-rw-r--r--rsyslog.d/local-gtls-common.conf21
-rw-r--r--rsyslog.d/local-gtls-receive.conf20
-rw-r--r--rsyslog.d/local-gtls-send.conf21
3 files changed, 41 insertions, 21 deletions
diff --git a/rsyslog.d/local-gtls-common.conf b/rsyslog.d/local-gtls-common.conf
index aef8117..ebdab86 100644
--- a/rsyslog.d/local-gtls-common.conf
+++ b/rsyslog.d/local-gtls-common.conf
@@ -1,21 +1,10 @@
-# enable gtls driver and make it the default
-$ModLoad imtcp
+# common options for both server reception and client sending
+
+# use gtls driver by default
$DefaultNetstreamDriver gtls
# certificate files
-$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
+# (only CAFile needed at client if using AuthMode anon)
+$DefaultNetstreamDriverCAFile /etc/ssl/certs/cacert.org.pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/rsyslog.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/private/rsyslog.pem
-
-$InputTCPServerStreamDriverAuthMode x509/name
-$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
-
-# sample reception (repeat last line for each client)
-#$InputTCPServerRun 514
-#$InputTCPServerStreamDriverPermittedPeer *.example.net
-
-# sample sending (repeat all lines for each server)
-#$ActionSendStreamDriverAuthMode x509/name
-#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
-#$ActionSendStreamDriverPermittedPeer central.example.net
-#*.* @@central.example.net:514 # forward everything to remote server
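Review bot: The added comment on the CAFile line is ambiguous about which directives a client may omit; as I read it, a sender running with AuthMode anon needs only CAFile, while CertFile and KeyFile on the two lines that follow are required whenever x509/name is used on either side, and since this file is shared by both the receiver and the sender that distinction is worth spelling out. Suggested wording for the comment: `# (a client using AuthMode anon needs only CAFile; CertFile/KeyFile are required for x509/name on either side)`. Note also that the CAFile now points at a single CA bundle, so both the receiver's client-certificate check and the sender's server-certificate check will accept only certificates chaining to that file — a deliberate narrowing that could be stated in the "common options" header.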
diff --git a/rsyslog.d/local-gtls-receive.conf b/rsyslog.d/local-gtls-receive.conf
index b17d55a..1427da1 100644
--- a/rsyslog.d/local-gtls-receive.conf
+++ b/rsyslog.d/local-gtls-receive.conf
@@ -1,5 +1,21 @@
-# enable gtls reception
-$InputTCPServerRun 514
+# server reception
+
+# load support for tcp-based network reception
+$ModLoad imtcp
+
+# run driver in TLS-only mode
+$InputTCPServerStreamDriverMode 1
+
+# enable only one of below authentication schemes
+
+# client is NOT authenticated
+#$InputTCPServerStreamDriverAuthMode anon
# restrict access based on client certificate
+# (adjust and add Peer lines as needed)
+$InputTCPServerStreamDriverAuthMode x509/name
#$InputTCPServerStreamDriverPermittedPeer *.example.net
+#$InputTCPServerStreamDriverPermittedPeer foo.example.org
+
+# enable gtls reception
+$InputTCPServerRun 10514
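Review bot: The receiver enables `$InputTCPServerStreamDriverAuthMode x509/name` on the uncommented line, but both `PermittedPeer` lines below it remain commented, so as shipped no peer name is allowed; how the gtls driver behaves with an empty permitted-peer list in x509/name mode should be confirmed, but either way the file is not usable until one Peer line is uncommented. A comment making that explicit would help, e.g. `# NOTE: x509/name requires at least one PermittedPeer line below; none is enabled as shipped`. The listener port also moves from 514 to 10514, which matches the forwarding target in local-gtls-send.conf but is a change that host firewall rules must follow.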
diff --git a/rsyslog.d/local-gtls-send.conf b/rsyslog.d/local-gtls-send.conf
index e692b07..b3ec4a4 100644
--- a/rsyslog.d/local-gtls-send.conf
+++ b/rsyslog.d/local-gtls-send.conf
@@ -1,6 +1,21 @@
+# client sending
+
+# run driver in TLS-only mode
+$ActionSendStreamDriverMode 1
+
+# enable only one of below authentication schemes
+
+# client is NOT authenticated
+# (client needs only CAFile certificate)
+#$ActionSendStreamDriverAuthMode anon
+
# restrict access based on server certificate
-# (repeat all lines for each server)
+# (adjust Peer line as needed)
#$ActionSendStreamDriverAuthMode x509/name
-#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
#$ActionSendStreamDriverPermittedPeer central.example.net
-#*.* @@central.example.net:514 # forward everything to remote server
+
+# forward everything to remote server
+# (adjust as needed)
+#*.* @@central.example.net:10514
+
+# (repeat all above lines for each restricted server, not just last two)
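Review bot: Neither `$ActionSendStreamDriverAuthMode` line is uncommented in the new file, so the sender runs with the driver's default authentication mode, which to my recollection is anon for the gtls driver (no verification of the server certificate) — the "restrict access based on server certificate" section is therefore inactive until the x509/name and PermittedPeer lines are enabled. Suggest adding after the "enable only one of below" comment: `# (if neither is enabled the driver default applies; do not rely on it for server verification)`. The closing comment "not just last two" is also hard to follow; naming the lines, e.g. `# (for each additional restricted server repeat the AuthMode, Mode, PermittedPeer and forwarding lines, not only the PermittedPeer and forwarding lines)`, would make the intent clear.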