When I set up TLS, I added another input for syslog over tcp:
tcp {
    port => 8888
    type => 'syslog'
    ssl_extra_chain_certs => ['/etc/pki/tls/certs/ca.pem']
    ssl_cert => '/etc/pki/tls/certs/device-nls.crt'
    ssl_key => '/etc/pki/tls/private/device-nls.key'
    ssl_enable => true
    ssl_verify => false
}
I added the following to the client config:
#tls setup
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
Now, the log messages are still loaded into NLS, but they don't appear to be running through the Apache filter. They are all identified as "syslog" and the program value for apache_access or apache_error is not present.
As far as I can tell, I didn't do anything to change the format of the messages, only the transport. However, something must be different. Any ideas?
Thanks,
Eric