<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Setting up a client — rsyslog 8.1911.0 documentation</title>
<link rel="stylesheet" href="../_static/classic.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="../_static/rsyslog.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: '../',
VERSION: '8.1911.0',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true,
SOURCELINK_SUFFIX: '.txt'
};
</script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="Setting up the UDP syslog relay" href="tls_cert_udp_relay.html" />
<link rel="prev" title="Setting up the Central Server" href="tls_cert_server.html" />
</head>
<body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
accesskey="I">index</a></li>
<li class="right" >
<a href="tls_cert_udp_relay.html" title="Setting up the UDP syslog relay"
accesskey="N">next</a> |</li>
<li class="right" >
<a href="tls_cert_server.html" title="Setting up the Central Server"
accesskey="P">previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../index.html">rsyslog 8.1911.0 documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="index.html" >Tutorials</a> »</li>
<li class="nav-item nav-item-2"><a href="tls_cert_summary.html" accesskey="U">Encrypting Syslog Traffic with TLS (SSL)</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="setting-up-a-client">
<h1>Setting up a client<a class="headerlink" href="#setting-up-a-client" title="Permalink to this headline">¶</a></h1>
<p>In this step, we configure a client machine. We from our scenario, we
use zuse.example.net. You need to do the same steps for all other
clients, too (in the example, that meanst turing.example.net). The client
check’s the server’s identity and talks to it only if it is the expected
server. This is a very important step. Without it, you would not detect
man-in-the-middle attacks or simple malicious servers who try to get
hold of your valuable log data.</p>
<div class="figure align-center">
<img alt="" src="../_images/tls_cert_100.jpg" />
</div>
<p>Steps to do:</p>
<ul class="simple">
<li>make sure you have a functional CA (<a class="reference external" href="tls_cert_ca.html">Setting up the
CA</a>)</li>
<li>generate a machine certificate for zuse.example.net (follow
instructions in <a class="reference external" href="tls_cert_machine.html">Generating Machine
Certificates</a>)</li>
<li>make sure you copy over ca.pem, machine-key.pem ad machine-cert.pem
to the client. Ensure that no user except root can access them
(<strong>even read permissions are really bad</strong>).</li>
<li>configure the client so that it checks the server identity and sends
messages only if the server identity is known. Please note that you
have the same options as when configuring a server. However, we now
use a single name only, because there is only one central server. No
using wildcards make sure that we will exclusively talk to that
server (otherwise, a compromised client may take over its role). If
you load-balance to different server identities, you obviously need to
allow all of them. It still is suggested to use explicit names.</li>
</ul>
<p><strong>At this point, please be reminded once again that your security needs
may be quite different from what we assume in this tutorial. Evaluate
your options based on your security needs.</strong></p>
<div class="section" id="sample-syslog-conf">
<h2>Sample syslog.conf<a class="headerlink" href="#sample-syslog-conf" title="Permalink to this headline">¶</a></h2>
<p>Keep in mind that this rsyslog.conf sends messages via TCP, only. Also,
we do not show any rules to write local files. Feel free to add them.</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1"># make gtls driver the default and set certificate files</span>
<span class="k">global</span><span class="p">(</span>
<span class="n">DefaultNetstreamDriver</span><span class="o">=</span><span class="s2">"gtls"</span>
<span class="n">DefaultNetstreamDriverCAFile</span><span class="o">=</span><span class="s2">"/path/to/contrib/gnutls/ca.pem"</span>
<span class="n">DefaultNetstreamDriverCertFile</span><span class="o">=</span><span class="s2">"/path/to/contrib/gnutls/cert.pem"</span>
<span class="n">DefaultNetstreamDriverKeyFile</span><span class="o">=</span><span class="s2">"/path/to/contrib/gnutls/key.pem"</span>
<span class="p">)</span>
<span class="c1"># set up the action for all messages</span>
<span class="n">action</span><span class="p">(</span>
