On 24.03.2021 12:54, odrzen wrote:
Yes, the proper way, since the certificate ties cryptographic material
to a particular subject (in this case - a server), is to use separate
certificates per client.
Unfortunately you can't use the information from the certificate during
event processing (at least I don't know of any way to - for example -
extract subject data from the certificate and use it in a ruleset). But
you can limit access to inputs based on client name and allow only
certain peers to connect.
"client name" - You mean by this the option `Enter the dnsName of the subject of the certificate` when creating a certificate for the clients?
and after that with the following directive on central rsyslog configuration:
```
$InputTCPServerStreamDriverPermittedPeer machine-1.example.com
```
?
Can I use it multiple times for different peers, something like this:
```
$InputTCPServerStreamDriverPermittedPeer machine-1.example.com
$InputTCPServerStreamDriverPermittedPeer machine-2.example.com
$InputTCPServerStreamDriverPermittedPeer machine-Y.example.com
$InputTCPServerStreamDriverPermittedPeer machine-x.test.com
```
or with this way:
```
$InputTCPServerStreamDriverPermittedPeer *.example.com machine-Y.example.com
machine-x.test.com
```
?
By the way, can I have many CA certificates in the same configuration?
For example :
```
# For devel:
$DefaultNetstreamDriverCAFile /etc/.../ca-devel.pem
$DefaultNetstreamDriverCertFile /etc/.../devel-client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/.../devel-client-key.pem
# For production:
$DefaultNetstreamDriverCAFile /etc/.../ca-prod.pem
$DefaultNetstreamDriverCertFile /etc/.../prod-client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/.../prod-client-key.pem
# or, for another DC...
```
OK. With TLS it all gets tricky.
Firstly, to get it out of the way, you should not use the legacy config
directives. So instead of $InputTCPServerStreamDriverPermittedPeer you
should use the PermittedPeer option of an input(type="imtcp" [...])
directive, and so on.
Having said that - as I wrote - TLS is a bit tricky because it works a
bit differently depending on the underlying TLS library and its version,
and some parameters can be a bit vague (like said PermittedPeer option
which, quoting from the docs, "<id-string> semantics depend on the
currently selected AuthMode and network stream driver
<https://www.rsyslog.com/doc/master/concepts/netstrm_drvr.html>.
PermittedPeer may not be set in anonymous modes. PermittedPeer may be
set either to a single peer or an array of peers either of type IP or
name, depending on the tls certificate").
Having multiple CAs is not that easy, and doesn't work with openssl
1.0.x AFAIR. So you might have to do a bit of reading.
Firstly - https://www.rsyslog.com/doc/master/tutorials/tls.html
Then - the docs for the appropriate input/output modules
Finally, you'd probably need some testing.
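Added example (not part of the thread, and not taken from the rsyslog project): the question's legacy directives rewritten in the RainerScript form the reply recommends. Host names and file paths are placeholders; the certificate files are set once via global(), and the peer list is an array on the listener. On older 8.x releases the StreamDriver.* and PermittedPeer parameters are accepted only on module(load="imtcp"), not on input(); moving them there is the only change needed.

```conf
# Central rsyslog: TLS listener with per-client authorization by certificate name.
# Added example, assumed paths and host names; adjust to the local PKI.

# Key material for the default netstream driver is global and set once.
# The server trusts client certificates issued by this single CA file.
global(
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

module(load="imtcp")

# StreamDriver.Mode="1"        : TLS only, plaintext connections are refused.
# StreamDriver.AuthMode="x509/name": the peer must present a certificate chaining
#   to the CA above AND its dnsName/CN must match one PermittedPeer entry.
# PermittedPeer                : an array; exact names and wildcards are both allowed.
input(type="imtcp" port="6514" ruleset="remote"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="x509/name"
  PermittedPeer=["machine-1.example.com",
                 "machine-2.example.com",
                 "*.example.com",
                 "machine-x.test.com"]
)

ruleset(name="remote") {
  action(type="omfile" file="/var/log/remote.log")
}
```

A name that does not match any PermittedPeer entry is rejected during the TLS handshake and logged by rsyslog, so a quick check after deploying is to connect with a certificate whose dnsName is not listed and confirm the connection is refused rather than accepted.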
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog