usr.sbin/syslogd/howto.html

*1c6aec20Schristos<html>
*1c6aec20Schristos<head>
*1c6aec20Schristos<title>NetBSD &amp; Google's Summer of Code: Martin Schuette - Improve syslogd (syslogd)</title>
*1c6aec20Schristos</head>
*1c6aec20Schristos<body>
*1c6aec20Schristos
*1c6aec20Schristos<h1>Testing syslogd</h1>
*1c6aec20Schristos<h2>Compiling</h2>
*1c6aec20Schristos<p>A (hopefully) stable version for testing is available by <a href="http://netbsd-soc.cvs.sourceforge.net/netbsd-soc/syslogd/src/">CVS</a> and as a <a href="syslogd-tls.tar.gz">.tar.gz archive</a>. It contains syslogd itself and all necessary files to build on NetBSD and FreeBSD.</p>
*1c6aec20Schristos
*1c6aec20Schristos<p>To build just type <span style="font-family: monospace;">make</span>. Unless you have a complete NetBSD source tree -- then you can extract the files to <span style="font-family: monospace;">/usr/src/usr.sbin/syslogd</span> and replace the <span style="font-family: monospace;">Makefile</span> with <span style="font-family: monospace;">Makefile.NetBSD</span> and then type <span style="font-family: monospace;">make</span>.
*1c6aec20Schristos
*1c6aec20Schristos<h3>Note on other BSDs</h3>
*1c6aec20Schristos<p>I also tested syslogd on FreeBSD. There are just a few issues/differences:</p>
*1c6aec20Schristos<ul>
*1c6aec20Schristos   <li>You have to install libevent first</li>
*1c6aec20Schristos   <li>No pidfile is written</li>
*1c6aec20Schristos   <li>The code for wallmsg() is only copied, not tested</li>
*1c6aec20Schristos</ul>
*1c6aec20Schristos<p>I assume the same holds for other BSDs but I have no live system to test them.</p>
*1c6aec20Schristos
*1c6aec20Schristos
*1c6aec20Schristos<h2>Command line options</h2>
*1c6aec20Schristos<p>syslogd has to be run as root (because it uses chroot()). You should start it with option "-u username" to drop privileges.</p>
*1c6aec20Schristos
*1c6aec20Schristos<p>By default messages are written in syslog Protocol format. To get the BSD Syslog output like from previous versions use the "-o" option.</p>
*1c6aec20Schristos
*1c6aec20Schristos<h2>syslog.conf</h2>
*1c6aec20Schristos
*1c6aec20Schristos<p>To use TLS some additional configuration is required.</p>
*1c6aec20Schristos
*1c6aec20Schristos<h3>X.509 certificates</h3>
*1c6aec20Schristos<p>Every syslogd using TLS needs an X.509 certificate.
*1c6aec20SchristosThe files containing the private key, certificate, and CA are configured with:</p>
*1c6aec20Schristos<pre>
*1c6aec20Schristostls_key="/etc/openssl/default.key"
*1c6aec20Schristostls_cert="/etc/openssl/default.crt"
*1c6aec20Schristostls_ca="/some/where/my.cacert"
*1c6aec20Schristos</pre>
*1c6aec20Schristos
*1c6aec20Schristos<p>If you do not already have a X.509 certificate then you can tell syslogd to generate one for you with</p>
*1c6aec20Schristos<pre>
*1c6aec20Schristostls_gen_cert=on
*1c6aec20Schristos</pre>
*1c6aec20Schristos
*1c6aec20Schristos<h3>TLS client</h3>
*1c6aec20Schristos<p>To send messages with configure a TLS destination. Here are three examples with different additional options required for authentication</p>
*1c6aec20Schristos<pre>
*1c6aec20Schristos# with CA
*1c6aec20Schristos*.*      @[logserver.example.org]:13245
*1c6aec20Schristos*.*      @[127.0.0.1]:13245(subject="logserver.example.org")
*1c6aec20Schristos# without CA
*1c6aec20Schristos*.*      @[127.0.0.1]:13245(fingerprint="SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9")
*1c6aec20Schristos</pre>
*1c6aec20Schristos
*1c6aec20Schristos<p>If using a CA then it is checked whether the server's certificate matches the hostname or a given subject. Assuming the logserver's certificate has "logserver.example.org" as its commonName or as a subjectAltName/dnsName the first line is sufficient. (Once a standard portnumber has been assigned the port becomes optional.) If we do not want to rely on DNS and configure the destination with "127.0.0.1" then the subject comparison will fail. The alternatives are either to configure the subject as an option (as in the example above) or to generate a new certificate with the server's IP as a commonName or subjectAltName/ipAddress.</p>
*1c6aec20Schristos
*1c6aec20Schristos<p>Without a CA the easiest way to authenticate the peer's certificate is its fingerprint as in the last line in the example. syslogd logs the fingerprints of all certificates it loads or tries to connect with, but it can also be read from the shell with "openssl x509 -in /etc/openssl/default.crt -noout -fingerprint".</p>
*1c6aec20Schristos
*1c6aec20Schristos<h3>TLS server</h3>
*1c6aec20Schristos<p>To enable TLS server mode use these lines.</p>
*1c6aec20Schristos<pre>
*1c6aec20Schristostls_server="on"
*1c6aec20Schristostls_bindhost="127.0.0.1"
*1c6aec20Schristostls_bindport="13245"
*1c6aec20Schristos</pre>
*1c6aec20Schristos<p>The bindhost is optional. The bindport is currently required (as long as there is no tcp port defined for the syslog service).</p>
*1c6aec20Schristos
*1c6aec20Schristos<p>With a CA that is all -- there is no additional hostname check for clients.
*1c6aec20SchristosWithout a CA the server needs to be told which certificates to trust:</p>
*1c6aec20Schristos<pre>
*1c6aec20Schristostls_allow_fingerprints = MD5:00:A2:A7:02:CA:A0:0E:00:DC:F1:91:BE:6A:AA:FF:27 "SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9"
*1c6aec20Schristos</pre>
*1c6aec20Schristos
*1c6aec20Schristos<hr>
*1c6aec20Schristos<table border=0>
*1c6aec20Schristos<tr>
*1c6aec20Schristos<td>
*1c6aec20Schristos<a href="http://sourceforge.net"><img align="top" src="http://sourceforge.net/sflogo.php?group_id=141771&amp;type=2" width="125" height="37" border="0" alt="SourceForge.net Logo" /></a>
*1c6aec20Schristos<td>
*1c6aec20Schristos  <table>
*1c6aec20Schristos  <tr> <td> Martin Sch&uuml;tte &lt;<tt>info@mschuette.name</tt>&gt; </td> </tr>
*1c6aec20Schristos  <tr> <td> $Id: howto.html,v 1.1 2008/10/31 16:12:19 christos Exp $ </td> </tr>
*1c6aec20Schristos  </table>
*1c6aec20Schristos</tr>
*1c6aec20Schristos</table>
*1c6aec20Schristos
*1c6aec20Schristos</body>
*1c6aec20Schristos</html>