author: Daniel Baumann <daniel.baumann@progress-linux.org>, 2024-04-15 16:27:18 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org>, 2024-04-15 16:27:18 +0000
commit: f7f20c3f5e0be02585741f5f54d198689ccd7866
tree: 190d5e080f6cbcc40560b0ceaccfd883cb3faa01 /source/configuration/modules/gssapi.rst
parent: Initial commit.
download: rsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.tar.xz, rsyslog-doc-f7f20c3f5e0be02585741f5f54d198689ccd7866.zip
Adding upstream version 8.2402.0+dfsg. (upstream/8.2402.0+dfsg)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | source/configuration/modules/gssapi.rst | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/source/configuration/modules/gssapi.rst b/source/configuration/modules/gssapi.rst new file mode 100644 index 0000000..157f5a3 --- /dev/null +++ b/source/configuration/modules/gssapi.rst 
@@ -0,0 +1,73 @@ +GSSAPI module support in rsyslog v3 +=================================== + +What is it good for. + +- client-serverauthentication +- Log messages encryption + +Requirements. + +- Kerberos infrastructure +- rsyslog, rsyslog-gssapi + +Configuration. + +Let's assume there are 3 machines in Kerberos Realm: + +- the first is running KDC (Kerberos Authentication Service and Key + Distribution Center), +- the second is a client sending its logs to the server, +- the third is receiver, gathering all logs. + +1. KDC: + +- Kerberos database must be properly set-up on KDC machine first. Use + kadmin/kadmin.local to do that. Two principals need to be add in our + case: + +#. sender@REALM.ORG + +- client must have ticket for principal sender +- REALM.ORG is kerberos Realm + +#. host/receiver.mydomain.com@REALM.ORG - service principal + +- Use ktadd to export service principal and transfer it to + /etc/krb5.keytab on receiver + +2. CLIENT: + +- set-up rsyslog, in /etc/rsyslog.conf +- $ModLoad omgssapi - load output gss module +- $GSSForwardServiceName otherThanHost - set the name of service + principal, "host" is the default one +- \*.\* :omgssapi:receiver.mydomain.com - action line, forward logs to + receiver +- kinit root - get the TGT ticket +- service rsyslog start + +3. SERVER: + +- set-up rsyslog, in /etc/rsyslog.conf + +- $ModLoad `imgssapi <imgssapi.html>`_ - load input gss module + +- $InputGSSServerServiceName otherThanHost - set the name of service + principal, "host" is the default one + +- $InputGSSServerPermitPlainTCP on - accept GSS and TCP connections + (not authenticated senders), off by default + +- $InputGSSServerRun 514 - run server on port + +- service rsyslog start + +The picture demonstrate how things work. + +.. figure:: gssapi.png + :align: center + :alt: rsyslog gssapi support + + rsyslog gssapi support + |
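Review bot: the SERVER steps in this hunk switch on `$InputGSSServerPermitPlainTCP on`, which the same line describes as accepting "GSS and TCP connections (not authenticated senders)" and notes is off by default; on a page whose first stated purpose is client-server authentication, the worked configuration should leave it off, or show it only as an explicit relaxation with a sentence saying that, once enabled, any sender that can reach port 514 can deliver messages without a Kerberos ticket. The CLIENT steps are also inconsistent with the KDC section: the KDC text says "client must have ticket for principal sender", but the step reads `kinit root - get the TGT ticket`, so the principal names should agree, and it is worth adding that a TGT obtained interactively expires, so a long-running rsyslog needs a keytab-based or renewed credential. Smaller points: the title `GSSAPI module support in rsyslog v3` is stale for a document shipping in the 8.2402.0 tree; the two `#.` items (`sender@REALM.ORG` and `host/receiver.mydomain.com@REALM.ORG`) are separated by bullet lists, so reStructuredText renders them as two auto-numbered lists that each start at 1 rather than as items 1 and 2; `client-serverauthentication` is missing a space, `Two principals need to be add` should read `need to be added`, and `The picture demonstrate` should read `demonstrates`.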