Rainer, thanks for the explanation and the blog link. Really awesome stuff.
And I just came here to share a thread from the Logstash mailing list about Kibana and authentication: https://groups.google.com/forum/#!searchin/logstash-users/kibana3/logstash-users/jH4MzYcsguc/PZTbHCevTogJ

Now my brain is kind of baked with all this new info. Maybe it's because it's Friday :p

2013/10/18 Rainer Gerhards <[email protected]>

> On Fri, Oct 18, 2013 at 1:17 PM, Radu Gheorghe <[email protected]> wrote:
>
> > If you need additional signing, then I guess you're referring to this:
> > http://www.rsyslog.com/how-to-sign-log-messages-through-signature-provider-guardtime/
> > which, as David said, currently works only with files. In order to make
> > that work in your use case, you might want to contribute or sponsor signing
> > for omelasticsearch, or maybe as a message modifying module. I don't know
> > which is the best, because it's beyond my knowledge of rsyslog internals. A
> > message modifier, if feasible, should work with all output modules.
> >
> > Crypto is always tricky ;)
>
> Creating a generic "signature module" that you put into the middle of the
> processing chain is very dangerous and most probably does not lead to the
> desired results. That's the prime reason I have not done this.
>
> If you sign messages for real security, you want to make sure that
>
> a) the message itself is authentic
> b) there is no message missing inside the message stream
> c) there has no additional message been inserted into the message stream
>
> Note that doing a) is entangled with b+c, as we have very short messages to
> deal with, so the collision resistance of a single message is not very high
> (e.g. you can brute-force hashes). Doing real signatures for single
> messages is far too expensive - both computationally too intense and requires
> too much space (avg syslog message is ~80 bytes, avg signature 1.5k).
>
> If you now place a signer into the middle of the chain, you must ensure
> that the full signature stream is received at *each* output and nothing is
> reordered (e.g. udp). In short, tons of things that you can misconfigure.
> And then you still have the problem of local compromise, even by a
> malicious admin. And this is just scratching on the issues that exist ;)
>
> Some more background can be found here:
> http://blog.gerhards.net/2013/05/rsyslogs-first-signature-provider-why.html
>
> Rainer
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> DON'T LIKE THAT.
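An added example, not rsyslog's code and not the GuardTime provider's actual scheme: a keyed hash chain in Python over a constructed syslog stream, showing how the three properties Rainer lists (a) authentic, b) nothing missing, c) nothing inserted) plus ordering are checked, and why truncation at the end of the stream is only caught when the verifier holds a trusted final link. The key, sample messages and link layout are assumptions for illustration.

```python
import hashlib
import hmac
# Constructed sample stream (not real log data), kept to ~80-byte syslog lines.
MESSAGES = [
    b"<34>Oct 18 13:17:01 host sshd[123]: Accepted publickey for alice",
    b"<34>Oct 18 13:17:05 host sshd[124]: Failed password for root",
    b"<86>Oct 18 13:17:09 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
]
SEED = b"\x00" * 32  # the link value "before" the first message

def _link(key, prev, idx, msg):
    # Each link commits to the previous link, the position and the message text.
    return hmac.new(key, prev + idx.to_bytes(8, "big") + msg, hashlib.sha256).digest()

def chain_stream(messages, key):
    """Return [(message, link), ...]; only the final link needs a real signature."""
    prev, out = SEED, []
    for idx, msg in enumerate(messages):
        prev = _link(key, prev, idx, msg)
        out.append((msg, prev))
    return out

def verify_stream(entries, key, expected_tail=None):
    """Recompute the chain; return (ok, index of first bad entry or None). expected_tail
    is a trusted final link (e.g. signed checkpoint); without it, trailing cuts pass."""
    prev = SEED
    for idx, (msg, link) in enumerate(entries):
        if not hmac.compare_digest(_link(key, prev, idx, msg), link):
            return False, idx
        prev = link
    if expected_tail is not None and not hmac.compare_digest(prev, expected_tail):
        return False, len(entries)
    return True, None

def tamper_cases(key):
    """Check (a) authentic, (b) nothing missing, (c) nothing inserted, and ordering."""
    good = chain_stream(MESSAGES, key)
    tail = good[-1][1]
    edited = list(good)
    edited[1] = (good[1][0].replace(b"Failed", b"Accepted"), good[1][1])
    forged = (b"<86>Oct 18 13:17:07 host sudo: bob : COMMAND=/bin/sh", SEED)
    return {
        "intact": verify_stream(good, key, tail)[0],
        "edited": verify_stream(edited, key, tail)[0],                           # (a)
        "dropped": verify_stream(good[:1] + good[2:], key, tail)[0],              # (b)
        "inserted": verify_stream(good[:1] + [forged] + good[1:], key, tail)[0],  # (c)
        "reordered": verify_stream([good[1], good[0], good[2]], key, tail)[0],
        "truncated_unchecked": verify_stream(good[:-1], key)[0],  # no trusted tail
        "truncated_checked": verify_stream(good[:-1], key, tail)[0],
    }
```

A MAC key kept on the same host is exactly the local-compromise problem Rainer points at, which is why in practice only the chain's tail gets signed or timestamped by a party outside the box.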

