GSoC final report: Improve syslogd

To: tech-userlevel%netbsd.org@localhost
Subject: GSoC final report: Improve syslogd
From: Martin Schütte <lists%mschuette.name@localhost>
Date: Tue, 02 Sep 2008 15:11:12 +0200

Hello,

I am happy to send you this final report for my Google Summer of Codeproject to improve syslogd.


= Final Report: Improve syslogd =

== new functions ==
Good news first... I completed nearly all my deliverables and
implemented the following functions for Syslog:

=== TLS transport ===
Syslogd(8) has been enhanced to be able to send and receive messages
over TLS, thus providing an encrypted and authenticated message
transport. Mutual authentication can be performed using a Certificate
Authority or using the peer's fingerprint (or it can be disabled).
If no certificate is present, syslogd(8) will generate a new one
(which then has to be configured for the peer to accept it). In
addition, syslogd(8) now supports message buffering which was
necessary to implement the TLS transport. This means that syslogd(8)
can now preserve TLS messages during a network outage, and send them
again when the network connection is restored.

=== syslog-protocol ===
I have enhanced syslog(3) by creating a new variant syslogp(3)
function that can be used to log messages in syslog-protocol.
Syslogp(3) takes two additional parameters -- one for MsgID and one
for structured data fields -- these will remain empty with syslog(3).

Syslogd(8) will accept messages both in syslog-protocol and
traditional BSD Syslog format. For output, both formats are supported,
but one has to be chosen globally using a command line option. If
necessary, messages are converted into the selected output format.

=== syslog-sign ===
Syslogd(8) can digitally sign all syslog messages it sends/relays.
Later on, the signatures can be checked to verify the integrity,
authenticity, and order of messages.

== open TODOs ==
Two tasks are not finished yet, but I will continue to work on
them:

=== interoperability tests ===
So far I have tested connections from/to rsyslog. The next syslog-ng
version with TLS and -protocol format has not been released yet,
so I will have to test that later.

=== TLS authentication ===
The RFC on TLS transport will probably require explicit support for
internationalized domain names and wildcards in certificates. These were
just added as requirements and have yet to be implemented in syslogd(8).

== possible future development ==
A few other improvements came up in discussion which I did not
implement but which form desirable directions for further development:

=== new config file format ===
It would be nice to have a better syslog.conf format. In particular
TLS actions with multiple options should be more readable.  The
issue was raised early on, but I did not have time to approach it
during GSoC.

=== destination based output format ===
For greater flexibility the output format could be set independently for
each destination. Most functionality for this is already present, but I
did not want to squeeze another flag for this into the old configuration
format.

=== modular/plugin architecture ===
With 5 different output types the code would benefit from a big
split between core functions and separate output modules.


Finally I would like to thank Christos Zoulas for being my mentor.

For further documentation and source code please see the project pageat: http://netbsd-soc.sourceforge.net/projects/syslogd/


--
Martin Schütte

Prev by Date: Re: broken current by "pthread_mutex_destroy"
Next by Date: /usr/bin/c99
Previous by Thread: broken current by "pthread_mutex_destroy"
Next by Thread: /usr/bin/c99
Indexes:

Home | Main Index | Thread Index | Old Index