
How to Encrypt/Decrypt System Log Files via Rsyslog?

Firstly, I got a question about this. I didn't know this was not difficult to find through Google, but that is my bad..

Because the how-to is quite simple, but I could not find exact information on it even after spending an hour googling...

I asked ChatGPT, but it only caused me more confusion because it provided fake information.

Actually, almost every article only covers TLS encryption for secure communication with a remote log server.
( Link: Secure Log-Server with Rsyslog on Oracle Linux )

Anyway, I will quickly share how to encrypt/decrypt Linux system log files via rsyslog.

Encryption of log files is available through the libgcrypt library.

In rsyslog, it is provided by the "lmcry_gcry.so" module.


  1. Install the lmcry_gcry.so module for the rsyslog service (this also installs all dependency packages):
     # yum install rsyslog-crypto
  2. Load the module in /etc/rsyslog.conf
    - Add module(load="lmcry_gcry") on any line
    For example:
     #### MODULES ####
    
    module(load="lmcry_gcry")
  3. Define the files to be encrypted in /etc/rsyslog.conf ( add or change every file you want encrypted )
    For example:
     *.info;mail.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages" cry.provider="gcry" cry.keyfile="/etc/rs.key")
     authpriv.* action(type="omfile" file="/var/log/secure" cry.provider="gcry" cry.keyfile="/etc/rs.key")
  4. Save and exit
  5. Generate the key file (must be at least 16 bytes)
    For example:
     # rscryutil -r 16 --write-keyfile /etc/rs.key
    ** -r: generate a random key (the argument is the key size in bytes)
  6. Restart the rsyslog service
     # systemctl restart rsyslog
  7. Check the rsyslog service for any error
     # systemctl status rsyslog
    ● rsyslog.service - System Logging Service
    Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
    Active: active (running) since Tue 2024-04-02 09:08:23 GMT; 4s ago
    Docs: man:rsyslogd(8)
    https://www.rsyslog.com/doc/
    Main PID: 43280 (rsyslogd)
    Tasks: 3 (limit: 35677)
    Memory: 1.1M
    CGroup: /system.slice/rsyslog.service
    └─43280 /usr/sbin/rsyslogd -n
    
    Apr 02 09:08:23 instance-20231122-mltest systemd[1]: rsyslog.service: Succeeded.
    Apr 02 09:08:23 instance-20231122-mltest systemd[1]: Stopped System Logging Service.
    Apr 02 09:08:23 instance-20231122-mltest systemd[1]: Starting System Logging Service...
    Apr 02 09:08:23 instance-20231122-mltest systemd[1]: Started System Logging Service.
    Apr 02 09:08:23 instance-20231122-mltest rsyslogd[43280]: [origin software="rsyslogd" swVersion="8.2102.0-15.el8" x-pid="43280" x-info="htt>
    Apr 02 09:08:23 instance-20231122-mltest rsyslogd[43280]: imjournal: journal files changed, reloading... [v8.2102.0-15.el8 try https://www>
    Apr 02 09:08:23 instance-20231122-mltest rsyslogd[43280]: Libgcrypt warning: missing initialization - please fix the application
  8. Check the log file
     # logger "Encryption Test"
     # tail -n 3 /var/log/messages
    @<O▒▒▒▒t▒▒▒)g▒▒▒=9▒▒dQ▒9▒
    ▒▒W▒Zٖ-▒Y▒▒\_▒R▒޽(q2▒▒P▒▒ H▒▒▒A▒▒▒ʄ▒q#▒]▒S㔽2͕
          ▒c▒|▒3|jH'ǀ▒▒
  9. Decrypt an encrypted file
     # rscryutil -d -k /etc/rs.key /var/log/messages
    Apr  3 03:05:30 instance-20231122-mltest systemd[1]: Started User Manager for UID 1000.
    Apr  3 03:05:30 instance-20231122-mltest systemd[1]: Started Session 7 of user opc.
    
     ## To write the decrypted output to a file
     # rscryutil -d -k /etc/rs.key /var/log/messages > messages.dec
    Apr  2 09:20:01 instance-20231122-mltest systemd[1]: Starting system activity accounting tool...
    Apr  2 09:20:01 instance-20231122-mltest systemd[1]: sysstat-collect.service: Succeeded.
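As an added example (not from the original post), here is a POSIX shell check to run before step 6: it verifies that the file named in cry.keyfile is at least 16 bytes and readable only by its owner, and it renders the step-3 action line so every encrypted file points at the same key. The function names are mine, and the permission test assumes GNU find.

```shell
#!/bin/sh
# Added example, not from the original post: two helpers for the setup
# above. keyfile_check() validates the file named in cry.keyfile before
# rsyslog is restarted; render_rule() prints the omfile action line from
# step 3. Function names and the 16-byte minimum are assumptions.

# keyfile_check PATH MIN_BYTES
# Succeeds only when PATH is a regular file of at least MIN_BYTES bytes
# that is readable by its owner alone. A short key weakens the cipher;
# a group/world-readable key lets any local user run rscryutil -d on
# the encrypted logs, which defeats the purpose of encrypting them.
keyfile_check() {
    f=$1
    min=${2:-16}
    [ -f "$f" ] || { echo "keyfile_check: $f: not a regular file" >&2; return 1; }
    size=$(( $(wc -c < "$f") ))
    if [ "$size" -lt "$min" ]; then
        echo "keyfile_check: $f: only $size bytes, need at least $min" >&2
        return 1
    fi
    # GNU find: -perm /077 matches if ANY group or other permission bit is set.
    if [ -n "$(find "$f" -perm /077 2>/dev/null)" ]; then
        echo "keyfile_check: $f: readable by group/other, chmod 600 it" >&2
        return 1
    fi
    return 0
}

# render_rule SELECTOR LOGFILE KEYFILE
# Prints one rsyslog action line in the form used in step 3, so the
# same keyfile path is used consistently for every encrypted file.
render_rule() {
    printf '%s action(type="omfile" file="%s" cry.provider="gcry" cry.keyfile="%s")\n' \
        "$1" "$2" "$3"
}

# Example use on a real host (run as root, after step 5):
#   keyfile_check /etc/rs.key 16 &&
#     render_rule 'authpriv.*' /var/log/secure /etc/rs.key >> /etc/rsyslog.conf
```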

Of course, rsyslog does not recommend using this crypto module library in a production environment.

( In my opinion, key management and enc/dec management are not easy and are vulnerable )

But it is a very simple way to keep log files secure.