From 1cf0e7a125156684bd4bc29526ce95a5dd1e4384 Mon Sep 17 00:00:00 2001 From: ondrejrozsypal Date: Mon, 20 Apr 2020 19:13:32 +0200 Subject: [PATCH 01/13] add CA_path var with defsault value --- Linux Script/configure-linux.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index 57ed7e3..c21a170 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -47,6 +47,8 @@ EXISTING_SYSLOG_PORT= HOST_NAME= #this variable will hold the name of the linux distribution LINUX_DIST= +#this variable will hold the path to public root certificates +CA_PATH="/etc/ssl/certs/ca-certificates.crt" #host name for logs-01.loggly.com LOGS_01_HOST=logs-01.loggly.com From 45277aa5deb5a584399f593ac7af9ce3ec4f540a Mon Sep 17 00:00:00 2001 From: ondrejrozsypal Date: Mon, 20 Apr 2020 19:13:49 +0200 Subject: [PATCH 02/13] remove checking of gen2 environment --- Linux Script/configure-linux.sh | 8 -------- 1 file changed, 8 deletions(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index c21a170..5e3c11f 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -366,14 +366,6 @@ checkIfLogglyServersAccessible() { logMsgToConfigSysLog "ERROR" "ERROR: This is not a recognized subdomain. Please ask the account owner for the subdomain they signed up with. Please note that your subdomain is just the first string in your loggly account URL not the entire account name." exit 1 fi - - echo "INFO: Checking if Gen2 account." - if [ $(curl -s --head --request GET $LOGGLY_ACCOUNT_URL/apiv2/customer | grep "404 NOT FOUND" | wc -l) == 1 ]; then - logMsgToConfigSysLog "ERROR" "ERROR: This scripts need a Gen2 account. Please contact Loggly support." - exit 1 - else - echo "INFO: It is a Gen2 account." - fi } #check if user name and password is valid From 790eade0a2a903b3a1ee3eb42c0099302eed9849 Mon Sep 17 00:00:00 2001 
From: ondrejrozsypal Date: Mon, 20 Apr 2020 19:14:37 +0200 Subject: [PATCH 03/13] remove downloading lg cert --- Linux Script/configure-linux.sh | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index 5e3c11f..1a6569c 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -503,16 +503,6 @@ checkAuthTokenAndWriteContents() { fi } -downloadTlsCerts() { - echo "DOWNLOADING CERTIFICATE" - mkdir -pv /etc/rsyslog.d/keys/ca.d - curl -O https://logdog.loggly.com/media/logs-01.loggly.com_sha12.crt - sudo cp -Prf logs-01.loggly.com_sha12.crt /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt - sudo rm logs-01.loggly.com_sha12.crt - if [ ! -f /etc/rsyslog.d/keys/ca.d//logs-01.loggly.com_sha12.crt ]; then - logMsgToConfigSysLog "ERROR" "ERROR: Certificate could not be downloaded." - exit 1 - fi } confString() { @@ -598,7 +588,6 @@ action(type=\"omfwd\" protocol=\"tcp\" target=\"$LOGS_01_HOST\" port=\"$LOGGLY_S #install the certificate and check if gnutls package is installed installTLSDependencies() { if [ $LOGGLY_TLS_SENDING == "true" ]; then - downloadTlsCerts if [ "$SUPPRESS_PROMPT" == "true" ]; then /bin/bash -c "sudo $PKG_MGR install -y rsyslog-gnutls" else From 000c9c21ecc91b23265f19d491c05509cdcad13b Mon Sep 17 00:00:00 2001 From: ondrejrozsypal Date: Mon, 20 Apr 2020 22:50:38 +0200 Subject: [PATCH 04/13] change lg cert path to os truststore ca bundle --- Linux Script/configure-linux.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index 1a6569c..1a9250d 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh 
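Review bot: The closing brace of `downloadTlsCerts` is left behind as a context line (the ` }` between `- fi` and `confString() {`), so after this commit the script carries an unmatched `}` at top level and bash should stop with a syntax error when it reaches that line; the hunk counts (-503,16 +503,6 with ten removed lines) confirm the brace was not deleted. Either drop that line in this commit or squash it with the later patch that adds `setPathToCABundle` and reuses the orphaned brace, so that every commit in the series is runnable and bisectable.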
@@ -526,7 +526,7 @@ confString() { \$ActionResumeRetryCount -1 # infinite retries if host is down #RsyslogGnuTLS -\$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt +\$DefaultNetstreamDriverCAFile $CA_PATH \$ActionSendStreamDriver gtls \$ActionSendStreamDriverMode 1 \$ActionSendStreamDriverAuthMode x509/name @@ -548,7 +548,7 @@ confString() { \$ActionResumeRetryCount -1 # infinite retries if host is down #RsyslogGnuTLS -\$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt +\$DefaultNetstreamDriverCAFile $CA_PATH template(name=\"LogglyFormat\" type=\"string\" From 7f41ed53d601bfe659377cc502f53554dee36e15 Mon Sep 17 00:00:00 2001 From: ondrejrozsypal Date: Mon, 20 Apr 2020 22:56:25 +0200 Subject: [PATCH 05/13] add method for setting path to ca bundle --- Linux Script/configure-linux.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index 1a9250d..24505ec 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -503,9 +503,22 @@ checkAuthTokenAndWriteContents() { fi } +setPathToCABundle () { + case "$LINUX_DIST_IN_LOWER_CASE" in + *"debian"* | *"ubuntu"*) + CA_PATH="/etc/ssl/certs/ca-certificates.crt" + ;; + *"red"* | *"centos"* | *"amazon"*) + CA_PATH="/etc/ssl/certs/ca-bundle.crt" + ;; + *) + logMsgToConfigSysLog "WARN" "WARN: The linux distribution '$LINUX_DIST' has not been previously tested with Loggly. Verify path to CA bundle of your linux distribution in '$RSYSLOG_ETCDIR_CONF' -> '\$DefaultNetstreamDriverCAFile' and restart rsyslog service or re-run script with '--inssecure' attribute. Default path to CA bundle is '$CA_PATH'." + ;; + esac } confString() { + setPathToCABundle RSYSLOG_VERSION_TMP=$(echo $RSYSLOG_VERSION | cut -d "." -f1) inputStr_TLS_RSYS_7=" # ------------------------------------------------------- From 7173fdcd9105765c7505c2f142d9643c4137fa84 Mon Sep 17 00:00:00 2001 
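Review bot: Pointing `$DefaultNetstreamDriverCAFile` at the whole OS bundle instead of the single Loggly CA file widens the set of issuers whose certificates rsyslog will accept for the log host, so the `x509/name` auth mode two lines below is now what keeps the session pinned to the expected host; that only holds if a `$ActionSendStreamDriverPermittedPeer` entry names the host further down in the template, which is outside this hunk and worth confirming. The same substitution is made in the second hunk at line 548. Note also that `$CA_PATH` is expanded when `inputStr_TLS_RSYS_7` is assigned, so the variable must hold its final value before `confString` builds the strings, and at this commit nothing checks that the file exists before the path is written into the config.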
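Review bot: `setPathToCABundle` chooses a path but never verifies it is present, so on a host without the expected bundle the generated config points rsyslog at a missing file and TLS forwarding only fails at runtime; a guard after the `case`, `if [ ! -r "$CA_PATH" ]; then logMsgToConfigSysLog "ERROR" "ERROR: CA file '$CA_PATH' not found or not readable."; exit 1; fi`, would surface that at install time, and the removed `downloadTlsCerts` had an equivalent existence check. The option name in the fallback warning, `'--inssecure'`, looks misspelled; the same string is edited again in patches 10 and 13 and keeps that spelling, so compare it with the flag the script actually parses. The function's closing brace is not part of this hunk — it reuses the `}` left in place when `downloadTlsCerts` was removed — which makes the addition hard to read on its own; adding the brace here and deleting the orphan explicitly would be clearer. `LINUX_DIST_IN_LOWER_CASE` is presumably populated by the distro detection that runs earlier; confirm it is set before `confString` is called, since an empty value silently lands in the default branch.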
From: ondrejrozsypal Date: Tue, 21 Apr 2020 08:56:33 +0200 Subject: [PATCH 06/13] update CA_path comment --- Linux Script/configure-linux.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index 24505ec..f0f7aaa 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -47,7 +47,7 @@ EXISTING_SYSLOG_PORT= HOST_NAME= #this variable will hold the name of the linux distribution LINUX_DIST= -#this variable will hold the path to public root certificates +#this variable will hold the path to CA bundle CA_PATH="/etc/ssl/certs/ca-certificates.crt" #host name for logs-01.loggly.com From 17fe266520cdf3f77e0d4a00c36e9ca4dec8049a Mon Sep 17 00:00:00 2001 From: ondrejrozsypal <40829845+ondrejrozsypal@users.noreply.github.com> Date: Wed, 22 Apr 2020 07:24:51 +0200 Subject: [PATCH 07/13] Update Linux Script/configure-linux.sh Co-Authored-By: Ljancek <44829911+Ljancek@users.noreply.github.com> --- Linux Script/configure-linux.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index f0f7aaa..932a337 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -506,7 +506,7 @@ checkAuthTokenAndWriteContents() { setPathToCABundle () { case "$LINUX_DIST_IN_LOWER_CASE" in *"debian"* | *"ubuntu"*) - CA_PATH="/etc/ssl/certs/ca-certificates.crt" + CA_FILE_PATH="/etc/ssl/certs/ca-certificates.crt" ;; *"red"* | *"centos"* | *"amazon"*) CA_PATH="/etc/ssl/certs/ca-bundle.crt" From 813dac16edc6914bcf8aa16fc9489308334b4891 Mon Sep 17 00:00:00 2001 From: ondrejrozsypal <40829845+ondrejrozsypal@users.noreply.github.com> Date: Wed, 22 Apr 2020 07:24:58 +0200 Subject: [PATCH 08/13] Update Linux Script/configure-linux.sh Co-Authored-By: Ljancek <44829911+Ljancek@users.noreply.github.com> --- Linux Script/configure-linux.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
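Review bot: Renaming `CA_PATH` to `CA_FILE_PATH` one line per commit leaves every intermediate state inconsistent: after this patch the debian/ubuntu branch assigns `CA_FILE_PATH` while the declaration, the red hat branch, the warning text and both `$DefaultNetstreamDriverCAFile` lines still read `CA_PATH`, so the distro-specific value is silently ignored until patch 12 completes the rename (patches 08–12 each move one more occurrence). Squashing the six rename commits into one keeps every commit in the series runnable and bisectable.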
diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index 932a337..3807448 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -48,7 +48,7 @@ HOST_NAME= #this variable will hold the name of the linux distribution LINUX_DIST= #this variable will hold the path to CA bundle -CA_PATH="/etc/ssl/certs/ca-certificates.crt" +CA_FILE_PATH="/etc/ssl/certs/ca-certificates.crt" #host name for logs-01.loggly.com LOGS_01_HOST=logs-01.loggly.com From e162d3e0e05d873424f57200c3b3bd9c3803e32b Mon Sep 17 00:00:00 2001 From: ondrejrozsypal <40829845+ondrejrozsypal@users.noreply.github.com> Date: Wed, 22 Apr 2020 07:25:07 +0200 Subject: [PATCH 09/13] Update Linux Script/configure-linux.sh Co-Authored-By: Ljancek <44829911+Ljancek@users.noreply.github.com> --- Linux Script/configure-linux.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index 3807448..7210e9d 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -509,7 +509,7 @@ setPathToCABundle () { CA_FILE_PATH="/etc/ssl/certs/ca-certificates.crt" ;; *"red"* | *"centos"* | *"amazon"*) - CA_PATH="/etc/ssl/certs/ca-bundle.crt" + CA_FILE_PATH="/etc/ssl/certs/ca-bundle.crt" ;; *) logMsgToConfigSysLog "WARN" "WARN: The linux distribution '$LINUX_DIST' has not been previously tested with Loggly. Verify path to CA bundle of your linux distribution in '$RSYSLOG_ETCDIR_CONF' -> '\$DefaultNetstreamDriverCAFile' and restart rsyslog service or re-run script with '--inssecure' attribute. Default path to CA bundle is '$CA_PATH'." From 7179b76d74f16ca89791083a64c2c62c10478e94 Mon Sep 17 00:00:00 2001 
From: ondrejrozsypal <40829845+ondrejrozsypal@users.noreply.github.com> Date: Wed, 22 Apr 2020 07:25:27 +0200 Subject: [PATCH 10/13] Update Linux Script/configure-linux.sh Co-Authored-By: Ljancek <44829911+Ljancek@users.noreply.github.com> --- Linux Script/configure-linux.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index 7210e9d..f781be5 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -512,7 +512,7 @@ setPathToCABundle () { CA_FILE_PATH="/etc/ssl/certs/ca-bundle.crt" ;; *) - logMsgToConfigSysLog "WARN" "WARN: The linux distribution '$LINUX_DIST' has not been previously tested with Loggly. Verify path to CA bundle of your linux distribution in '$RSYSLOG_ETCDIR_CONF' -> '\$DefaultNetstreamDriverCAFile' and restart rsyslog service or re-run script with '--inssecure' attribute. Default path to CA bundle is '$CA_PATH'." + logMsgToConfigSysLog "WARN" "WARN: The linux distribution '$LINUX_DIST' has not been previously tested with Loggly. Verify path to CA bundle of your linux distribution in '$RSYSLOG_ETCDIR_CONF' -> '\$DefaultNetstreamDriverCAFile' and restart rsyslog service or re-run script with '--inssecure' attribute. Default path to CA bundle is '$CA_FILE_PATH'." ;; esac } From 83ecbd2462fea119bdc9a48b5023dc6d342eed68 Mon Sep 17 00:00:00 2001 From: ondrejrozsypal <40829845+ondrejrozsypal@users.noreply.github.com> Date: Wed, 22 Apr 2020 07:25:35 +0200 Subject: [PATCH 11/13] Update Linux Script/configure-linux.sh Co-Authored-By: Ljancek <44829911+Ljancek@users.noreply.github.com> --- Linux Script/configure-linux.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index f781be5..14fb954 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh 
@@ -539,7 +539,7 @@ confString() { \$ActionResumeRetryCount -1 # infinite retries if host is down #RsyslogGnuTLS -\$DefaultNetstreamDriverCAFile $CA_PATH +\$DefaultNetstreamDriverCAFile $CA_FILE_PATH \$ActionSendStreamDriver gtls \$ActionSendStreamDriverMode 1 \$ActionSendStreamDriverAuthMode x509/name From a2d65d4edfd5d891f8c62df7aca4fd0f31c656fa Mon Sep 17 00:00:00 2001 From: ondrejrozsypal <40829845+ondrejrozsypal@users.noreply.github.com> Date: Wed, 22 Apr 2020 07:25:45 +0200 Subject: [PATCH 12/13] Update Linux Script/configure-linux.sh Co-Authored-By: Ljancek <44829911+Ljancek@users.noreply.github.com> --- Linux Script/configure-linux.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index 14fb954..a01da1d 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh @@ -561,7 +561,7 @@ confString() { \$ActionResumeRetryCount -1 # infinite retries if host is down #RsyslogGnuTLS -\$DefaultNetstreamDriverCAFile $CA_PATH +\$DefaultNetstreamDriverCAFile $CA_FILE_PATH template(name=\"LogglyFormat\" type=\"string\" From d6e5ed40dd921f80d3a76ffa4cd7b64c4a4445d5 Mon Sep 17 00:00:00 2001 From: ondrejrozsypal Date: Wed, 22 Apr 2020 08:22:20 +0200 Subject: [PATCH 13/13] update response --- Linux Script/configure-linux.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Linux Script/configure-linux.sh b/Linux Script/configure-linux.sh index a01da1d..89018cf 100644 --- a/Linux Script/configure-linux.sh +++ b/Linux Script/configure-linux.sh 
@@ -512,7 +512,7 @@ setPathToCABundle () { CA_FILE_PATH="/etc/ssl/certs/ca-bundle.crt" ;; *) - logMsgToConfigSysLog "WARN" "WARN: The linux distribution '$LINUX_DIST' has not been previously tested with Loggly. Verify path to CA bundle of your linux distribution in '$RSYSLOG_ETCDIR_CONF' -> '\$DefaultNetstreamDriverCAFile' and restart rsyslog service or re-run script with '--inssecure' attribute. Default path to CA bundle is '$CA_FILE_PATH'." + logMsgToConfigSysLog "WARN" "WARN: The linux distribution '$LINUX_DIST' has not been previously tested with Loggly. Verify path to the file with root CA certificates (usually stored in OS trust store) in '$RSYSLOG_ETCDIR_CONF' -> '\$DefaultNetstreamDriverCAFile' and restart rsyslog service or re-run script with '--inssecure' attribute. Default path to CA file is '$CA_FILE_PATH'." ;; esac }