tech-userlevel archive


Re: SoC: Improve syslogd



Joerg,

just in case you don't know. The IETF draft is not yet finished and
currently under discussion. The current state is here:

http://www.ietf.org/internet-drafts/draft-ietf-syslog-transport-tls-12.txt

It has been superseded by new proposed text just recently:

http://www.ietf.org/mail-archive/web/syslog/current/msg01920.html

There is a lot of discussion going on:

http://www.ietf.org/mail-archive/web/syslog/current/index.html

So the specifics are a moving target right now - but it is circling
around some common ground.

Besides the actual standard, we need to think about how we configure a
syslogd. While of course there are different implementations, I would
like to see a minimum config file compatibility. This may be somewhat
hard to achieve, but I think it is worth trying.

I have a complete implementation of transport-tls in rsyslog. However,
the rsyslog extended config can, I think, not be used as a general
model. But maybe it is possible to find something that works well for
Martin and also can be implemented in rsyslog without major changes to
the core engine (which I can not do for one platform). What was
proposed so far looks like it could work.

Again, just for your information on my interest in this project.

Rainer



On Mon, May 26, 2008 at 6:50 PM, Joerg Sonnenberger
<joerg%britannica.bec.de@localhost> wrote:
> On Mon, May 26, 2008 at 05:49:22PM +0200, Martin Schütte wrote:
>> I think for syslogd it is sufficient to use one global list of trusted
>> certificates/fingerprints.
>
> I don't like to force that. Either specify a global certificate list and
> allow each entry to match the common name or allow individual
> certificates for each entry. A sane default behaviour would be to use
> the entry and protocol from the config file and match that against the
> certificate. E.g. look for sctp://example.net as common name.
>
> Joerg
>
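
Added example, not part of the original messages and not code from syslogd or rsyslog: a sketch of the two trust policies discussed in the quoted text, showing what the common-name match adds on top of a single global list. The type and function names are hypothetical, the "certificates" are constructed byte strings standing in for DER data, and SHA-256 fingerprints over end-entity certificates are an assumption.

```python
import hashlib
from dataclasses import dataclass

def fingerprint(der: bytes) -> str:
    """Hex SHA-256 over the DER bytes (assumed fingerprint format)."""
    return hashlib.sha256(der).hexdigest()

@dataclass(frozen=True)
class Peer:
    der: bytes          # certificate presented in the TLS handshake
    common_name: str    # subject CN, assumed already extracted by the TLS library

@dataclass(frozen=True)
class Entry:
    target: str                      # destination as written in the config file
    pinned: frozenset = frozenset()  # optional per-entry certificate fingerprints

def global_list_only(peer: Peer, trusted: frozenset) -> bool:
    """One global list: any listed certificate is accepted for any entry."""
    return fingerprint(peer.der) in trusted

def entry_aware(peer: Peer, entry: Entry, trusted: frozenset) -> bool:
    """Per-entry certificates if configured, else global list plus CN match."""
    fp = fingerprint(peer.der)
    if entry.pinned:
        return fp in entry.pinned
    # Default: the certificate must be trusted AND name this very entry.
    return fp in trusted and peer.common_name == entry.target

# Constructed sample data; not real certificates.
LOGHOST = Peer(b"constructed-der-loghost", "sctp://example.net")
OTHER = Peer(b"constructed-der-other", "sctp://other.example.org")
TRUSTED = frozenset({fingerprint(LOGHOST.der), fingerprint(OTHER.der)})
DEST = Entry("sctp://example.net")
PINNED = Entry("sctp://example.net", frozenset({fingerprint(LOGHOST.der)}))

if __name__ == "__main__":
    # A trusted but unrelated host answering for example.net:
    print("global list only:", global_list_only(OTHER, TRUSTED))
    print("list + CN match :", entry_aware(OTHER, DEST, TRUSTED))
    print("per-entry pin   :", entry_aware(OTHER, PINNED, TRUSTED))
```

With only the global list, any host holding a listed certificate is accepted as the destination of every entry; the common-name match or a per-entry certificate ties the certificate to the configured destination.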

