summaryrefslogtreecommitdiffstats
path: root/source/configuration/modules/omdtls.rst
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 16:27:39 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 16:27:39 +0000
commit1567a06bea58f651a462b43054bf6f604c102ed4 (patch)
tree029c2cfed1095d039ca3922db024e45eda1e6fe8 /source/configuration/modules/omdtls.rst
parentReleasing progress-linux version 8.2402.0+dfsg-1~progress7.99u1. (diff)
downloadrsyslog-doc-1567a06bea58f651a462b43054bf6f604c102ed4.tar.xz
rsyslog-doc-1567a06bea58f651a462b43054bf6f604c102ed4.zip
Merging upstream version 8.2404.0+dfsg.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source/configuration/modules/omdtls.rst')
-rw-r--r--source/configuration/modules/omdtls.rst268
1 files changed, 268 insertions, 0 deletions
diff --git a/source/configuration/modules/omdtls.rst b/source/configuration/modules/omdtls.rst
new file mode 100644
index 0000000..ccf9be0
--- /dev/null
+++ b/source/configuration/modules/omdtls.rst
@@ -0,0 +1,268 @@
+**********************************************************
+omdtls: Output Module for DTLS Protocol over UDP
+**********************************************************
+
+=========================== ===========================================================================
+**Module Name:** **omdtls**
+**Author:** Andre Lorbach <alorbach@adiscon.com>
+**Available since:** v8.2402.0
+=========================== ===========================================================================
+
+
+Purpose
+=======
+
+The omdtls module for rsyslog is designed to securely transmit syslog data over a network using
+the Datagram Transport Layer Security (DTLS) protocol. This module leverages the robustness and
+security features of OpenSSL to provide an encrypted transport mechanism for syslog messages via UDP.
+
+DTLS, being an adaptation of TLS for datagram-based protocols, offers integrity, authenticity, and
+confidentiality for messages in transit. The omdtls module is particularly useful in environments
+where secure transmission of log data is crucial, such as in compliance-driven industries or when
+transmitting across untrusted networks.
+
+By operating over UDP, omdtls offers the benefits of lower latency and reduced protocol overhead
+compared to TCP-based transport, making it well-suited for high-throughput logging scenarios or in
+networks where connection-oriented protocols may face challenges.
+
+
+Requirements
+============
+
+To send messages by DTLS you will need to fulfill the following requirements:
+
+- OpenSSL 1.0.2 or Higher
+
+
+Configuration Parameters
+========================
+
+.. note::
+
+ Parameter names are case-insensitive.
+
+Module Parameters
+-----------------
+
+Template
+^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "word", "RSYSLOG_TraditionalForwardFormat", "no", "``$ActionForwardDefaultTemplateName``"
+
+Sets a non-standard default template for this module.
+
+
+Action Parameters
+-----------------
+
+target
+^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "word", "none", "no", "none"
+
+Specifies the target hostname or IP address to send log messages to.
+
+
+port
+^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "word", "4433", "yes", "none"
+
+Defines the port number on the target host where log messages will be sent.
+The default port number for DTLS is 4433.
+
+
+tls.AuthMode
+^^^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "string", "none", "no", "none"
+
+Sets the mode of authentication to be used.
+Supported values are either "*fingerprint*\ ", "*name"* or "*certvalid*\ ".
+
+Fingerprint: Authentication based on certificate fingerprint.
+Name: Authentication based on the subjectAltName and, as a fallback, the
+subject common name.
+Certvalid: Requires a valid certificate for authentication.
+Certanon: Anything else will allow anonymous authentication (no client certificate).
+
+
+tls.cacert
+^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "string", "none", "no", "none"
+
+The CA certificate that is being used to verify the client certificates.
+Has to be configured if tls.authmode is set to "*fingerprint*\ ", "*name"* or "*certvalid*\ ".
+
+
+tls.mycert
+^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "string", "none", "no", "none"
+
+Specifies the certificate file used by omdtls.
+This certificate is presented to peers during the DTLS handshake.
+
+
+tls.myprivkey
+^^^^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "string", "none", "no", "none"
+
+The private key file corresponding to tls.mycert.
+This key is used for the cryptographic operations in the DTLS handshake.
+
+
+tls.tlscfgcmd
+^^^^^^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "string", "none", "no", "none"
+
+Used to pass additional OpenSSL configuration commands. This can be used to fine-tune the OpenSSL
+settings by passing configuration commands to the openssl libray.
+OpenSSL Version 1.0.2 or higher is required for this feature.
+A list of possible commands and their valid values can be found in the documentation:
+https://www.openssl.org/docs/man1.0.2/man3/SSL_CONF_cmd.html
+
+The setting can be single or multiline, each configuration command is separated by linefeed (\n).
+Command and value are separated by equal sign (=). Here are a few samples:
+
+Example 1
+---------
+
+This will allow all protocols except for SSLv2 and SSLv3:
+
+.. code-block:: none
+
+ tls.tlscfgcmd="Protocol=ALL,-SSLv2,-SSLv3"
+
+
+Example 2
+---------
+
+This will allow all protocols except for SSLv2, SSLv3 and TLSv1.
+It will also set the minimum protocol to TLSv1.2
+
+.. code-block:: none
+
+ tls.tlscfgcmd="Protocol=ALL,-SSLv2,-SSLv3,-TLSv1
+ MinProtocol=TLSv1.2"
+
+
+Template
+^^^^^^^^
+
+.. csv-table::
+ :header: "type", "default", "mandatory", "|FmtObsoleteName| directive"
+ :widths: auto
+ :class: parameter-table
+
+ "word", "RSYSLOG_TraditionalForwardFormat", "no", ""
+
+Sets a non-standard default template for this action instance.
+
+
+.. _statistics-counter_omdtls_label:
+
+Statistic Counter
+=================
+
+This plugin maintains global :doc:`statistics <../rsyslog_statistic_counter>` for omdtls that
+accumulate all action instances. The statistic origin is named "omdtls" with following counters:
+
+
+- **submitted** - This counter tracks the number of log messages that have been successfully send
+ by the current output instance.
+
+- **failures** - This counter tracks the number of log messages that have been failed to send
+ to the target server.
+
+These statistics counters are updated in real-time by the rsyslog output module as log data is processed,
+and they provide valuable information about the performance and operation of the input module.
+
+For multiple actions using statistics callback, there will be one record for each action.
+
+.. _omdtls-examples-label:
+
+Examples
+========
+
+Example 1: Basic
+----------------
+
+The following sample does the following:
+- loads the omdtls module
+- Sends all syslog messages to 192.168.2.1 by DTLS on port 4433.
+
+.. code-block:: none
+
+ module(load="omdtls")
+ action(type="omdtls" name="omdtls" target="192.168.2.1" port="4433")
+
+
+Example 2: Message throttleling
+------------------------------------
+
+The following sample does the following:
+
+- loads the omdtls module
+- Sends all syslog messages to 192.168.2.1 by DTLS on port 4433.
+- Slows down sending to avoid package loss due the nature of UDP. In this sample,
+ using dequeueSlowDown 1000 will limit the messages per second to 1000.
+
+.. code-block:: none
+
+ module(load="omdtls")
+ action(type="omdtls"
+ name="omdtls"
+ target="192.168.2.1"
+ port="4433"
+ queue.type="FixedArray"
+ queue.size="100000"
+ queue.dequeueBatchSize="1"
+ queue.minDequeueBatchSize.timeout="1000"
+ queue.timeoutWorkerthreadShutdown="1000"
+ queue.timeoutshutdown="1000"
+ queue.dequeueSlowDown="1000"
+ )