Testing syslogd

Compiling

A (hopefully) stable version for testing is available by CVS and as a .tar.gz archive. It contains syslogd itself and all necessary files to build on NetBSD and FreeBSD.

To build, just type make. If you have a complete NetBSD source tree, you can instead extract the files to /usr/src/usr.sbin/syslogd, replace the Makefile with Makefile.NetBSD and then type make.

Note on other BSDs

I also tested syslogd on FreeBSD. There are just a few issues/differences:

I assume the same holds for other BSDs but I have no live system to test them.

Command line options

syslogd has to be run as root (because it uses chroot()). You should start it with option "-u username" to drop privileges.

By default, messages are written in the syslog-protocol format. To get the BSD syslog output of previous versions, use the "-o" option.

syslog.conf

To use TLS some additional configuration is required.

X.509 certificates

Every syslogd using TLS needs an X.509 certificate. The files containing the private key, certificate, and CA are configured with:

tls_key="/etc/openssl/default.key"
tls_cert="/etc/openssl/default.crt"
tls_ca="/some/where/my.cacert"

If you do not already have an X.509 certificate, you can tell syslogd to generate one for you with

tls_gen_cert=on

TLS client

To send messages over TLS, configure a TLS destination. Here are three examples with the different additional options required for authentication:

# with CA
*.*      @[logserver.example.org]:13245
*.*      @[127.0.0.1]:13245(subject="logserver.example.org")
# without CA
*.*      @[127.0.0.1]:13245(fingerprint="SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9")

If a CA is used, it is checked whether the server's certificate matches the hostname or a given subject. Assuming the logserver's certificate has "logserver.example.org" as its commonName or as a subjectAltName/dnsName, the first line is sufficient. (Once a standard port number has been assigned, the port becomes optional.) If we do not want to rely on DNS and configure the destination with "127.0.0.1", the subject comparison will fail. The alternatives are either to configure the subject as an option (as in the second line of the example) or to generate a new certificate with the server's IP as its commonName or as a subjectAltName/ipAddress.
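
The following is an added illustration of the name check described above; it is not syslogd's code. It models a peer certificate as a small dictionary (the names are constructed sample values) and assumes that the subject= option, when given, replaces the destination host as the name to compare, and that a bare IP literal is matched against subjectAltName/ipAddress entries or an IP-valued commonName. Wildcard names are not handled.

```python
import ipaddress

# Constructed identity of a peer certificate. A real implementation reads
# these fields from the X.509 certificate; they are hard-coded here so the
# example runs offline.
EXAMPLE_CERT = {
    "commonName": "logserver.example.org",
    "dnsNames": ["logserver.example.org"],   # subjectAltName dNSName entries
    "ipAddresses": [],                        # subjectAltName iPAddress entries
}


def _as_ip(text):
    """Return an ip_address object if `text` is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def cert_matches(cert, expected):
    """True if `expected` (hostname or IP literal) names the certificate holder.

    Hostnames are compared case-insensitively against commonName and every
    dNSName; an IP literal is compared against the iPAddress entries (or a
    commonName that is itself an IP literal), never against a DNS name.
    """
    want_ip = _as_ip(expected)
    if want_ip is not None:
        candidates = [_as_ip(ip) for ip in cert["ipAddresses"]]
        candidates.append(_as_ip(cert["commonName"]))
        return any(c == want_ip for c in candidates if c is not None)
    want = expected.lower().rstrip(".")
    names = [cert["commonName"]] + cert["dnsNames"]
    return any(n.lower().rstrip(".") == want for n in names)


def verify_destination(cert, host, subject=None):
    """Client-side check for a "@[host]:port(subject=...)" destination.

    With a subject option the certificate must match that subject; without
    one it must match the configured destination host (assumed behaviour).
    """
    return cert_matches(cert, subject if subject is not None else host)


if __name__ == "__main__":
    # Destination by hostname: the commonName/dNSName matches.
    print(verify_destination(EXAMPLE_CERT, "logserver.example.org"))
    # Destination by IP without a subject option: no iPAddress entry, fails.
    print(verify_destination(EXAMPLE_CERT, "127.0.0.1"))
    # Same destination with subject= configured: passes again.
    print(verify_destination(EXAMPLE_CERT, "127.0.0.1",
                             subject="logserver.example.org"))
```

The third call shows why the second example line in syslog.conf needs the subject option: the certificate is valid, but "127.0.0.1" is not a name it carries. Adding "127.0.0.1" to the certificate's ipAddresses list makes the second call succeed without any option, which is the other alternative the text mentions.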

Without a CA, the easiest way to authenticate the peer's certificate is by its fingerprint, as in the last line of the example. syslogd logs the fingerprints of all certificates it loads or tries to connect with, but a fingerprint can also be read from the shell with "openssl x509 -in /etc/openssl/default.crt -noout -fingerprint".

TLS server

To enable TLS server mode use these lines.

tls_server="on"
tls_bindhost="127.0.0.1"
tls_bindport="13245"

The bindhost is optional. The bindport is currently required (as long as there is no tcp port defined for the syslog service).

With a CA that is all -- there is no additional hostname check for clients. Without a CA the server needs to be told which certificates to trust:

tls_allow_fingerprints = MD5:00:A2:A7:02:CA:A0:0E:00:DC:F1:91:BE:6A:AA:FF:27 "SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9"
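
As an added example (not syslogd's own code), the following shows how the fingerprint notation used by both the client-side fingerprint= option and the server-side tls_allow_fingerprints setting is produced and checked: the named digest is computed over the certificate's DER bytes and written as colon-separated hex pairs, which is the value "openssl x509 -noout -fingerprint" prints. The certificate bytes used below are a constructed placeholder, since any byte string has a fingerprint; the parser assumes entries are whitespace-separated and may be double-quoted, as in the setting above.

```python
import hashlib
import hmac
import shlex

# Constructed placeholder standing in for a DER-encoded certificate.
CONSTRUCTED_CERT_DER = b"constructed-placeholder-not-a-real-certificate"

# The allow list exactly as it appears in the syslog.conf example above.
ALLOW_SETTING = ('MD5:00:A2:A7:02:CA:A0:0E:00:DC:F1:91:BE:6A:AA:FF:27 '
                 '"SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9"')


def fingerprint(cert_der, algo="sha1"):
    """Return "ALGO:XX:XX:..." for the digest of the DER bytes.

    `algo` is any hashlib digest name ("sha1", "md5", "sha256", ...).
    """
    digest = hashlib.new(algo, cert_der).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return algo.upper() + ":" + pairs


def parse_allow_fingerprints(value):
    """Parse the right-hand side of tls_allow_fingerprints.

    Entries are separated by whitespace and may be wrapped in double quotes
    (assumed syntax, following the example setting). Algorithm names and hex
    digits are normalised to upper case so comparisons are exact.
    """
    entries = []
    for token in shlex.split(value):
        algo, sep, hexpart = token.partition(":")
        if not sep:
            raise ValueError("fingerprint entry lacks algorithm prefix: " + token)
        entries.append(algo.upper() + ":" + hexpart.upper())
    return entries


def is_allowed(cert_der, allow_list):
    """Accept the peer only if one configured fingerprint matches.

    Each entry names its own algorithm, so the presented certificate is
    hashed once per entry with that algorithm; the comparison is
    constant-time so a mismatch position leaks nothing.
    """
    for entry in allow_list:
        algo = entry.split(":", 1)[0].lower()
        try:
            presented = fingerprint(cert_der, algo)
        except ValueError:  # digest name not known to hashlib
            continue
        if hmac.compare_digest(presented, entry):
            return True
    return False


if __name__ == "__main__":
    allowed = parse_allow_fingerprints(ALLOW_SETTING)
    print("configured:", allowed)
    print("placeholder cert:", fingerprint(CONSTRUCTED_CERT_DER))
    print("accepted by example list:", is_allowed(CONSTRUCTED_CERT_DER, allowed))
    # Pinning the placeholder's own fingerprint makes it acceptable.
    pinned = [fingerprint(CONSTRUCTED_CERT_DER)]
    print("accepted by pinned list:", is_allowed(CONSTRUCTED_CERT_DER, pinned))
```

Because each entry carries its own algorithm name, the list may mix digests, as the example setting does; the check is then only as strong as the weakest algorithm listed, so prefer the SHA1 form (or a longer digest if the implementation accepts one) over MD5 when writing new entries.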

Martin Schütte <[email protected]>
$Id: howto.html,v 1.1 2008/10/31 16:12:19 christos Exp $