diff --git a/roles/float-base/tasks/apt.yml b/roles/float-base/tasks/apt.yml
index 3e69364b4bec02247f55136ce5eb91763e0745c2..41b5ffb680bc10cbf99bae2ac2273d2065e2cb73 100644
--- a/roles/float-base/tasks/apt.yml
+++ b/roles/float-base/tasks/apt.yml
@@ -106,7 +106,6 @@
 - curl
 - lsof
 - cgroups-exporter
- - rsyslog-exporter
 - logcat
 - tabacco
 - restic
@@ -118,7 +117,8 @@
 - gpg
 - firewall
 - rsyslog
- - rsyslog-gnutls
+ - rsyslog-relp
+ - rsyslog-exporter
 - mtail
 - auditd
 - audisp-json
diff --git a/roles/float-base/templates/rsyslog.conf.j2 b/roles/float-base/templates/rsyslog.conf.j2
index fbc831f082bf3b15233ed27f64b69fdbd96ddd5a..492833124c18e0512b357f84cbf0cf24e36bb900 100644
--- a/roles/float-base/templates/rsyslog.conf.j2
+++ b/roles/float-base/templates/rsyslog.conf.j2
@@ -1,9 +1,5 @@
 global(
 maxMessageSize="64k"
- defaultNetstreamDriver="gtls"
- defaultNetstreamDriverCAFile="/etc/credentials/x509/log-client/ca.pem"
- defaultNetstreamDriverCertFile="/etc/credentials/x509/log-client/client/cert.pem"
- defaultNetstreamDriverKeyFile="/etc/credentials/x509/log-client/client/private_key.pem"
 )
 
 module(load="imuxsock"
@@ -25,6 +21,11 @@ module(
 load="omprog"
 )
 
+module(
+ load="omrelp"
+ tls.tlslib="openssl"
+)
+
 ruleset(name="process_stats") {
 action(
 type="omprog"
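Review bot: Dropping `rsyslog-gnutls` from the package list in the second hunk only stops installing it; if this list feeds an `apt` task with `state: present` (the task header is outside the hunk), the package stays installed on hosts that already have it, so an explicit `state: absent` task is needed if the intent is to retire the gtls driver. The `rsyslog-relp` entry that replaces it must bring a librelp built with OpenSSL support, since both new templates in this commit set `tls.tlslib="openssl"`, and that requirement is not recorded anywhere. A comment next to the entry would capture it, e.g. `# RELP transport for log shipping; librelp must have OpenSSL support (tls.tlslib="openssl")`.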
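Review bot: The new omrelp module block selects `tls.tlslib="openssl"` with no comment explaining the choice, and it lands just after the first hunk removes every gtls default from global(), so any other remote action in this template that relied on defaultNetstreamDriver (the rest of the file is outside the hunk) now has no TLS driver configured at all. A one-line comment above the block, `# RELP transport; TLS settings now live on each omrelp action, the global gtls defaults are gone`, would make both facts explicit for the next maintainer.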
@@ -55,15 +56,16 @@ ruleset(name="incoming") {
 action.resumeIntervalMax="30")
 
 # Send everything to remote peer, do not write anything locally.
- action(type="omfwd"
- protocol="tcp"
+ action(type="omrelp"
 target="log-collector.{{ domain }}"
 port="6514"
- StreamDriver="gtls"
- StreamDriverMode="1"
- StreamDriverAuthMode="x509/name"
- StreamDriverPermittedPeers="log-collector.{{ domain }}"
- Keepalive="on"
+ tls="on"
+ tls.compression="on"
+ tls.authmode="certvalid"
+ tls.permittedpeer="log-collector.{{ domain }}"
+ tls.cacert="/etc/credentials/x509/log-client/ca.pem"
+ tls.mycert="/etc/credentials/x509/log-client/client/cert.pem"
+ tls.myprivkey="/etc/credentials/x509/log-client/client/private_key.pem"
 action.resumeRetryCount="-1"
 action.resumeInterval="2"
 action.reportSuspension="on"
diff --git a/roles/float-infra-log-collector/templates/rsyslog-collector.conf.j2 b/roles/float-infra-log-collector/templates/rsyslog-collector.conf.j2
index 42824192e71dafd6f139dead31ba6d8fcf875d5f..a25dcabd7fb76f9d615a5edfef7269093d669df2 100644
--- a/roles/float-infra-log-collector/templates/rsyslog-collector.conf.j2
+++ b/roles/float-infra-log-collector/templates/rsyslog-collector.conf.j2
@@ -1,10 +1,6 @@
 global(
 maxMessageSize="64k"
- defaultNetstreamDriver="gtls"
- defaultNetstreamDriverCAFile="/etc/credentials/x509/log-collector/ca.pem"
- defaultNetstreamDriverCertFile="/etc/credentials/x509/log-collector/server/cert.pem"
- defaultNetstreamDriverKeyFile="/etc/credentials/x509/log-collector/server/private_key.pem"
 )
 
 main_queue(
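Review bot: `tls.authmode="certvalid"` on the new omrelp action weakens peer authentication compared with the `StreamDriverAuthMode="x509/name"` it replaces: in librelp's authmode semantics certvalid only checks that the collector's certificate chains to `tls.cacert`, while the permitted-peer list is applied in `name` or `fingerprint` mode, so the `tls.permittedpeer` line directly below it has no effect and any certificate issued by the same CA, for instance another node's client certificate, would be accepted as the collector. Switching to `tls.authmode="name"` restores the name match against `log-collector.{{ domain }}`; the same applies to the imrelp input in the rsyslog-collector.conf.j2 hunk, where `tls.permittedpeer="*.{{ domain }}"` is likewise inert under certvalid. `tls.compression="on"` also deserves a second look, because log lines mix attacker-influenced text with sensitive records, which is the setting in which TLS-level compression is known to leak, and whether librelp honours the option at all with the OpenSSL backend is not visible here; `tls.compression="off"` is the safer default unless a bandwidth measurement justifies it. The enclosing `ruleset(name="incoming")` starts outside the hunk.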
@@ -293,13 +289,20 @@ ruleset(name="incoming"){
 }
 
 module(
- load="imtcp"
- MaxSessions="500"
- StreamDriver.Name="gtls"
- StreamDriver.Mode="1"
- StreamDriver.AuthMode="x509/name"
- PermittedPeer="*.{{ domain }}"
+ load="imrelp"
+ tls.tlslib="openssl"
 )
-input(type="imtcp" port="6514" ruleset="incoming")
-
+input(
+ type="imrelp"
+ port="6514"
+ maxDataSize="16k"
+ ruleset="incoming"
+ tls="on"
+ tls.compression="on"
+ tls.cacert="/etc/credentials/x509/log-collector/ca.pem"
+ tls.mycert="/etc/credentials/x509/log-collector/server/cert.pem"
+ tls.myprivkey="/etc/credentials/x509/log-collector/server/private_key.pem"
+ tls.permittedpeer="*.{{ domain }}"
+ tls.authmode="certvalid"
+)
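Review bot: `maxDataSize="16k"` on the new imrelp input is far below the `maxMessageSize="64k"` that both templates keep in global(), so a client can emit records up to 64k that the collector then refuses at the RELP layer (whether librelp drops or truncates an oversized frame is not visible here), which loses exactly the long records the 64k setting was meant to preserve. Either align it, `maxDataSize="64k"`, or lower the client limit and record the reason in a comment. The old imtcp input also capped concurrent connections with `MaxSessions="500"` and the replacement carries no equivalent, so a comment should say the limit is dropped on purpose, or a corresponding imrelp limit should be set if the module offers one. The inert `tls.permittedpeer` under `tls.authmode="certvalid"` is raised on the client-side omrelp hunk and applies to this input as well.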