Enabling TLS/SSL for Syslog-NG in CentOS6

The default CentOS6 syslog-ng is not built with ssl/tls support. So, we have to rebuild it with support.
 

Install Dependencies

root# yum -y install wget epel-release eventlog-devel libnet-devel glib2-devel libdbi-devel pcre-devel openssl-devel libtool pkgconfig tcp_wrappers-devel libdbi-dbd-sqlite rpm-build gcc

Get the code

root# wget http://mirrors.syringanetworks.net/fedora-epel/6/SRPMS/Packages/s/syslog-ng-3.2.5-4.el6.src.rpm
root# rpm --force -Uhv syslog-ng*

We have now installed our dependencies, and installed the source rpm for syslog-ng. Don’t let this confuse you, installing a source rpm, and installing an rpm are different. What this does is dump the code in the proper directory structure for you to build it. If you look in ~/rpmbuild, you’ll notice it created some directories and files. Specifically, a spec file, and a source tarball. Using rpmbuild, we wont have to mess with the source directly. We just edit the spec file and tell it what to do.
 

Enable SSL

Lets start by enabling SSL in the ./configure command, and then lets enable the unit tests for it, since we are actually building with it enabled.

root# cd ~/rpmbuild/SPECS
root# sed -i 's/--disable-ssl/--enable-ssl/g' ~/rpmbuild/SPECS/syslog-ng.spec 
root# sed -i 's/^%patch0 -p1$//g' ~/rpmbuild/SPECS/syslog-ng.spec

In case the above is not self explanatory, what we are doing is replacing the string in the spec file. We find disable-ssl and change it to enable-ssl, then we wack patch0 by replacing it with an empty string.
 

Lets build

[root@ip-10-229-138-19 x86_64]# cd ~/rpmbuild/SPECS
[root@ip-10-229-138-19 x86_64]# rpmbuild -bb syslog-ng.spec
< lots of building should happen> 

If all goes well, this will create the binary rpms in ~/rpmbuild/RPMS/x86_64/. Note, CentOS6’s default syslog-ng package is not built with support for TLS as a server or a client. Meaning, you will need to install this rpm on the client machines as well.

[root@ip-10-229-138-19 x86_64]# cd ~/rpmbuild/RPMS/x86_64
[root@ip-10-229-138-19 x86_64]# ls
syslog-ng-3.2.5-4.el6.x86_64.rpm  syslog-ng-debuginfo-3.2.5-4.el6.x86_64.rpm  syslog-ng-devel-3.2.5-4.el6.x86_64.rpm  syslog-ng-libdbi-3.2.5-4.el6.x86_64.rpm
[root@ip-10-229-138-19 x86_64]#

Our build process created a few extra packages as well. We dont need them for setting up encrypted syslog. You should only need to install the one syslog-ng package. Everything else can go.
 

Lets double check our work (Optional)

[root@ip-10-229-138-19 x86_64]# ls
syslog-ng-3.2.5-4.el6.x86_64.rpm  syslog-ng-debuginfo-3.2.5-4.el6.x86_64.rpm  syslog-ng-devel-3.2.5-4.el6.x86_64.rpm  syslog-ng-libdbi-3.2.5-4.el6.x86_64.rpm
[root@ip-10-229-138-19 x86_64]# mkdir test
[root@ip-10-229-138-19 x86_64]# cd test
[root@ip-10-229-138-19 test]# cp ../syslog-ng-3.2.5-4.el6.x86_64.rpm .
[root@ip-10-229-138-19 test]# rpm2cpio syslog-ng-3.2.5-4.el6.x86_64.rpm | cpio -dim
3345 blocks
[root@ip-10-229-138-19 test]# ./sbin/syslog-ng -V | grep SSL
Enable-SSL: on
[root@ip-10-229-138-19 test]# 

As you can see above, I have extracted the rpm, and validated that the binary now has SSL support. Obviously you don’t need to do that, just install the rpm by doing rpm -Uhv syslog-ng-3*rpm.