>> I was thinking of copying logs via ssh to a central storage.
>
> Note that any old syslogd can forward syslog msgs to a central log host,
> and NetBSD even supports to do that TLS-encrypted:
>
> *.err @[my.log.collector](fingerprint="SHA1:01:02:...")

That's great to know!

However, having looked at syslog.conf(5), am I alone in thinking that the documentation of the TLS feature in syslog / syslogd has too many loose ends to effectively "on-board" new users of the TLS feature, especially if this is your first encounter with x509 certs, as contrasted by "of course everyone is already fully on-board with using x509 cert generation stuff of openssl", which I think is quite a stretch.

As one example: "where should I get the TLS fingerprint value from?"

Also, the man page does not provide any pointers to other relevant man pages or documentation, other than syslog(3) and syslogd(8), and neither of those man pages does anything to explain anything of the TLS feature any further.

Best regards,

- Håvard
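
On the "where should I get the TLS fingerprint value from?" question, the following is an added example, not part of the original message or of NetBSD's documentation. It assumes the value is the SHA-1 digest of the collector's DER-encoded certificate (the same bytes `openssl x509 -noout -fingerprint -sha1` hashes); the function names and the sample PEM are constructed for illustration.

```python
import base64
import hashlib
import re

# Constructed placeholder, NOT a real certificate: the body is base64 of b"abc".
# In practice this would be the log collector's certificate in PEM form.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the raw DER bytes of the first CERTIFICATE block."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())        # drop line breaks and padding spaces
    der = base64.b64decode(body, validate=True)
    if not der:
        raise ValueError("empty CERTIFICATE block")
    return der


def fingerprint(pem_text):
    """Format the SHA-1 digest of the DER bytes as SHA1:XX:XX:...

    Assumption: this matches what syslogd compares against.
    """
    digest = hashlib.sha1(pem_to_der(pem_text)).digest()
    return "SHA1:" + ":".join("%02X" % b for b in digest)


def forward_rule(selector, host, pem_text):
    """Build a syslog.conf line in the form quoted in the message above."""
    return '%s @[%s](fingerprint="%s")' % (selector, host, fingerprint(pem_text))


if __name__ == "__main__":
    print(forward_rule("*.err", "my.log.collector", SAMPLE_PEM))
```

The fingerprint pins one specific certificate, so it has to be recomputed and the rule updated whenever the collector's certificate is replaced.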