<html>
<head>
<title>NetBSD &amp; Google's Summer of Code: Martin Schuette - Improve syslogd (syslogd)</title>
</head>
<body>

<h1>Testing syslogd</h1>
<h2>Compiling</h2>
<p>A (hopefully) stable version for testing is available by <a href="http://netbsd-soc.cvs.sourceforge.net/netbsd-soc/syslogd/src/">CVS</a> and as a <a href="syslogd-tls.tar.gz">.tar.gz archive</a>. It contains syslogd itself and all necessary files to build on NetBSD and FreeBSD.</p>

<p>To build, just type <span style="font-family: monospace;">make</span>. If you have a complete NetBSD source tree, you can instead extract the files to <span style="font-family: monospace;">/usr/src/usr.sbin/syslogd</span>, replace the <span style="font-family: monospace;">Makefile</span> with <span style="font-family: monospace;">Makefile.NetBSD</span> and then type <span style="font-family: monospace;">make</span>.</p>

<h3>Note on other BSDs</h3>
<p>I also tested syslogd on FreeBSD. There are just a few issues/differences:</p>
<ul>
 <li>You have to install libevent first</li>
 <li>No pidfile is written</li>
 <li>The code for wallmsg() is only copied, not tested</li>
</ul>
<p>I assume the same holds for other BSDs, but I have no live system to test them on.</p>


<h2>Command line options</h2>
<p>syslogd has to be run as root (because it uses chroot()). You should start it with the option "-u username" so that it drops privileges to that user.</p>

<p>By default messages are written in syslog-protocol format.
To get the BSD Syslog output format of previous versions, use the "-o" option.</p>

<h2>syslog.conf</h2>

<p>To use TLS, some additional configuration is required.</p>

<h3>X.509 certificates</h3>
<p>Every syslogd using TLS needs an X.509 certificate.
The files containing the private key, the certificate, and the CA certificate are configured with:</p>
<pre>
tls_key="/etc/openssl/default.key"
tls_cert="/etc/openssl/default.crt"
tls_ca="/some/where/my.cacert"
</pre>

<p>If you do not already have an X.509 certificate, you can tell syslogd to generate one for you with</p>
<pre>
tls_gen_cert=on
</pre>

<h3>TLS client</h3>
<p>To send messages over TLS, configure a TLS destination. Here are three examples with the different additional options required for authentication:</p>
<pre>
# with CA
*.* @[logserver.example.org]:13245
*.* @[127.0.0.1]:13245(subject="logserver.example.org")
# without CA
*.* @[127.0.0.1]:13245(fingerprint="SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9")
</pre>

<p>If a CA is used, syslogd checks whether the server's certificate matches the configured hostname or a given subject. Assuming the logserver's certificate has "logserver.example.org" as its commonName or as a subjectAltName/dnsName, the first line is sufficient. (Once a standard port number has been assigned, the port becomes optional.) If we do not want to rely on DNS and configure the destination with "127.0.0.1", then the subject comparison will fail.
The alternatives are either to configure the subject as an option (as in the second example above) or to generate a new certificate with the server's IP address as its commonName or as a subjectAltName/ipAddress.</p>

<p>Without a CA, the easiest way to authenticate the peer's certificate is by its fingerprint, as in the last line of the example. syslogd logs the fingerprints of all certificates it loads or tries to connect with; the fingerprint can also be read from the shell with "openssl x509 -in /etc/openssl/default.crt -noout -fingerprint".</p>

<h3>TLS server</h3>
<p>To enable TLS server mode, use these lines:</p>
<pre>
tls_server="on"
tls_bindhost="127.0.0.1"
tls_bindport="13245"
</pre>
<p>The bindhost is optional. The bindport is currently required (as long as there is no TCP port defined for the syslog service).</p>

<p>With a CA that is all -- any client presenting a certificate signed by that CA is accepted, since there is no additional hostname check for clients.
Without a CA the server needs to be told which certificates to trust:</p>
<pre>
tls_allow_fingerprints = MD5:00:A2:A7:02:CA:A0:0E:00:DC:F1:91:BE:6A:AA:FF:27 "SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9"
</pre>

<hr>
<table border="0">
<tr>
<td>
<a href="http://sourceforge.net"><img align="top" src="http://sourceforge.net/sflogo.php?group_id=141771&amp;type=2" width="125" height="37" border="0" alt="SourceForge.net Logo" /></a>
</td>
<td>
 <table>
 <tr> <td> Martin Schütte &lt;<tt>info@mschuette.name</tt>&gt; </td> </tr>
 <tr> <td> $Id: howto.html,v 1.1 2008/10/31 16:12:19 christos Exp $ </td> </tr>
 </table>
</td>
</tr>
</table>

</body>
</html>
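<p>As an added example (not part of syslogd or this howto), the following Python script parses the TLS destination syntax and the <tt>tls_allow_fingerprints</tt> list shown above and performs the fingerprint comparison a server without a CA relies on. The line grammar and the whitespace-separated, optionally quoted fingerprint list are assumptions taken from the examples on this page; the certificate bytes are constructed, not a real certificate.</p>

```python
# Added example (not syslogd's own code): parse the TLS destination syntax and the
# tls_allow_fingerprints list shown in this howto and apply the fingerprint check.
import hashlib
import re
import shlex

# selector @[host]:port(opt="val",...) -- port and the option list are optional.
# This grammar is an assumption based on the howto's examples.
_DEST_RE = re.compile(
    r'^(?P<sel>\S+)\s+@\[(?P<host>[^\]]+)\](?::(?P<port>\d+))?'
    r'(?:\((?P<opts>[^)]*)\))?\s*$')


def parse_tls_destination(line):
    """Split one syslog.conf destination line into selector, host, port, options."""
    m = _DEST_RE.match(line)
    if m is None:
        raise ValueError("not a TLS destination line: %r" % line)
    opts = {}
    for item in (m.group("opts") or "").split(","):
        if item.strip():
            key, _, val = item.partition("=")
            opts[key.strip()] = val.strip().strip('"')
    port = int(m.group("port")) if m.group("port") else None
    return {"selector": m.group("sel"), "host": m.group("host"),
            "port": port, "options": opts}


def fingerprint(cert_der, algo="sha1"):
    """Digest of the DER encoding in syslogd's ALGO:AA:BB:... notation: the same
    hex bytes 'openssl x509 -noout -fingerprint' prints, prefixed with the algorithm."""
    hexdigest = hashlib.new(algo, cert_der).hexdigest().upper()
    pairs = [hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)]
    return algo.upper() + ":" + ":".join(pairs)


def parse_allow_fingerprints(value):
    """tls_allow_fingerprints: whitespace-separated entries, quoting optional."""
    return {fp.upper() for fp in shlex.split(value)}


def peer_allowed(cert_der, allowed):
    """Server-side check without a CA: accept the client only if its MD5 or SHA1
    fingerprint is on the configured allow-list (compared case-insensitively)."""
    return any(fingerprint(cert_der, algo) in allowed for algo in ("md5", "sha1"))


# Constructed stand-in bytes; a real check hashes the peer's actual DER certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0aconstructed-sample-certificate-bytes"
```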