finalized tutorial for creating a TLS-secured syslog infrastructure

1 files changed, 105 insertions, 0 deletions

diff --git a/doc/tls_cert_udp_relay.html b/doc/tls_cert_udp_relay.html
new file mode 100644
index 00000000..f4740ce7
--- /dev/null
+++ b/doc/tls_cert_udp_relay.html
@@ -0,0 +1,105 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>TLS-protected syslog: UDP relay setup</title>
+</head>
+<body>
+
+<h1>Encrypting Syslog Traffic with TLS (SSL)</h1>
+<p><small><i>Written by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer
+Gerhards</a> (2008-07-03)</i></small></p>
+
+<ul>
+<li><a href="rsyslog_secure_tls.html">Overview</a>
+<li><a href="tls_cert_scenario.html">Sample Scenario</a>
+<li><a href="tls_cert_ca.html">Setting up the CA</a>
+<li><a href="tls_cert_machine.html">Generating Machine Certificates</a>
+<li><a href="tls_cert_server.html">Setting up the Central Server</a>
+<li><a href="tls_cert_client.html">Setting up syslog Clients</a>
+<li><a href="tls_cert_udp_relay.html">Setting up the UDP syslog relay</a>
+<li><a href="tls_cert_summary.html">Wrapping it all up</a>
+</ul>
+
+<h3>Setting up the UDP syslog relay</h3>
+<p>In this step, we configure the UDP relay ada.example.net. 
+As a reminder, that machine relays messages from a local router, which only 
+supports UDP syslog, to the central syslog server. The router does not talk
+directly to it, because we would like to have TLS protection for its sensitve
+logs. If the router and the syslog relay are on a sufficiently secure private
+network, this setup can be considered reasonable secure. In any case, it is the
+best alternative among the possible configuration scenarios.
+<span style="float: left">
+<script type="text/javascript"><!--
+google_ad_client = "pub-3204610807458280";
+/* rsyslog doc inline */
+google_ad_slot = "5958614527";
+google_ad_width = 125;
+google_ad_height = 125;
+//-->
+</script>
+<script type="text/javascript"
+src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
+</script>
+</span>
+<p><center><img src="tls_cert_100.jpg"></center>
+<p>Steps to do:
+<ul>
+<li>make sure you have a functional CA (<a href="tls_cert_ca.html">Setting up the CA</a>)
+<li>generate a machine certificate for ada.example.net (follow instructions in
+    <a href="tls_cert_machine.html">Generating Machine Certificates</a>)
+<li>make sure you copy over ca.pem, machine-key.pem ad machine-cert.pem to the client.
+Ensure that no user except root can access them (<b>even read permissions are really bad</b>).
+<li>configure the client so that it checks the server identity and sends messages only
+if the server identity is known.
+</ul>
+<p>These were essentially the same steps as for any
+<a href="tls_cert_client.html">TLS syslog client</a>. We now need to add the
+capability to forward the router logs:
+<ul>
+<li>make sure that the firewall rules permit message recpetion on UDP port 514 (if you use
+a non-standard port for UDP syslog, make sure that port number is permitted).
+<li>you may want to limit who can send syslog messages via UDP. A great place to do this
+is inside the firewall, but you can also do it in rsyslog.conf via an $AllowedSender
+directive. We have used one in the sample config below. Please be aware that this is
+a kind of weak authentication, but definitely better than nothing...
+<li>add the UDP input plugin to rsyslog's config and start a UDP listener
+<li>make sure that your forwarding-filter permits to forward messages received
+from the remote router to the server. In our sample scenario, we do not need to
+add anything special, because all messages are forwarded. This includes messages
+received from remote hosts.
+</ul>
+<p><b>At this point, please be reminded once again that your security needs may be quite different from
+what we assume in this tutorial. Evaluate your options based on your security needs.</b>
+<h3>Sample syslog.conf</h3>
+<p>Keep in mind that this rsyslog.conf sends messages via TCP, only. Also, we do not
+show any rules to write local files. Feel free to add them.
+<code><pre>
+# start a UDP listener for the remote router
+$ModLoad imudp    # load UDP server plugin
+$AllowedSender UDP, 192.0.2.1 # permit only the router
+$UDPServerRun 514 # listen on default syslog UDP port 514
+
+# make gtls driver the default
+$DefaultNetstreamDriver gtls
+
+# certificate files
+$DefaultNetstreamDriverCAFile /rsyslog/protected/ca.pem
+$DefaultNetstreamDriverCertFile /rsyslog/protected/machine-cert.pem
+$DefaultNetstreamDriverKeyFile /rsyslog/protected/machine-key.pem
+
+$ActionSendStreamDriverAuthMode x509/name
+$ActionSendStreamDriverPermittedPeer central.example.net
+$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
+*.* @@central.example.net:10514 # forward everything to remote server
+</pre></code>
+<p><font color="red"><b>Be sure to safeguard at least the private key (machine-key.pem)!</b>
+If some third party obtains it, you security is broken!</font>
+<h2>Copyright</h2>
+<p>Copyright &copy; 2008 <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer
+Gerhards</a> and
+<a href="http://www.adiscon.com/en/">Adiscon</a>.</p>
+<p> Permission is granted to copy, distribute and/or modify this
+document under the terms of the GNU Free Documentation License, Version
+1.2 or any later version published by the Free Software Foundation;
+with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
+Texts. A copy of the license can be viewed at
+<a href="http://www.gnu.org/copyleft/fdl.html">http://www.gnu.org/copyleft/fdl.html</a>.</p>
+</body></html>