From fad935026196426beb9ddbc76abe97a744417b9e Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 13 Sep 2009 22:39:50 +0200
Subject: Fix rsyslog-gnutls config files and improve comments.
---
rsyslog.d/local-gtls-common.conf | 21 +++++----------------
rsyslog.d/local-gtls-receive.conf | 20 ++++++++++++++++++--
rsyslog.d/local-gtls-send.conf | 21 ++++++++++++++++++---
3 files changed, 41 insertions(+), 21 deletions(-)
(limited to 'rsyslog.d')
diff --git a/rsyslog.d/local-gtls-common.conf b/rsyslog.d/local-gtls-common.conf
index aef8117..ebdab86 100644
--- a/rsyslog.d/local-gtls-common.conf
+++ b/rsyslog.d/local-gtls-common.conf
@@ -1,21 +1,10 @@
-# enable gtls driver and make it the default
-$ModLoad imtcp
+# common options for both server reception and client sending
+
+# use gtls driver by default
 $DefaultNetstreamDriver gtls
 
 # certificate files
-$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
+# (only CAFile needed at client if using AuthMode anon)
+$DefaultNetstreamDriverCAFile /etc/ssl/certs/cacert.org.pem
 $DefaultNetstreamDriverCertFile /etc/ssl/certs/rsyslog.pem
 $DefaultNetstreamDriverKeyFile /etc/ssl/private/rsyslog.pem
-
-$InputTCPServerStreamDriverAuthMode x509/name
-$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
-
-# sample reception (repeat last line for each client)
-#$InputTCPServerRun 514
-#$InputTCPServerStreamDriverPermittedPeer *.example.net
-
-# sample sending (repeat all lines for each server)
-#$ActionSendStreamDriverAuthMode x509/name
-#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
-#$ActionSendStreamDriverPermittedPeer central.example.net
-#*.* @@central.example.net:514 # forward everything to remote server
diff --git a/rsyslog.d/local-gtls-receive.conf b/rsyslog.d/local-gtls-receive.conf
index b17d55a..1427da1 100644
--- a/rsyslog.d/local-gtls-receive.conf
+++ b/rsyslog.d/local-gtls-receive.conf
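Review bot: Removing `$ModLoad imtcp` from this file leaves `$DefaultNetstreamDriver gtls` on the first kept line depending on local-gtls-common.conf being read before local-gtls-receive.conf and local-gtls-send.conf, since, as far as I recall, the default driver must be set before imtcp is loaded; that ordering currently holds only because an include glob sorts "common" first, and nothing in the file records it. A comment under the new heading such as `# NOTE: must be read before local-gtls-receive.conf / local-gtls-send.conf (glob order): the default driver has to be set before imtcp loads` would make the assumption visible. The added `# (only CAFile needed at client if using AuthMode anon)` also reads as though the CA is consulted in anon mode, whereas anon means no peer certificate is verified at all; `# (with AuthMode anon the CAFile is still loaded but no peer certificate is checked)` states what the operator actually gets.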
@@ -1,5 +1,21 @@
-# enable gtls reception
-$InputTCPServerRun 514
+# server reception
+
+# load support for tcp-based network reception
+$ModLoad imtcp
+
+# run driver in TLS-only mode
+$InputTCPServerStreamDriverMode 1
+
+# enable only one of below authentication schemes
+
+# client is NOT authenticated
+#$InputTCPServerStreamDriverAuthMode anon
 
 # restrict access based on client certificate
+# (adjust and add Peer lines as needed)
+$InputTCPServerStreamDriverAuthMode x509/name
 #$InputTCPServerStreamDriverPermittedPeer *.example.net
+#$InputTCPServerStreamDriverPermittedPeer foo.example.org
+
+# enable gtls reception
+$InputTCPServerRun 10514
diff --git a/rsyslog.d/local-gtls-send.conf b/rsyslog.d/local-gtls-send.conf
index e692b07..b3ec4a4 100644
--- a/rsyslog.d/local-gtls-send.conf
+++ b/rsyslog.d/local-gtls-send.conf
@@ -1,6 +1,21 @@
+# client sending
+
+# run driver in TLS-only mode
+$ActionSendStreamDriverMode 1
+
+# enable only one of below authentication schemes
+
+# client is NOT authenticated
+# (client needs only CAFile certificate)
+#$ActionSendStreamDriverAuthMode anon
+
 # restrict access based on server certificate
-# (repeat all lines for each server)
+# (adjust Peer line as needed)
 #$ActionSendStreamDriverAuthMode x509/name
-#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
 #$ActionSendStreamDriverPermittedPeer central.example.net
-#*.* @@central.example.net:514 # forward everything to remote server
+
+# forward everything to remote server
+# (adjust as needed)
+#*.* @@central.example.net:10514
+
+# (repeat all above lines for each restricted server, not just last two)
--
cgit v1.2.3
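Review bot: The now-active `$InputTCPServerStreamDriverAuthMode x509/name` is followed only by commented-out `PermittedPeer` lines, so, as far as I recall the gtls driver's behaviour, every connecting client is rejected for lack of an authorized name until at least one of them is enabled, and the listener on 10514 ships accepting nobody. That is the safe failure direction, but `# (adjust and add Peer lines as needed)` does not say a Peer line is mandatory; `# (at least one PermittedPeer line must be enabled, otherwise every client is rejected)` would spare the next operator a silent-listener debugging session. The `anon` alternative above it deserves a matching warning, e.g. `# (accepts log data from ANY host that can reach the port - no client identity is checked)`, since the only hint at present is "client is NOT authenticated".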
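Review bot: `$ActionSendStreamDriverMode 1` is now active while both `$ActionSendStreamDriverAuthMode` lines stay commented out, so a user who uncomments only the forwarding line gets TLS with the driver's unset authentication mode, which in the gtls driver is anonymous as far as I recall, and the receiving server's certificate is never verified. The heading already asks for exactly one scheme, so it could state the consequence of picking none: `# enable exactly one of below authentication schemes; with both commented out the server is NOT authenticated`. Uncommenting the `x509/name` line by default, with the Peer line left for the operator, would make the verified path the one of least resistance, though that is the author's policy call.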