1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73
|
GSSAPI module support in rsyslog v3
===================================
What is it good for.
- client-serverauthentication
- Log messages encryption
Requirements.
- Kerberos infrastructure
- rsyslog, rsyslog-gssapi
Configuration.
Let's assume there are 3 machines in Kerberos Realm:
- the first is running KDC (Kerberos Authentication Service and Key
Distribution Center),
- the second is a client sending its logs to the server,
- the third is receiver, gathering all logs.
1. KDC:
- Kerberos database must be properly set-up on KDC machine first. Use
kadmin/kadmin.local to do that. Two principals need to be add in our
case:
#. sender@REALM.ORG
- client must have ticket for principal sender
- REALM.ORG is kerberos Realm
#. host/receiver.mydomain.com@REALM.ORG - service principal
- Use ktadd to export service principal and transfer it to
/etc/krb5.keytab on receiver
2. CLIENT:
- set-up rsyslog, in /etc/rsyslog.conf
- $ModLoad omgssapi - load output gss module
- $GSSForwardServiceName otherThanHost - set the name of service
principal, "host" is the default one
- \*.\* :omgssapi:receiver.mydomain.com - action line, forward logs to
receiver
- kinit root - get the TGT ticket
- service rsyslog start
3. SERVER:
- set-up rsyslog, in /etc/rsyslog.conf
- $ModLoad `imgssapi <imgssapi.html>`_ - load input gss module
- $InputGSSServerServiceName otherThanHost - set the name of service
principal, "host" is the default one
- $InputGSSServerPermitPlainTCP on - accept GSS and TCP connections
(not authenticated senders), off by default
- $InputGSSServerRun 514 - run server on port
- service rsyslog start
The picture demonstrate how things work.
.. figure:: gssapi.png
:align: center
:alt: rsyslog gssapi support
rsyslog gssapi support
|