Hi, I'll answer inline.
2013/10/18 masoom alam <[email protected]>
> Hi Radu and David,
>
> Thanks for the suggestion regarding transporting logs between RSYSLOG and
> RSYSLOG and then storage into ElasticSearch (ES). However, what about the
> signing feature: does Jetty provide signing of individual messages that
> are going to be stored in ES?
>

I don't know, really, I've never actually signed messages with rsyslog or ES.

> Secondly, do we need to write a custom module for Kibana for visualizing
> the verification of signatures for individual messages?

I would assume that the signature verification is done before indexing the
documents in ES. If that's the case, Kibana would only deal with "signed"
data, the rest being discarded. Again, I'm not familiar with this, maybe
others can help.

> To give an example, consider a client that may want to verify, through
> Kibana, whether a particular log message was generated on its premises and
> whether it is unaltered or not. In this regard, what about the PKI
> infrastructure required? I mean, private keys should reside at the client
> side for signing messages. The ambiguity for me in this scenario is that ES
> is at our side. If signature means hash only, how can the client verify
> that the log message was not altered at our side?
>

I think we need to separate the encryption from the signing part. Here's
"the" reference: http://www.rsyslog.com/doc/rsyslog_tls.html

If simply encrypting is enough of a guarantee for you that messages are not
modified between the first rsyslog instance and ES, then the architecture is
pretty straightforward:

app --> local rsyslog --TLS--> remote rsyslog --http://localhost--> ES --> Kibana

Between the two rsyslog instances you might want to put additional ones (I
prefer fewer layers, but maybe you don't :p). As long as you communicate via
TLS you should be fine.

If you need additional signing, then I guess you're referring to this:
http://www.rsyslog.com/how-to-sign-log-messages-through-signature-provider-guardtime/
which, as David said, currently works only with files. In order to make that
work in your use case, you might want to contribute or sponsor signing for
omelasticsearch, or maybe as a message-modifying module. I don't know which
is the best, because it's beyond my knowledge of rsyslog internals. A message
modifier, if feasible, should work with all output modules.

A low-tech alternative would be to simply write those signed messages to
files on the disk of the ES nodes, and have something process those files
and index their content. Rsyslog should be able to do it, via imfile and
omelasticsearch. If not, there are other tools such as Logstash or Fluentd
which should be able to do the trick with regular expressions.

Best regards,
Radu
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
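The thread above leaves two things open: what a "verify before indexing" gate would look like, and why a plain hash does not answer the "ES is at our side" question. The following Go program is an added illustration written for this page; it is not code from the thread, from rsyslog, or from the Guardtime signature provider, and the line format it uses (`<syslog line> sig=<base64 Ed25519 signature>`) is an assumption made for the example, not a format any of those tools emit. The client keeps its Ed25519 private key and signs each line (this is what a message-modifying module on the client's rsyslog would do); the ES side holds only the public key and runs `FilterForIndexing` over the received lines before anything is handed to omelasticsearch, so Kibana only ever sees lines whose signature verified. An unkeyed hash cannot give this guarantee, because whoever alters the line can recompute the hash; a signature can only be produced with the private key that never leaves the client. The sample log lines are constructed, not real logs.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// sigSep is the assumed, illustrative tag that carries the signature at the
// end of each syslog line: "<original line> sig=<base64 Ed25519 signature>".
const sigSep = " sig="

// NewClientKey generates the client's Ed25519 key pair. The private key stays
// on the client (where the local rsyslog runs); only the public key is shipped
// to the side that indexes into ES.
func NewClientKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a crypto/rand failure is not recoverable here
	}
	return pub, priv
}

// SignLine signs the raw line bytes with the client's private key and appends
// the signature. The signed bytes are exactly what VerifyLine checks later.
func SignLine(priv ed25519.PrivateKey, line string) string {
	sig := ed25519.Sign(priv, []byte(line))
	return line + sigSep + base64.StdEncoding.EncodeToString(sig)
}

// VerifyLine splits a tagged line and verifies the signature against pub.
// It returns the original message and true only if the signature is valid.
func VerifyLine(pub ed25519.PublicKey, tagged string) (string, bool) {
	i := strings.LastIndex(tagged, sigSep)
	if i < 0 {
		return "", false // unsigned line
	}
	msg, encoded := tagged[:i], tagged[i+len(sigSep):]
	sig, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return "", false // malformed signature field
	}
	if !ed25519.Verify(pub, []byte(msg), sig) {
		return "", false // altered message or wrong key
	}
	return msg, true
}

// FilterForIndexing is the gate in front of ES: it returns only the messages
// whose signature verifies and counts everything else as rejected, so Kibana
// never sees an unsigned or altered line.
func FilterForIndexing(pub ed25519.PublicKey, input string) (accepted []string, rejected int) {
	sc := bufio.NewScanner(strings.NewReader(input))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			continue
		}
		if msg, ok := VerifyLine(pub, line); ok {
			accepted = append(accepted, msg)
		} else {
			rejected++
		}
	}
	return accepted, rejected
}

func main() {
	pub, priv := NewClientKey()

	// Constructed sample lines, not real logs.
	lines := []string{
		SignLine(priv, "<14>Oct 18 10:00:01 host app: login ok user=alice"),
		SignLine(priv, "<14>Oct 18 10:00:02 host app: login failed user=bob"),
		"<14>Oct 18 10:00:03 host app: unsigned line",
	}
	// Simulate alteration on the ES side: the message changes, the signature does not.
	lines[1] = strings.Replace(lines[1], "failed", "ok", 1)

	accepted, rejected := FilterForIndexing(pub, strings.Join(lines, "\n"))
	fmt.Printf("accepted=%d rejected=%d\n", len(accepted), rejected)
	for _, m := range accepted {
		fmt.Println("index:", m)
	}
}
```

Running it accepts the first line and rejects the tampered and unsigned ones. What this gate gives you is per-line integrity and origin: nobody without the client's private key, the ES operator included, can produce a line that passes. What it does not give you is completeness: a line that is dropped entirely leaves no invalid signature behind, which is a separate problem from the per-message alteration the thread asks about.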

