authorroot <root@slamuf.jones.dk>2009-03-04 17:45:05 +0100
committerroot <root@slamuf.jones.dk>2009-03-04 17:45:05 +0100
commit0e86e9149f814cdb30fb5db0f1a1b8bb6d2b6ea3 (patch)
tree0310037a84db80e5e74626cf85fab718ddf1ee34 /rsyslog.d
parent5c38134be1197388e316bb0a17558560ef33a15c (diff)
Add rsyslog config snippets to use TLS.
Diffstat (limited to 'rsyslog.d')
-rw-r--r--rsyslog.d/local-gtls-client.conf6
-rw-r--r--rsyslog.d/local-gtls-server.conf5
-rw-r--r--rsyslog.d/local-gtls.conf21
3 files changed, 32 insertions, 0 deletions
diff --git a/rsyslog.d/local-gtls-client.conf b/rsyslog.d/local-gtls-client.conf
new file mode 100644
index 0000000..e692b07
--- /dev/null
+++ b/rsyslog.d/local-gtls-client.conf
@@ -0,0 +1,6 @@
+# restrict access based on server certificate
+# (repeat all lines for each server)
+#$ActionSendStreamDriverAuthMode x509/name
+#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
+#$ActionSendStreamDriverPermittedPeer central.example.net
+#*.* @@central.example.net:514 # forward everything to remote server
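Review bot: The `$ActionSendStreamDriverMode 1 # run driver in TLS-only mode` and `*.* @@central.example.net:514 # forward everything ...` lines carry trailing `#` comments, and rsyslog's legacy directive syntax does not reliably treat text after a value as a comment (the selector line in particular may pass the trailing text to the action), so the comments should be moved to their own lines before anyone uncomments the snippet. The destination port 514 is also the conventional plaintext syslog port; TLS syslog is normally run on 6514 (RFC 5425), which keeps TLS and cleartext listeners from being confused on the receiving side. Since every line is commented out the file is inert as committed, which is worth stating at the top, e.g. `# template only: copy, uncomment and adjust the peer name for each server`.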
diff --git a/rsyslog.d/local-gtls-server.conf b/rsyslog.d/local-gtls-server.conf
new file mode 100644
index 0000000..b17d55a
--- /dev/null
+++ b/rsyslog.d/local-gtls-server.conf
@@ -0,0 +1,5 @@
+# enable gtls reception
+$InputTCPServerRun 514
+
+# restrict access based on client certificate
+#$InputTCPServerStreamDriverPermittedPeer *.example.net
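Review bot: `$InputTCPServerRun 514` is placed before `$InputTCPServerStreamDriverPermittedPeer`, but in rsyslog's legacy syntax `$InputTCPServerRun` instantiates the listener with whatever stream-driver settings have been seen so far, so uncommenting the PermittedPeer line as written would leave the listener without the restriction; the two lines should be swapped: `#$InputTCPServerStreamDriverPermittedPeer *.example.net` then `$InputTCPServerRun 514`. More importantly, if rsyslog.d is included with the usual `*.conf` glob, this file sorts before `local-gtls.conf`, which is where imtcp is loaded and the gtls driver, auth mode and certificates are set, so the listener would start before any of that applies (or fail because imtcp is not yet loaded) — the inclusion order should be verified, and the safest fix is to move the `$InputTCPServerRun` line to the end of `local-gtls.conf` or rename the files so the driver setup loads first.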
diff --git a/rsyslog.d/local-gtls.conf b/rsyslog.d/local-gtls.conf
new file mode 100644
index 0000000..aef8117
--- /dev/null
+++ b/rsyslog.d/local-gtls.conf
@@ -0,0 +1,21 @@
+# enable gtls driver and make it the default
+$ModLoad imtcp
+$DefaultNetstreamDriver gtls
+
+# certificate files
+$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
+$DefaultNetstreamDriverCertFile /etc/ssl/certs/rsyslog.pem
+$DefaultNetstreamDriverKeyFile /etc/ssl/private/rsyslog.pem
+
+$InputTCPServerStreamDriverAuthMode x509/name
+$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
+
+# sample reception (repeat last line for each client)
+#$InputTCPServerRun 514
+#$InputTCPServerStreamDriverPermittedPeer *.example.net
+
+# sample sending (repeat all lines for each server)
+#$ActionSendStreamDriverAuthMode x509/name
+#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
+#$ActionSendStreamDriverPermittedPeer central.example.net
+#*.* @@central.example.net:514 # forward everything to remote server
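Review bot: `$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt` points the gtls driver at the full public CA bundle, so under `x509/name` authentication any certificate issued by any of those CAs for a name matching a PermittedPeer entry would be accepted by both the server and the forwarding clients; for a private log-forwarding mesh the CA file should be a dedicated internal CA, e.g. `$DefaultNetstreamDriverCAFile /etc/ssl/certs/rsyslog-ca.pem`, with a comment noting why the system bundle is not used. The sample reception block repeats the ordering issue of putting `$InputTCPServerRun 514` before `$InputTCPServerStreamDriverPermittedPeer`; in legacy syntax the PermittedPeer lines must precede the Run directive, so the comment `# (repeat last line for each client)` should be reworded to put the Run directive last. The `# run driver in TLS-only mode` comments appended to directive lines may also not be tolerated by the legacy parser and are safer on their own lines.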