分类: LINUX
2008-03-03 21:25:19
The Premium Edition of syslog-ng can send and receive log messages securely
over the network using the Transport Layer Security (TLS) protocol. TLS is an
encryption protocol over the TCP/IP network protocol, so it can be used only
with TCP-based sources and destinations ( tcp()
and tcp6()
).
# 注释 :PE 版本的 syslog-ng 可以通过 TLS 协议发送/接收消息。TLS 是一个加密协议,用于 TCP/IP 协议,
# 所以它只能用于基于 TCP 的 sources 和 destinations
TLS uses certificates to authenticate and encrypt the communication, as illustrated on the following figure:
# 注释 :TLS 使用“证书”来认证和加密通信。客户端会向 server 端要求其证书和公钥。同样 server 也可以向 client 端索要相同的东西
# 注释 :下面是 syslog-ng 使用 TLS 的前提要求
# -)1、server 端的 syslog-ng 的证书,用于认证 server 的身份
# -)2、在 client 端必须有为 server 发布证书的 CA 的整数,用于验证 server 证书的有效性。
# 注释 :如果是 server 端需要验证 client 的身份,则还需要以下的东西
# -)1、client 端上必须有证书
# -)2、server 上必须有为该 client 颁发证书的 CA 的证书
The client authenticates the server by requesting its certificate and public key. Optionally, the server can also request a certificate from the client, thus mutual authentication is also possible.
In order to use TLS encryption in syslog-ng, the following elements are required:
A certificate on the syslog-ng server that identifies the syslog-ng server.
The certificate of the Certificate Authority that issued the certificate of the syslog-ng server must be available on the syslog-ng client.
When using mutual authentication to verify the identity of the clients, the following elements are required:
A certificate must be available on the syslog-ng client. This certificate identifies the syslog-ng client.
The certificate of the Certificate Authority that issued the certificate of the syslog-ng client must be available on the syslog-ng server.
Mutual authentication ensures that the syslog-ng server accepts log messages only from authorized clients.
See for details on configuring TLS communication in syslog-ng.