
configure TLS for fundraising syslog collection
Closed, Resolved · Public

Event Timeline

Jgreen created this task · Aug 15 2016, 2:13 PM
Restricted Application added a subscriber: Aklapper · Aug 15 2016, 2:13 PM
Jgreen triaged this task as Medium priority · Sep 23 2016, 2:27 PM

note that firewall access is added with this commit:

commit 75a8183fa45b36339660cbde6deaa67f7de3112f
Author: The Root <root@boron.frack.eqiad.wmnet>
Date: Tue Jan 24 19:58:15 2017 +0000

iptables/pfw policies for SIEM testing (T156146) and for syslog-over-tls 6514/tcp

I was going to do this by switching the existing 10514/tcp listener from imtcp to imptcp, and enabling imtcp on 6514/tcp with gtls. But indium is still Precise and the ancient rsyslog release doesn't support imptcp. So I think it's simplest to defer this task until we deploy indium's replacement.
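
The listener split described in the comment above, sketched as an added example (not part of the task or of the fundraising puppet code). It assumes a current rsyslog v8 with RainerScript syntax; the file paths and host names are placeholders.

```conf
# Added example. Paths and names below are placeholders, not values from the task.

# --- Collector (server) ---
# TLS material issued by the internal-use CA
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog/tls/collector-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog/tls/collector-key.pem"
)

# imtcp carries the TLS listener. The stream driver settings are given at
# module level, so the plaintext listener is kept off this module.
# Mode 1 = TLS only; x509/name = the client must present a certificate that
# chains to the CA and whose name matches PermittedPeer.
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["*.example.internal"]
)
input(type="imtcp" port="6514")

# Legacy plaintext listener moved to imptcp; remove it (and its firewall
# rule) once every client forwards over 6514/tcp.
module(load="imptcp")
input(type="imptcp" port="10514")

# --- Client (separate host, separate config file) ---
# The client needs its own global() block with the same CA file and its own
# certificate and key, then forwards over TLS and verifies the collector name.
action(
  type="omfwd"
  target="collector.example.internal"
  port="6514"
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  StreamDriverPermittedPeers="collector.example.internal"
)
```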

Jgreen added a comment · Feb 1 2017, 7:39 PM

also this requires a new internal use CA and certs, and we'll need to monitor for cert expiration

this is done

Jgreen closed this task as Resolved · Feb 14 2017, 4:55 PM
Jgreen added a comment · Mar 6 2017, 3:38 PM

pfw/iptables policies to remove 10514/tcp (fundraising private puppet):

commit 8e403abe1e552b078d217479c9f48ed23d892380
Author: Jeff Green <jgreen@wikimedia.org>
Date: Mon Mar 6 15:32:57 2017 +0000

iptables and pfw policies for replacement hosts, remove deprecated 10514/tcp

Bug: T142994,T145107,T145110,T145116