The Premium Edition of syslog-ng can encrypt incoming and outgoing syslog message flows using SSL/TLS when the TCP transport protocol (the tcp() or tcp6() sources or destinations) is used.
Note: The format of the TLS connections used by syslog-ng Premium Edition is similar to using syslog-ng and stunnel, but the source IP information is not lost.
To encrypt connections, use the tls() option in the source and
destination statements.
The tls() option can include the following settings:
| Name | Accepted values | Default | Description |
|---|---|---|---|
| ca_dir() | Directory name | none | Name of a directory that contains a set of trusted CA certificates in PEM format. The CA certificate files have to be named after the 32-bit hash of the subject's name. This naming can be created using the c_rehash utility in openssl. |
| cert_file() | Filename | none | Name of a file that contains an X.509 certificate in PEM format, suitable as a TLS certificate, matching the private key. |
| crl_dir() | Directory name | none | Name of a directory that contains the Certificate Revocation Lists for trusted CAs. Similarly to ca_dir() files, use the 32-bit hash of the name of the issuing CAs as filenames. |
| key_file() | Filename | none | Name of a file that contains an unencrypted private key in PEM format, suitable as a TLS key. |
| peer_verify() | optional-trusted, optional-untrusted, required-trusted, required-untrusted | required-trusted | Verification method of the peer. The four possible values are combinations of two properties of validation: whether the peer is required to provide a certificate (required or optional prefix), and whether the certificate provided needs to be trusted or not (trusted or untrusted suffix). |
Table 9.17. List of TLS options
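
The options in the table combined into a mutually authenticated source and destination pair. This is an added example, not taken from the original guide; the statement names, file paths, IP address and port are assumptions.

```conf
# Added example: names, paths, address and port below are assumed values.

# --- On the log server: accept TLS-encrypted syslog over TCP ---
source s_tls {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            # Server certificate and its matching private key (PEM).
            # key_file() expects the key unencrypted.
            key_file("/opt/syslog-ng/etc/syslog-ng/key.d/server.key")
            cert_file("/opt/syslog-ng/etc/syslog-ng/cert.d/server.crt")
            # Trusted CA certificates and their CRLs; files in both
            # directories are named by hash (c_rehash creates the names).
            ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")
            crl_dir("/opt/syslog-ng/etc/syslog-ng/crl.d")
            # Client must present a certificate and it must be trusted.
            # optional-untrusted here would encrypt the connection but
            # accept clients with no certificate or an unverifiable one.
            peer_verify(required-trusted)
        )
    );
};

# --- On the client: send logs to the server over TLS ---
destination d_tls {
    tcp("192.0.2.10" port(6514)
        tls(
            # CA used to verify the server's certificate.
            ca_dir("/opt/syslog-ng/etc/syslog-ng/ca.d")
            # Client certificate and key, needed because the server
            # uses a required-* peer_verify() setting.
            key_file("/opt/syslog-ng/etc/syslog-ng/key.d/client.key")
            cert_file("/opt/syslog-ng/etc/syslog-ng/cert.d/client.crt")
            # Same as the default; stated explicitly for clarity.
            peer_verify(required-trusted)
        )
    );
};
```

Because key_file() holds an unencrypted private key, restrict read access on that file to the account syslog-ng runs as.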
© 2007-2008 BalaBit IT Security