> -----Original Message-----
> From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Gavin McDonald
> Sent: Friday, June 11, 2010 8:25 PM
> To: rsyslog-users
> Subject: Re: [rsyslog] rsyslog TLS question
>
> On Fri, Jun 11, 2010 at 5:54 AM, Rainer Gerhards
> <[email protected]> wrote:
>
> > > -----Original Message-----
> > > From: [email protected] [mailto:rsyslog-[email protected]] On Behalf Of Gavin McDonald
> > > Sent: Friday, June 11, 2010 10:24 AM
> > > To: [email protected]
> > > Subject: [rsyslog] rsyslog TLS question
> >
> > Well, the certificate is the machine's ID. So if you share certificates
> > among different machines, you never know which machine you are talking to.
> >
> > It now depends on your security requirement if that is a problem or not.
> > If it is sufficient to know that the peer you are talking to is one of
> > those that you manage, everything is fine. If you need to set finer-grained
> > permissions, you can probably not take this route.
> >
>
> From a permissions standpoint, it is enough to know that I can 'trust' the
> log source to be one of my machines, and not spoofed data. My one concern
> is when you say that I will "never know which machine [I am] talking to."
> You mean this only from an authentication perspective, correct?

Yes, that's right -- it has no effect on the actual message (and thus on the hostname inside it). :)

Rainer

> I can handle that - but I need (would like) to know the identity of the
> source host for log analytics once they are collected.
>
> You do also state that "It does not affect the hostname as given inside the
> message," so I think the above assumption is correct, I just don't want to
> get caught out on an assumption. (you know what they say...) :)
>
> Thanks again for your time on this,
>
> -G
>
> Gavin McDonald.
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com
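
Added example, not part of the original thread or the rsyslog project's own material: a collector-side `rsyslog.conf` fragment in legacy directive syntax that contrasts the shared-certificate case discussed above (`x509/certvalid`) with per-host certificates (`x509/name`), and logs the connection address next to the hostname taken from the message. All file paths, the port, the peer names and the template name are assumed placeholders.

```conf
# Added example: collector-side rsyslog.conf fragment (legacy syntax).
# Paths, port, peer names and the template name are assumptions.

# TLS network stream driver and the collector's own credentials
$DefaultNetstreamDriver gtls
# assumed path: CA that signed the client certificate(s)
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
# assumed paths: collector certificate and private key
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/collector-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/collector-key.pem

$ModLoad imtcp
# TLS-only listener
$InputTCPServerStreamDriverMode 1

# Case A: one certificate shared by all senders.
# The collector checks only that the peer certificate chains to the CA.
# That proves "one of my machines", not which one.
$InputTCPServerStreamDriverAuthMode x509/certvalid

# Case B: one certificate per sender (use instead of Case A).
# The subject name in the certificate must match a permitted peer,
# so the TLS layer identifies the individual machine.
#$InputTCPServerStreamDriverAuthMode x509/name
#$InputTCPServerStreamDriverPermittedPeer web01.example.net
#$InputTCPServerStreamDriverPermittedPeer *.db.example.net

# Directives above must precede the listener start (assumed port)
$InputTCPServerRun 10514

# Record both identities for analytics:
#   %fromhost-ip% - address of the TCP peer that delivered the message
#   %hostname%    - hostname field carried inside the syslog message
# In Case A the TLS layer does not vouch for %hostname%.
$template PeerAndMsgHost,"%timegenerated% peer=%fromhost-ip% msghost=%hostname% %syslogtag%%msg%\n"
*.* /var/log/remote-tls.log;PeerAndMsgHost
```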

