Martin Schütte wrote:
> You could always use *.* @@(mode=tls,whatever-else)server.example.net
Now that I have my certificate validation working I am coming back to the config format and see some problems.
- the latest proposed text (http://www.ietf.org/mail-archive/web/syslog/current/msg01920.html) requires a per-destination configuration of a certificate subject or fingerprint. To keep everything readable I suggest moving the hostname to the left and the options field to the end of the line.
For example I do not like this:

@@(fingerprint="SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9")server.example.net
@@(subject="2001:db8::1428:57ab")server.example.net
@@(subject="server.example.net")2001:db8::1428:57ab

but would prefer this format:

@@server.example.net(fingerprint="SHA1:E4:E1:A6:1C:D4:31:D7:D4:9B:B8:DC:DF:DD:CE:30:71:46:00:92:C9")
@@server.example.net(subject="2001:db8::1428:57ab")
@@2001:db8::1428:57ab(subject="server.example.net")

- And especially regarding rsyslog compatibility: How do you configure an IPv6 address with a port number? A simple ":" is not enough, because it is not clear whether what follows is the port number or the last part of the IPv6 address. So it might be necessary to introduce a new IP delimiter, as in @@[10.1.2.3]:514 and @@[2001:db8::1428:57ab]:514

For NetBSD this currently is not an issue, because it does not allow different port numbers (it always uses the service port as set in /etc/services). Question to our readers: Would you like the NetBSD syslogd to support different ports?
> To support fingerprints I imagine to either list them in syslog.conf
I think this point is obsolete, because the current draft clarifies the requirements for fingerprints to be tied to one receiver.
-- Martin
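An added example, not code from the NetBSD syslogd or from this thread: a small Python parser for the host-first layout proposed above (`@@host(options)` with an optional bracketed `[addr]:port` form), which shows why the bracket delimiter is what makes an IPv6 address plus port unambiguous. The function name `parse_destination` and the decision to treat an unbracketed address with several colons as host-only are assumptions made here.

```python
import re

# Trailing "(key=value,...)" option group of the host-first layout.
_OPTS = re.compile(r'\(([^)]*)\)\s*$')

def parse_options(text):
    """Parse key=value pairs; values may be double-quoted, which keeps
    the ':' characters of a fingerprint from being confused with a port."""
    opts = {}
    for key, val in re.findall(r'(\w+)=("[^"]*"|[^,]*)', text):
        opts[key] = val.strip('"')
    return opts

def parse_destination(line):
    """Parse '@host', '@@host', '@@[addr]:port(opts)' into its parts."""
    line = line.strip()
    if line.startswith('@@'):
        transport, rest = 'tcp', line[2:]
    elif line.startswith('@'):
        transport, rest = 'udp', line[1:]
    else:
        raise ValueError('not a network destination: %r' % line)
    options = {}
    m = _OPTS.search(rest)
    if m:
        options = parse_options(m.group(1))
        rest = rest[:m.start()]
    port = None
    if rest.startswith('['):
        # Bracketed form: everything inside [] is the address, so a
        # ':port' after the closing bracket is unambiguous.
        close = rest.index(']')
        host, tail = rest[1:close], rest[close + 1:]
        if tail.startswith(':'):
            port = int(tail[1:])
        elif tail:
            raise ValueError('garbage after address: %r' % tail)
    elif rest.count(':') == 1:
        # Hostname or IPv4 with a port, e.g. server.example.net:514
        host, p = rest.split(':')
        port = int(p)
    else:
        # No colon: plain host. Two or more colons: a bare IPv6 address;
        # without brackets the last field cannot be read as a port, so
        # the whole string is taken as the host (assumption of this example).
        host = rest
    return {'transport': transport, 'host': host, 'port': port, 'options': options}
```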