diff options
| -rw-r--r-- | ChangeLog | 1 | ||||
| -rw-r--r-- | doc/gssapi.html | 118 | ||||
| -rw-r--r-- | doc/gssapi.png | bin | 0 -> 35638 bytes | |||
| -rw-r--r-- | doc/manual.html | 11 |
4 files changed, 124 insertions, 6 deletions
@@ -4,6 +4,7 @@ Version 3.14.3 (rgerhards), 2008-04-?? could not lead to a segfault, as snprintf() was used, but could cause some trouble with extensively long hostnames. - applied patch from Tiziano Müller to remove some compiler warnings +- added gssapi overview/howto thanks to Peter Vrabec --------------------------------------------------------------------------- Version 3.14.2 (rgerhards), 2008-04-09 - bugfix: segfault with expression-based filters diff --git a/doc/gssapi.html b/doc/gssapi.html new file mode 100644 index 00000000..400be4a3 --- /dev/null +++ b/doc/gssapi.html @@ -0,0 +1,118 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<html><head><title>GSSAPI module support in rsyslog v3</title> + +</head> +<body> +<h1>GSSAPI module support in rsyslog v3</h1> +<p style="font-weight: bold;">What is it good for.</p> +<ul style="margin-left: 1.25cm;"> +<li> +client-serverauthentication </li> +<li> +Log +messages encryption </li> +</ul> +<p class="P5"> </p> +<p class="P3"><span style="font-weight: bold;">Requirements.</span> +</p> +<ul> +<li>Kerberos infrastructure</li> +<li>rsyslog, rsyslog-gssapi</li> +</ul> +<p> </p> +<p><span style="font-weight: bold;">Configuration.</span> +</p> +<p>Let's assume there are 3 machines in kerberos Realm: </p> +<ul> +<li>the +first is running KDC (Kerberos Authentication Service and Key +Distribution Center),</li> +<li>the second is a client sending its logs to the server,</li> +<li>the third is receiver, gathering all logs.</li> +</ul> +<p class="P7"> </p> +<p class="P10"><span style="font-style: italic;">1. +KDC:</span> </p> +<ul> +<li>Kerberos +database must be properly set-up on KDC machine first. Use +kadmin/kadmin.local to do that. Two principals need to be add in our +case:</li> +</ul> +<ol style="margin-left: 1.25cm; list-style-type: decimal;"> +<li> +<p>sender@REALM.ORG +</p> +</li> +</ol> +<ul> +<li>client must have ticket for pricipal sender</li> +<li>REALM.ORG is kerberos Realm</li> +</ul> +<ol style="margin-left: 1.25cm; list-style-type: decimal;"> +<li>host/receiver.mydomain.com@REALM.ORG - service principal</li> +</ol> +<ul> +<li>Use ktadd to export service principal and transfer it to +/etc/krb5.keytab +on receiver </li> +</ul> +<p><span style="font-style: italic;">2. CLIENT:</span> +</p> +<ul> +<li>set-up rsyslog, in /etc/rsyslog.conf</li> +<li>$ModLoad omgssapi.so - load output gss module </li> +<li>$GSSForwardServiceName +otherThanHost - set the name of service principal, "host" is the +default one</li> +<li>*.* :omgssapi:receiver.mydomain.com - action line, forward +logs to receiver</li> +<li>kinit root - get the TGT ticket</li> +<li>service rsyslog start +<p class="P14" style="margin-left: 0.25cm;"> </p> +</li> +</ul> +<p><span style="font-style: italic;">3. SERVER:</span> +</p> +<ul> +<li class="P14" style="margin-left: 0cm;"> +<p class="P14" style="margin-left: 0.25cm;">set-up +rsyslog, in /etc/rsyslog.conf </p> +</li> +<li class="P16"> +<p class="P16" style="margin-left: 0.25cm;">$ModLoad +<a href="imgssapi.html">imgssapi.so</a> - load input gss module </p> +</li> +<li class="P16"> +<p class="P16" style="margin-left: 0.25cm;">$InputGSSServerServiceName +otherThanHost - set the name of service principal, "host" is the +default one </p> +</li> +<li class="P16"> +<p class="P16" style="margin-left: 0.25cm;">$InputGSSServerPermitPlainTCP +on - accept GSS and TCP connections (not authenticated senders), off by +default </p> +</li> +<li class="P16"> +<p class="P16" style="margin-left: 0.25cm;">$InputGSSServerRun +514 - run server on port </p> +</li> +<li class="P14" style="margin-left: 0cm;"> +<p class="P14" style="margin-left: 0.25cm;">service +rsyslog start </p> +</li> +</ul> +<span style="font-weight: bold;">The picture demonstrate +how things work.</span> +<p class="P18"> </p> +<img src="gssapi.png" alt="rsyslog gssapi support"> +<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>] +[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> +<p><font size="2">This documentation is part of the +<a href="http://www.rsyslog.com/">rsyslog</a> +project.<br> +Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer +Gerhards</a> and +<a href="http://www.adiscon.com/">Adiscon</a>. +Released under the GNU GPL version 3 or higher.</font></p> +</body></html>
\ No newline at end of file diff --git a/doc/gssapi.png b/doc/gssapi.png Binary files differnew file mode 100644 index 00000000..c82baa52 --- /dev/null +++ b/doc/gssapi.png diff --git a/doc/manual.html b/doc/manual.html index 9d4dbefd..8bdee8b7 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -1,6 +1,5 @@ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html><head><title>rsyslog documentation</title> -</head> +<html><head><title>rsyslog documentation</title></head> <body> <h1>RSyslog - Documentation</h1> <p><b><a href="http://www.rsyslog.com/">Rsyslog</a> @@ -18,9 +17,9 @@ novice user. And as we know what enterprise users really need, there is also <a href="professional_support.html">professional rsyslog support</a> available directly from the source!</p> <p><b>This documentation is for version 3.14.2 of rsyslog.</b> -Visit the <i> <a href="http://www.rsyslog.com/doc-status.html">rsyslog status page</a></i></b> to obtain current +Visit the <i> <a href="http://www.rsyslog.com/doc-status.html">rsyslog status page</a></i> to obtain current version information and project status. -<p><b>If you like rsyslog, you might +</p><p><b>If you like rsyslog, you might want to lend us a helping hand. </b>It doesn't require a lot of time - even a single mouse click helps. Learn <a href="how2help.html">how to help the rsyslog project</a>. Due to popular demand, there is now a <a href="rsyslog_ng_comparison.html">side-by-side comparison @@ -64,7 +63,7 @@ php-syslog-ng with rsyslog</a></li> <li><a href="rsyslog_recording_pri.html">recording the syslog priority (severity and facility) to the log file</a></li> <li><a href="http://www.rsyslog.com/Article19.phtml">preserving -syslog sender over NAT</a> (online only)</li> +syslog sender over NAT</a> (online only)</li><li><a href="gssapi.html">an overview and howto of rsyslog gssapi support</a></li> <li><a href="debug.html">debug support in rsyslog</a></li> <li><a href="dev_queue.html">the rsyslog message queue object</a></li> @@ -100,4 +99,4 @@ may find <a href="http://www.gerhards.net/rainer">Rainer</a>'s <a href="http://rgerhards.blogspot.com/">blog</a> an interesting read (filter on syslog and rsyslog tags).</p> -</body></html> +</body></html>
\ No newline at end of file |
