Loggly with TLS

Loggly is a relatively new Bay Area startup, offering a free-tier plan, in a super intuitive, easy to use package (big button infrastructure service). Their mission statement is “Loggly is a cloud based logging service. With Loggly, you can collect logs from your servers and then quickly search them with an intuitive user interface.” All of these things quickly added up to a must investigate. With familiarity with just basic Linux one can be using the service within 20 minutes.

The free-tier plan allows for 200Mb of log data daily, with a retention period of 7 days. To find the free-tier, choose a logging plan using the sliders to the left of “Daily Log Volume” and “Retention Time” to their lowest level.

This page isn’t quite complete. Please drive carefully. Also, see the loggly site for details.

– Basic setup

  • Install rsyslog (see loggly for myriad of methods to send logs)
  • Install loggly certificate /usr/local/etc/loggly.crt
  • Add loggly configuration to /etc/rsyslog.conf (see below)
  • Install gnutls and related (see below, make note of two types of TLS)
  • Restart rsyslog and check for issues ‘tail -f /var/log/messages’
  • Create input on loggly

– Before/after tcpdump

tcpdump -X -s 0 -n -l ‘port 36665’
tcpdump -X -n -l ‘port 36665’
tcpdump -X -l ‘port 36665’

– To install

– yum install gnutls
– yum install rsyslog-gnutls
– yum install gnutls-utils

– Append to /etc/rsyslog.conf
$DefaultNetstreamDriverCAFile /usr/local/admin/etc/loggly/loggly.com.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon

# *.* @@logs.loggly.com:38123 # change to reflect your port (see input configuration on loggly dashboard)