
@alexandr-san4ez alexandr-san4ez commented Sep 19, 2025

Change summary

Add TLS support for remote syslog by extending the CLI and backend to support configuration of CA certificates, client certificates, keys, and authentication modes.

This update integrates with the PKI subsystem for certificate management, ensures proper validation of protocol settings when TLS is enabled, and generates secure rsyslog configuration for forwarding logs over TLS.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

How to test / Smoketest result

Manual tests:

Step 1. Prepare rsyslog.conf for the test server

$ cat rsyslog.conf
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.crt"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/server.crt"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/server.key"
)
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="x509/certvalid"
)
input(
  type="imtcp"
  port="6514"
)
*.* /var/log/received.log

Step 2. Prepare the rsyslog server using Docker

$ cat Dockerfile
FROM rsyslog/rsyslog
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        rsyslog-gnutls \
        rsyslog-openssl \
        ca-certificates \
        iputils-ping \
        openssl \
    && apt-get clean && \
    rm -rf /var/lib/apt/lists/*
WORKDIR /etc/rsyslog.d
RUN echo Create CA... && \
    openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
        -keyout ca.key -out ca.crt -subj "/CN=TestCA" && \
    echo Generate server key and CSR... && \
    openssl req -nodes -newkey rsa:2048 \
        -keyout server.key -out server.csr -subj "/CN=rsyslog-server" && \
    echo Sign server cert with CA... && \
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out server.crt -days 730 && \
    echo Generate client key and CSR... && \
    openssl req -nodes -newkey rsa:2048 \
        -keyout client.key -out client.csr -subj "/CN=rsyslog-client" && \
    echo Sign client cert with CA... && \
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -out client.crt -days 730
COPY ./rsyslog.conf /etc/rsyslog.conf
EXPOSE 6514
WORKDIR /var/log
RUN touch received.log

Step 3. Build and run rsyslog server

$ docker build -t rsyslog_tls .
$ docker run --rm -d -p 6514:6514 --name rsyslog_tls rsyslog_tls

Step 4. Copy the CA and the generated client certificate for the VyOS instance

$ docker cp rsyslog_tls:/etc/rsyslog.d/ca.crt .
$ docker cp rsyslog_tls:/etc/rsyslog.d/client.crt .
$ docker cp rsyslog_tls:/etc/rsyslog.d/client.key .

Step 5. Configure the VyOS instance using the certificate

configure
set pki ca my-ca certificate "$(tail -n +2 ca.crt | head -n -1 | tr -d '\n')"
set pki certificate syslog-client certificate "$(tail -n +2 client.crt | head -n -1 | tr -d '\n')"
set pki certificate syslog-client private key "$(sudo tail -n +2 client.key | head -n -1 | tr -d '\n')"

set system syslog remote <address> facility all level debug
set system syslog remote <address> port 6514
set system syslog remote <address> protocol tcp
set system syslog remote <address> tls enable
set system syslog remote <address> tls ca-certificate my-ca
set system syslog remote <address> tls certificate syslog-client
set system syslog remote <address> tls auth-mode name
set system syslog remote <address> tls permitted-peers 'rsyslog-server'
commit

Step 6. Verify configuration

# Check status of rsyslog service
vyos@f7f796d88e82# systemctl status rsyslog
* rsyslog.service - System Logging Service
     Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
...

# Send log message from VyOS instance
vyos@f7f796d88e82# logger "Test log message using TLS connection"
vyos@f7f796d88e82# exit

# Read the last log messages using the rsyslog server
$ docker exec -it rsyslog_tls tail -f received.log
...
2025-09-19T15:10:48+00:00 f7f796d88e82 vyos: Test log message using TLS connection
2025-09-19T15:10:48+00:00 f7f796d88e82 vyos[3222]: Test log message using TLS connection

Smoke tests:

root@0a710c06fb73:/vyos/vyos-build# make test MATCH="syslog"
...
DEBUG - Running Testcase: /usr/libexec/vyos/tests/smoke/cli/test_system_syslog.py
DEBUG - test_basic (__main__.TestRSYSLOGService.test_basic) ... ok
DEBUG - test_console (__main__.TestRSYSLOGService.test_console) ... ok
DEBUG - test_remote (__main__.TestRSYSLOGService.test_remote) ... ok
DEBUG - test_remote_tls (__main__.TestRSYSLOGService.test_remote_tls) ... ok
DEBUG - test_vrf_source_address (__main__.TestRSYSLOGService.test_vrf_source_address) ... ok
DEBUG -
DEBUG - ----------------------------------------------------------------------
DEBUG - Ran 5 tests in 28.918s
DEBUG -
DEBUG - OK

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
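As an added example, not the project's own code: a small model of the validate-then-render step the change summary refers to, for the CLI options shown in Step 5. The shape of the `remote` dictionary and the mapping of `auth-mode name` to rsyslog's `x509/name` are assumptions; the `omfwd` parameter names are rsyslog's own.

```python
# Added example (not the VyOS project's own code): a model of the
# validate-then-render step the PR describes, for the CLI options in Step 5.
# The remote dict shape and "auth-mode name" -> "x509/name" are assumptions.

class ConfigError(Exception):
    """Raised when the remote-syslog TLS settings are inconsistent."""

def verify_remote(addr: str, remote: dict) -> None:
    """Reject TLS settings that would fail at runtime or silently weaken security."""
    tls = remote.get('tls')
    if tls is None:
        return
    # gtls is a TCP stream driver; rsyslog cannot run TLS over UDP
    if remote.get('protocol', 'udp') != 'tcp':
        raise ConfigError(f'syslog remote {addr}: TLS requires "protocol tcp"')
    # Without a trust anchor the server certificate cannot be validated at all
    if 'ca-certificate' not in tls:
        raise ConfigError(f'syslog remote {addr}: TLS requires a CA certificate')
    # x509/name without a peer list would accept any certificate the CA issued
    if tls.get('auth-mode') == 'name' and not tls.get('permitted-peers'):
        raise ConfigError(f'syslog remote {addr}: auth-mode name requires permitted-peers')

def render_action(addr: str, remote: dict) -> str:
    """Render one omfwd action; TLS driver parameters appear only when TLS is on."""
    verify_remote(addr, remote)
    params = [
        'type="omfwd"',
        f'target="{addr}"',
        f'port="{remote.get("port", 514)}"',
        f'protocol="{remote.get("protocol", "udp")}"',
    ]
    tls = remote.get('tls')
    if tls is not None:
        params += ['StreamDriver="gtls"', 'StreamDriverMode="1"']
        # x509/name checks the chain AND the peer name; x509/certvalid checks the chain only
        params.append(f'StreamDriverAuthMode="x509/{tls.get("auth-mode", "certvalid")}"')
        if tls.get('permitted-peers'):
            params.append(f'StreamDriverPermittedPeers="{tls["permitted-peers"]}"')
    return 'action(' + ' '.join(params) + ')'

def is_rejected(addr: str, remote: dict) -> bool:
    """True if verify_remote() refuses this remote (handy for tests)."""
    try:
        verify_remote(addr, remote)
    except ConfigError:
        return True
    return False
```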

@github-actions

github-actions bot commented Sep 19, 2025

👍
No issues in PR Title / Commit Title

Contributor

@jestabro jestabro left a comment


This is nice work, easily tested thanks to the comprehensive instructions. Manual test and smoketests success confirmed.

Member

@dmbaturin dmbaturin left a comment


I agree with the idea, my quick test worked, and I see no issues in the code.

@github-actions

CI integration 👍 passed!

Details

CI logs

  • CLI Smoketests (no interfaces) 👍 passed
  • CLI Smoketests VPP 👍 passed
  • CLI Smoketests (interfaces only) 👍 passed
  • Config tests 👍 passed
  • Config tests VPP 👍 passed
  • RAID1 tests 👍 passed
  • TPM tests 👍 passed

@jestabro jestabro merged commit 31f8bd8 into vyos:current Oct 1, 2025
16 checks passed
@vyosbot vyosbot added the mirror-completed label and removed the mirror-initiated label (This PR initiated for mirror sync workflow) Oct 1, 2025