<html>
<head>
<title>NetBSD &amp; Google's Summer of Code: Martin Schuette - Improve syslogd (syslogd)</title>
</head>
<body>

<h1>Testing syslogd</h1>
<h2>Compiling</h2>
<p>A (hopefully) stable version for testing is available by <a href="http://netbsd-soc.cvs.sourceforge.net/netbsd-soc/syslogd/src/">CVS</a> and as a <a href="syslogd-tls.tar.gz">.tar.gz archive</a>. It contains syslogd itself and all necessary files to build on NetBSD and FreeBSD.</p>

<p>To build, just type <span style="font-family: monospace;">make</span>. If you have a complete NetBSD source tree, you can instead extract the files to <span style="font-family: monospace;">/usr/src/usr.sbin/syslogd</span>, replace the <span style="font-family: monospace;">Makefile</span> with <span style="font-family: monospace;">Makefile.NetBSD</span>, and then type <span style="font-family: monospace;">make</span>.</p>

<h3>Note on other BSDs</h3>
<p>I also tested syslogd on FreeBSD. There are just a few issues/differences:</p>
<ul>
<li>You have to install libevent first</li>
<li>No pidfile is written</li>
<li>The code for wallmsg() is only copied, not tested</li>
</ul>
<p>I assume the same holds for other BSDs but I have no live system to test them.</p>


<h2>Command line options</h2>
<p>syslogd has to be run as root (because it uses chroot()). You should start it with the option "-u username" to drop privileges.</p>

<p>By default messages are written in syslog Protocol format.
To get the BSD Syslog output like from previous versions use the "-o" option.</p>

<h2>syslog.conf</h2>

<p>To use TLS some additional configuration is required.</p>

<h3>X.509 certificates</h3>
<p>Every syslogd using TLS needs an X.509 certificate.
The files containing the private key, certificate, and CA are configured with:</p>
<pre>
tls_key="/etc/openssl/default.key"
tls_cert="/etc/openssl/default.crt"
tls_ca="/some/where/my.cacert"
</pre>

<p>If you do not already have an X.509 certificate then you can tell syslogd to generate one for you with</p>
<pre>
tls_gen_cert=on
</pre>

<h3>TLS client</h3>
<p>To send messages over TLS, configure a TLS destination. Here are three examples with the different additional options required for authentication:</p>
<pre>
# with CA
*.* @[logserver.example.org]:13245
*.* @[127.0.0.1]:13245(subject="logserver.example.org")
# without CA
*.* @[127.0.0.1]:13245(fingerprint="SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9")
</pre>

<p>If using a CA then it is checked whether the server's certificate matches the hostname or a given subject. Assuming the logserver's certificate has "logserver.example.org" as its commonName or as a subjectAltName/dnsName, the first line is sufficient. (Once a standard port number has been assigned the port becomes optional.) If we do not want to rely on DNS and configure the destination with "127.0.0.1" then the subject comparison will fail.
The alternatives are either to configure the subject as an option (as in the example above) or to generate a new certificate with the server's IP as a commonName or subjectAltName/ipAddress.</p>

<p>Without a CA the easiest way to authenticate the peer's certificate is its fingerprint, as in the last line of the example. syslogd logs the fingerprints of all certificates it loads or tries to connect with, but a fingerprint can also be read from the shell with "openssl x509 -in /etc/openssl/default.crt -noout -fingerprint".</p>

<h3>TLS server</h3>
<p>To enable TLS server mode use these lines.</p>
<pre>
tls_server="on"
tls_bindhost="127.0.0.1"
tls_bindport="13245"
</pre>
<p>The bindhost is optional. The bindport is currently required (as long as there is no TCP port defined for the syslog service).</p>

<p>With a CA that is all -- there is no additional hostname check for clients.
Without a CA the server needs to be told which certificates to trust:</p>
<pre>
tls_allow_fingerprints = MD5:00:A2:A7:02:CA:A0:0E:00:DC:F1:91:BE:6A:AA:FF:27 "SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9"
</pre>

<hr>
<table border=0>
<tr>
<td>
<a href="http://sourceforge.net"><img align="top" src="http://sourceforge.net/sflogo.php?group_id=141771&amp;type=2" width="125" height="37" border="0" alt="SourceForge.net Logo" /></a>
</td>
<td>
<table>
<tr> <td> Martin Schütte &lt;<tt>info (a] mschuette.name</tt>&gt; </td> </tr>
<tr> <td> $Id: howto.html,v 1.1 2008/10/31 16:12:19 christos Exp $ </td> </tr>
</table>
</td>
</tr>
</table>

</body>
</html>
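<p>The "without CA" path in both the client section (the <tt>fingerprint=</tt> option) and the server section (<tt>tls_allow_fingerprints</tt>) rests on one check: hash the peer's DER-encoded certificate and compare it against a configured list. The following Python script is an added example written for this page, not code from the syslogd project. It assumes only what the page shows: fingerprints are written as <tt>HASH:XX:XX:...</tt>, the allow-list is a whitespace-separated list whose entries may be double-quoted, and <tt>openssl x509 -noout -fingerprint</tt> prints them as <tt>SHA1 Fingerprint=XX:XX:...</tt>. The "certificate" used in the demo is a constructed PEM wrapper around the bytes <tt>abc</tt>, not a real X.509 certificate, so that its fingerprint is easy to verify by hand; the MD5 entry in the constructed allow-list is that fake certificate's own MD5 fingerprint, while the SHA1 entry is the one from the page.</p>

```python
"""Fingerprint-based peer authentication in the style of syslogd's
fingerprint="..." destination option and tls_allow_fingerprints setting.

Added example (not syslogd code). Assumptions: fingerprints are written as
"HASH:XX:XX:...", allow-list entries are whitespace separated and may be
quoted, and openssl prints "SHA1 Fingerprint=XX:XX:...".
"""
import base64
import hashlib
import re
import shlex

# Hash algorithms a fingerprint may name; the page uses MD5 and SHA1.
_HASHES = {"MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256}


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body)


def fingerprint(der: bytes, algo: str = "SHA1") -> str:
    """Hash the DER certificate and return "SHA1:E4:E1:..." notation."""
    algo = algo.upper()
    digest = _HASHES[algo](der).hexdigest().upper()
    return algo + ":" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept "SHA1:AA:BB:..." (syslogd) or "SHA1 Fingerprint=AA:BB:..." (openssl)
    and return the upper-case syslogd form, rejecting malformed or wrong-length input."""
    m = re.match(r"^\s*(MD5|SHA1|SHA256)\s*(?:Fingerprint\s*=|:)\s*([0-9A-Fa-f:]+)\s*$",
                 fp, re.I)
    if not m:
        raise ValueError("unrecognised fingerprint: %r" % fp)
    algo, octets = m.group(1).upper(), m.group(2).upper().split(":")
    if len(octets) != _HASHES[algo]().digest_size or any(len(o) != 2 for o in octets):
        raise ValueError("fingerprint has the wrong length for %s" % algo)
    return algo + ":" + ":".join(octets)


def parse_allow_list(line: str) -> list:
    """Parse a 'tls_allow_fingerprints = A "B" ...' line into normalized entries."""
    _, _, value = line.partition("=")
    return [normalize(tok) for tok in shlex.split(value)]


def peer_allowed(der: bytes, allow_list: list) -> bool:
    """Accept the peer if its certificate matches any entry, hashing with the
    algorithm that entry names (so MD5 and SHA1 entries can be mixed)."""
    for entry in allow_list:
        algo = entry.split(":", 1)[0]
        if fingerprint(der, algo) == entry:
            return True
    return False


# Constructed stand-in for a certificate: PEM armour around the bytes b"abc".
FAKE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

# Constructed allow-list: the fake certificate's MD5 fingerprint plus the
# SHA1 fingerprint quoted on the page (which the fake certificate will not match).
SAMPLE_ALLOW_LINE = (
    'tls_allow_fingerprints = MD5:90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72 '
    '"SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9"'
)

if __name__ == "__main__":
    der = pem_to_der(FAKE_PEM)
    print("peer fingerprint :", fingerprint(der))
    print("allow-list       :", parse_allow_list(SAMPLE_ALLOW_LINE))
    print("peer allowed     :", peer_allowed(der, parse_allow_list(SAMPLE_ALLOW_LINE)))
```

<p>To check a real certificate, replace <tt>FAKE_PEM</tt> with the contents of a file such as the page's <tt>/etc/openssl/default.crt</tt>; the output of <tt>openssl x509 -noout -fingerprint</tt> for the same file can be passed through <tt>normalize()</tt> and must equal <tt>fingerprint()</tt> of the decoded DER. Note that the comparison is only as strong as the hash named in the entry: an MD5 entry accepts any certificate with that MD5 digest, so SHA1 or SHA256 entries are the better choice where the peer supports them.</p>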