Hello Mariusz,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, March 24, 2021 10:40 AM, Mariusz Kruk via rsyslog <[email protected]> wrote:

> [ --%< snipped %<--- ]
>
> I suppose the idea is that if you're administering a system you know
> what you're doing ;-)
>
> So the information that you don't have permission to read the file
> should be enough. SELinux issues are very specific to a particular OS
> and if you use it you should understand it. (and yes, I sometimes get
> hit by SELinux permission issues myself if I forget to adjust my policies).

Yes, OK, I agree with you. You're right. Yes, I know and I feel you!

> > > > I want to create a pair of certificates for all my machines (not
> > > > separately for each machine).
> > > > These machines may have completely different domain names but I want
> > > > all of them to send their logs with the same certificate (for
> > > > convenience) to a central rsyslog machine.
> > > >
> > > > Bad idea. If you're going for encryption, do it properly.
> > > >
> > > > The right way is to create a certificate per client - right ? I
> > > > understand that - it makes sense.
> > > > In addition to security/safety/privacy, can I get additional benefits
> > > > from rsyslog (central) side with different certificates per client ?
> > > > For example, can I check the certificate with rsyslog and do something ?
>
> Yes, the proper way, since the certificate ties a cryptographic material
> to a particular subject (in this case - a server) is to use separate
> certificates per each client.
>
> Unfortunately you can't use the information from the certificate during
> event processing (at least I don't know of any way to - for example -
> extract subject data from the certificate and use it in a ruleset). But
> you can limit access to inputs based on client name and allow only
> certain peers to connect.

"client name" - You mean by this the option `Enter the dnsName of the subject of the certificate` when creating a certificate for the clients? And after that, with the following directive in the central rsyslog configuration:

```
$InputTCPServerStreamDriverPermittedPeer machine-1.example.com
```

?

Can I use it multiple times for different peers, something like this:

```
$InputTCPServerStreamDriverPermittedPeer machine-1.example.com
$InputTCPServerStreamDriverPermittedPeer machine-2.example.com
$InputTCPServerStreamDriverPermittedPeer machine-Y.example.com
$InputTCPServerStreamDriverPermittedPeer machine-x.test.com
```

or this way:

```
$InputTCPServerStreamDriverPermittedPeer *.example.com machine-Y.example.com machine-x.test.com
```

?

By the way, can I have many CA certificates in the same configuration? For example:

```
# For devel:
$DefaultNetstreamDriverCAFile /etc/.../ca-devel.pem
$DefaultNetstreamDriverCertFile /etc/.../devel-client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/.../devel-client-key.pem

# For production:
$DefaultNetstreamDriverCAFile /etc/.../ca-prod.pem
$DefaultNetstreamDriverCertFile /etc/.../prod-client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/.../prod-client-key.pem

# or, for another DC...
```

I thought this because I see the `$Default` prefix in these directives. So, can I have more directives besides the defaults?

Thank you all for your help

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
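As an added illustration of the listener the question above is about (this is example configuration written for this page, not part of the thread and not taken from rsyslog's own documentation), below is the RainerScript equivalent of the legacy `$InputTCPServerStreamDriverPermittedPeer` directive: a TLS-only imtcp listener that authenticates clients by certificate name (`x509/name`) and admits only names that match one entry of a `permittedPeer` list. The hostnames, file paths and port are assumptions chosen for illustration; the CA, certificate and key files are the global defaults, which is the `$DefaultNetstreamDriver*` family from the email in its RainerScript spelling.

```rsyslog
# Added example configuration (assumed paths/names, not from the thread).
# Load the TCP listener with the GnuTLS stream driver in TLS-only mode and
# name-based client authentication: a client must present a certificate
# chaining to our CA *and* carry a name that matches a permitted peer.
module(load="imtcp"
       streamDriver.name="gtls"
       streamDriver.mode="1"               # 1 = TLS only, never plaintext
       streamDriver.authMode="x509/name")  # verify chain AND check peer name

# Server-side trust material (assumed paths). These are the RainerScript
# form of $DefaultNetstreamDriverCAFile / CertFile / KeyFile.
global(
  defaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  defaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  defaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# permittedPeer is a list: one listener can admit several exact names plus
# wildcard patterns. A client whose certificate name matches none of the
# entries is rejected during the TLS handshake, before any message is
# accepted, so a leaked certificate from an unrelated domain gets no
# further than the handshake log line.
input(type="imtcp" port="6514"
      permittedPeer=["machine-1.example.com",
                     "machine-2.example.com",
                     "*.example.com",
                     "machine-x.test.com"])
```

A practical check when rolling this out: with `streamDriver.authMode="x509/name"` a rejected client shows up in the central rsyslog's own log as a failed peer authentication, which is the place to look when a new client's certificate name does not match what is listed. Note also that with one certificate per client, as recommended in the thread, revoking a compromised client means removing a single name from this list (or the certificate from the CA) rather than re-issuing a shared certificate to every machine.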

