Encrypting traffic to a remote syslog-ng server including SSL peer authentication

1. Install stunnel and syslog-ng on all machines.

2. Create a certificate for every machine. On Red Hat 9 and similar systems the make target in the OpenSSL certificate directory writes a self-signed certificate together with its private key into a single PEM file, which is the combined layout stunnel expects for its cert option. As root:

# cd /usr/share/ssl/certs
# make syslog-ng-server.pem
# make syslog-ng-client.pem

Run the second make on every client (or rename each client's file before collecting them on the server). These certificates are self-signed, so there is no CA involved: peer authentication in step 5 works by requiring the peer's exact certificate to be present in the file named by CAfile.

3. Copy syslog-ng-server.pem to /etc/stunnel on every machine, with one important alteration: the clients need only the certificate part of syslog-ng-server.pem, so delete the private key section (the text from the BEGIN ... PRIVATE KEY line to the matching END line) from every client's copy. Only the server may hold the server's private key.

Place each client's own syslog-ng-client.pem (key and certificate) in that client's /etc/stunnel. For the server, build a special syslog-ng-client.pem that contains only the certificate sections of all clients: strip the private key section from every client's file and concatenate what is left. Because the server's stunnel will accept a client only if that client's exact certificate appears in this file, adding a client later means appending its certificate here and restarting stunnel on the server.

4. Make every certificate file owned by root and readable and writable by root only (chown root:root, chmod 600). The server's file and each client's own file contain a private key, and anyone who can read that key can impersonate the machine towards the log server or, with the server key, impersonate the server to every client.
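Steps 2 to 4 as one runnable shell script. This is an added example, not part of the original howto or of stunnel's own documentation: it replaces the Red Hat 9 make target with the equivalent openssl command, strips private keys with a POSIX sed range, builds the server's client bundle and locks down permissions. The /etc/stunnel default, the host names and the placeholder PEM text written by demo() are assumptions; demo() works on constructed placeholder text rather than real keys so the transformations can be checked offline.

```shell
#!/bin/sh
# Added example (not from the original howto): prepare the PEM files of
# steps 2-4. Assumes the combined "private key + certificate" layout that
# `make name.pem` in /usr/share/ssl/certs produces, and /etc/stunnel as the
# target directory (hypothetical defaults; override via arguments).
set -e

# Step 2 equivalent: self-signed certificate and key in ONE file (what the
# Red Hat 9 make target does). Usage: gen_selfsigned out.pem common-name
gen_selfsigned() {
    out=$1; cn=$2
    key=$(mktemp); crt=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$cn" \
        -keyout "$key" -out "$crt" 2>/dev/null
    (umask 077; cat "$key" "$crt" > "$out")   # file is mode 0600 from the start
    rm -f "$key" "$crt"
}

# Step 3: keep only CERTIFICATE blocks, drop everything else (i.e. the key).
# POSIX sed range; handles any number of concatenated certificates.
cert_only() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Step 3, server side: the special syslog-ng-client.pem = certificates of
# all clients, no keys. Usage: build_client_bundle out.pem client1.pem ...
build_client_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cert_only "$f" >> "$out"
    done
}

# Guard before copying a file to another host: does it still carry a key?
has_private_key() {
    grep -q 'PRIVATE KEY-----' "$1"
}

# Step 4: root-only ownership and mode for every PEM in the stunnel directory.
lock_down() {
    dir=${1:-/etc/stunnel}
    chown root:root "$dir"/*.pem
    chmod 600 "$dir"/*.pem
}

# Offline demonstration on CONSTRUCTED placeholder PEM text (not real keys):
# performs the step-3 transformations in a temp dir and prints its path.
demo() {
    d=$(mktemp -d)
    for name in server client1 client2; do
        printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' "${name}KEY" \
            '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
            "${name}CERT" '-----END CERTIFICATE-----' > "$d/$name.pem"
    done
    cert_only "$d/server.pem" > "$d/server-cert-for-clients.pem"   # goes to the clients
    build_client_bundle "$d/syslog-ng-client.pem" "$d/client1.pem" "$d/client2.pem"   # stays on the server
    printf '%s\n' "$d"
}
```

Run gen_selfsigned once per machine, ship only the cert_only output of the server file to the clients, and feed every client's file to build_client_bundle on the server; a file for which has_private_key succeeds must never leave the machine that generated it.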

5. On the server, create /etc/stunnel/stunnel.conf containing the following, replacing "server IP address" with the server's own address:

   cert = /etc/stunnel/syslog-ng-server.pem
   CAfile = /etc/stunnel/syslog-ng-client.pem
   verify = 3
   [5140]
   accept = server IP address:5140
   connect = 127.0.0.1:514

verify = 3 makes stunnel demand a certificate from every connecting client and accept it only if that exact certificate is present in CAfile. Without a verify line stunnel does not check the peer at all (its default is no verification), so the tunnel would encrypt but not authenticate. The decrypted stream is handed to 127.0.0.1 only, so port 514 never has to be reachable from the network.



On the clients, create /etc/stunnel/stunnel.conf containing the following, again replacing "server IP address" with the server's address:

   client = yes
   cert = /etc/stunnel/syslog-ng-client.pem
   CAfile = /etc/stunnel/syslog-ng-server.pem
   verify = 3
   [5140]
   accept = 127.0.0.1:514
   connect = server IP address:5140

The client presents syslog-ng-client.pem and, because of verify = 3 with the server certificate in its CAfile, refuses to send anything to a host that answers on the server's address with a different certificate. stunnel 4 production configurations usually also set setuid, setgid and chroot so the daemon does not keep running as root; newer stunnel releases spell the same peer check verifyPeer = yes. Check the manual for the version you run.
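A check for the two stunnel.conf files above, as an added example that is not part of the original howto or of stunnel itself. stunnel's default is no peer verification, so a forgotten or mistyped verify line leaves a tunnel that encrypts but accepts any peer; the function below reads a stunnel.conf and reports that and the other settings this howto depends on. The constructed sample configurations use the documentation address 192.0.2.10 in place of the server IP address; that address, the temp-directory layout and the wording of the findings are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original howto or of stunnel): lint the
# peer-authentication settings of a stunnel.conf as used in step 5.
# stunnel's default is verify = 0 (no peer check), so a missing line turns
# "encrypted and authenticated" into merely "encrypted".
set -e

# conf_get FILE KEY -> value of the first "KEY = value" line, empty if absent
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_stunnel_conf FILE -> exit 0 when the settings this howto relies on are
# present, 1 otherwise; every finding is printed on its own line.
check_stunnel_conf() {
    f=$1; rc=0
    case $(conf_get "$f" verify) in
        '')       echo "$f: no 'verify' line: peer certificate is never checked (stunnel default)"; rc=1 ;;
        *[!0-9]*) echo "$f: 'verify' is not a number"; rc=1 ;;
        0|1)      echo "$f: verify < 2 lets a peer connect without a certificate"; rc=1 ;;
    esac
    [ -n "$(conf_get "$f" CAfile)" ] || { echo "$f: no CAfile: nothing to verify the peer against"; rc=1; }
    [ -n "$(conf_get "$f" cert)" ]   || { echo "$f: no cert: this side cannot prove its own identity"; rc=1; }
    if [ "$(conf_get "$f" client)" = yes ]; then
        # client: the plaintext side must stay on loopback
        case $(conf_get "$f" accept) in
            127.0.0.1:*) ;;
            *) echo "$f: client 'accept' must bind 127.0.0.1, not the network"; rc=1 ;;
        esac
    else
        # server: decrypted logs go to the local syslog-ng only
        case $(conf_get "$f" connect) in
            127.0.0.1:*) ;;
            *) echo "$f: server 'connect' must target 127.0.0.1 only"; rc=1 ;;
        esac
    fi
    return $rc
}

# CONSTRUCTED sample files (192.0.2.10 stands in for the server IP address):
# the two configurations of step 5 plus a weak client file with the checks
# left out. Writes them to a temp dir and prints its path.
demo_confs() {
    d=$(mktemp -d)
    printf '%s\n' 'cert = /etc/stunnel/syslog-ng-server.pem' \
        'CAfile = /etc/stunnel/syslog-ng-client.pem' 'verify = 3' '[5140]' \
        'accept = 192.0.2.10:5140' 'connect = 127.0.0.1:514' > "$d/server.conf"
    printf '%s\n' 'client = yes' 'cert = /etc/stunnel/syslog-ng-client.pem' \
        'CAfile = /etc/stunnel/syslog-ng-server.pem' 'verify = 3' '[5140]' \
        'accept = 127.0.0.1:514' 'connect = 192.0.2.10:5140' > "$d/client.conf"
    # weak: no verify, no CAfile, and the plaintext port exposed on all interfaces
    printf '%s\n' 'client = yes' 'cert = /etc/stunnel/syslog-ng-client.pem' \
        '[5140]' 'accept = 0.0.0.0:514' 'connect = 192.0.2.10:5140' > "$d/weak-client.conf"
    printf '%s\n' "$d"
}
```

Run check_stunnel_conf /etc/stunnel/stunnel.conf on every machine after editing; it is deliberately strict about loopback because any plaintext listener reachable from the network bypasses both the encryption and the certificate check.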



6. On the server, create /etc/syslog-ng.conf with the following. This is syslog-ng 1.x/2.x syntax; syslog-ng 3.x needs a leading @version: line and spells sync() as flush_lines() and long_hostnames() as chain_hostnames(), so check the documentation of the version you run:

   options { long_hostnames(off);
             sync(0);
             keep_hostname(yes);    # keep the client's hostname; the TCP peer is always 127.0.0.1 (stunnel)
             chain_hostnames(no); };
   source src { unix-stream("/dev/log");
                pipe("/proc/kmsg");
                internal(); };
   # only the local stunnel connects here; bound to loopback so it is not reachable from the network
   source stunnel { tcp(ip("127.0.0.1")
                        port(514)
                        max-connections(1)); };   # raise to the number of clients: stunnel opens one local connection per connected client
   destination remoteclient { file("/var/log/remoteclient"); };
   destination dest { file("/var/log/messages"); };
   log { source(src); destination(dest); };
   log { source(stunnel); destination(remoteclient); };

keep_hostname(yes) is needed because every remote message arrives from 127.0.0.1 and would otherwise be relabelled with that address; it also means the hostname field is taken from the client as sent, which is acceptable only because each client has authenticated with its certificate. Note that any local process on the server can write to 127.0.0.1:514 as well, so keep untrusted users off the log host.



On the clients, create /etc/syslog-ng.conf with the following (same syslog-ng 1.x/2.x syntax as the server file):

   options { long_hostnames(off);
             sync(0); };
   source src { unix-stream("/dev/log");
                pipe("/proc/kmsg");
                internal(); };
   destination dest { file("/var/log/messages"); };
   # plaintext only as far as the local stunnel, which encrypts it on its way to the server
   destination stunnel { tcp("127.0.0.1" port(514)); };
   log { source(src); destination(dest); };
   log { source(src); destination(stunnel); };



(See syslog-ng documentation for more sophisticated syslog-ng.conf alternatives.)



7. Adjust packet filtering and TCP wrappers: on the server, allow inbound TCP 5140 from the clients' addresses only (if stunnel was built with libwrap it looks up the service name, here 5140, in hosts.allow); on the clients, allow outbound TCP 5140 to the server. Port 514 is bound to 127.0.0.1 on every machine and must not be opened to the network, because traffic delivered to it bypasses stunnel and therefore both the encryption and the certificate check.



8. On all machines, add the following to the boot procedure (or use the init scripts or service units your distribution ships for the two daemons) and run them now:

# stunnel
# syslog-ng -f /etc/syslog-ng.conf

stunnel started without arguments reads /etc/stunnel/stunnel.conf. To confirm the setup, send a recognisable test message with logger on a client and check that it appears in /var/log/remoteclient on the server. Then confirm that the authentication actually bites: connect to the server's port 5140 with a TLS client that offers no certificate, or one that is not in the server's CAfile, and check that stunnel rejects the connection and that nothing is written to /var/log/remoteclient.

Please send questions and comments to Christian Seberino (chris at pythonsoft dot com).



From http://www.stunnel.org/examples/syslog-ng.html


Copyright 2004-2020 Sascha Nitsch Unternehmensberatung GmbH