that will be encrypted.

So the udp firewall entry is incorrect. That will be corrected in the next version.

Thank you for bringing this to our attention.

Lee