<span class="nb">type</span><span class="o">=</span><span class="s2">"omfwd"</span>
<span class="n">target</span><span class="o">=</span><span class="s2">"central.example.net"</span>
<span class="n">protocol</span><span class="o">=</span><span class="s2">"tcp"</span>
<span class="n">port</span><span class="o">=</span><span class="s2">"6514"</span>
<span class="n">StreamDriver</span><span class="o">=</span><span class="s2">"gtls"</span>
<span class="n">StreamDriverMode</span><span class="o">=</span><span class="s2">"1"</span> <span class="c1"># run driver in TLS-only mode</span>
<span class="n">StreamDriverAuthMode</span><span class="o">=</span><span class="s2">"x509/name"</span>
<span class="n">StreamDriverPermittedPeers</span><span class="o">=</span><span class="s2">"central.example.net"</span>
<span class="p">)</span>
</pre></div>
</div>
<p>Note: the example above forwards every message to the remote server. Of
course, you can use the normal filters to restrict the set of
information that is sent. Depending on your message volume and needs,
this may be a smart thing to do.</p>
<p><strong>Be sure to safeguard at least the private key (machine-key.pem)!</strong> If
some third party obtains it, you security is broken!</p>
<div class="admonition seealso">
<p class="first admonition-title">See also</p>
<p>Help with configuring/using <code class="docutils literal"><span class="pre">Rsyslog</span></code>:</p>
<ul class="last simple">
<li><a class="reference external" href="http://lists.adiscon.net/mailman/listinfo/rsyslog">Mailing list</a> - best route for general questions</li>
<li>GitHub: <a class="reference external" href="https://github.com/rsyslog/rsyslog/">rsyslog source project</a> - detailed questions, reporting issues
that are believed to be bugs with <code class="docutils literal"><span class="pre">Rsyslog</span></code></li>
<li>Stack Exchange (<a class="reference external" href="https://stackexchange.com/filters/327462/rsyslog">View</a>, <a class="reference external" href="https://serverfault.com/questions/ask?tags=rsyslog">Ask</a>)
- experimental support from rsyslog community</li>
</ul>
</div>
<div class="admonition seealso">
<p class="first admonition-title">See also</p>
<p>Contributing to <code class="docutils literal"><span class="pre">Rsyslog</span></code>:</p>
<ul class="last simple">
<li>Source project: <a class="reference external" href="https://github.com/rsyslog/rsyslog/blob/master/README.md">rsyslog project README</a>.</li>
<li>Documentation: <a class="reference external" href="https://github.com/rsyslog/rsyslog-doc/blob/master/README.md">rsyslog-doc project README</a></li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<h3><a href="../index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Setting up a client</a><ul>
<li><a class="reference internal" href="#sample-syslog-conf">Sample syslog.conf</a></li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="tls_cert_server.html"
title="previous chapter">Setting up the Central Server</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="tls_cert_udp_relay.html"
title="next chapter">Setting up the UDP syslog relay</a></p>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../_sources/tutorials/tls_cert_client.rst.txt"
rel="nofollow">Show Source</a></li>
<li><a href="https://github.com/rsyslog/rsyslog-doc/edit/master/source/tutorials/tls_cert_client.rst"
rel="nofollow">Edit on GitHub</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<form class="search" action="../search.html" method="get">
<div><input type="text" name="q" /></div>
<div><input type="submit" value="Go" /></div>
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="right" style="margin-right: 10px">
<a href="../genindex.html" title="General Index"
>index</a></li>
<li class="right" >
<a href="tls_cert_udp_relay.html" title="Setting up the UDP syslog relay"
>next</a> |</li>
<li class="right" >
<a href="tls_cert_server.html" title="Setting up the Central Server"
>previous</a> |</li>
<li class="nav-item nav-item-0"><a href="../index.html">rsyslog 8.1911.0 documentation</a> »</li>
<li class="nav-item nav-item-1"><a href="index.html" >Tutorials</a> »</li>
<li class="nav-item nav-item-2"><a href="tls_cert_summary.html" >Encrypting Syslog Traffic with TLS (SSL)</a> »</li>
</ul>
</div>
<div class="footer" role="contentinfo">
© Copyright 2008-2019, `Rainer Gerhards and Others.
</div>
</body>
</html>