blob: 8e003bc8e5e7429e4d68be705fe532bd86717215 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title>TLS-protected syslog: Summary</title>
</head>
<body>
<h1>Encrypting Syslog Traffic with TLS (SSL)</h1>
<p><small><i>Written by <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer
Gerhards</a> (2008-07-03)</i></small></p>
<ul>
<li><a href="rsyslog_secure_tls.html">Overview</a>
<li><a href="tls_cert_scenario.html">Sample Scenario</a>
<li><a href="tls_cert_ca.html">Setting up the CA</a>
<li><a href="tls_cert_machine.html">Generating Machine Certificates</a>
<li><a href="tls_cert_server.html">Setting up the Central Server</a>
<li><a href="tls_cert_client.html">Setting up syslog Clients</a>
<li><a href="tls_cert_udp_relay.html">Setting up the UDP syslog relay</a>
<li><a href="tls_cert_summary.html">Wrapping it all up</a>
</ul>
<h3>Summary</h3>
<p>If you followed the steps outlined in this documentation set, you now have
<span style="float: left">
<script type="text/javascript"><!--
google_ad_client = "pub-3204610807458280";
/* rsyslog doc inline */
google_ad_slot = "5958614527";
google_ad_width = 125;
google_ad_height = 125;
//-->
</script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>
</span>
a reasonable (for most needs) secure setup for the following environment:
<center><img src="tls_cert_100.jpg"></center>
<p>You have learned about the security decisions involved and which we
made in this example. <b>Be once again reminded that you must make sure yourself
that whatever you do matches your security needs!</b> There is no guarantee that
what we generally find useful actually is. It may even be totally unsuitable for
your environment.
<p>In the example, we created a rsyslog certificate authority (CA). Guard the CA's
files. You need them whenever you need to create a new machine certificate. We also saw how
to generate the machine certificates themselfs and distribute them to the individual
machines. Also, you have found some configuration samples for a sever, a client and
a syslog relay. Hopefully, this will enable you to set up a similar system in many
environments.
<p>Please be warned that you defined some expiration dates for the certificates.
After they are reached, the certificates are no longer valid and rsyslog will NOT
accept them. At that point, syslog messages will no longer be transmitted (and rsyslogd
will heavily begin to complain). So it is a good idea to make sure that you renew the
certificates before they expire. Recording a reminder somewhere is probably a good
idea.
<p>If you have any more questions, please visit the <a href="http://kb.monitorware.com/rsyslog-f40.html">rsyslog forum</a> and simply ask ;)
<h2>Copyright</h2>
<p>Copyright (c) 2008 <a href="http://www.adiscon.com/en/people/rainer-gerhards.php">Rainer
Gerhards</a> and
<a href="http://www.adiscon.com/en/">Adiscon</a>.</p>
<p> Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license can be viewed at
<a href="http://www.gnu.org/copyleft/fdl.html">http://www.gnu.org/copyleft/fdl.html</a>.</p>
</body></html>
|
