From 07c0fcdfc8815ce6b82376d9d312b4e86ed29743 Mon Sep 17 00:00:00 2001
From: Peter Vrabec <pvrabec@redhat.com>
Date: Fri, 11 Apr 2008 16:02:04 +0200
Subject: added gssapi overview/howto thanks to Peter Vrabec

Signed-off-by: Rainer Gerhards <rgerhards@adiscon.com>
---
 doc/gssapi.html | 118 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)
 create mode 100644 doc/gssapi.html

(limited to 'doc/gssapi.html')

diff --git a/doc/gssapi.html b/doc/gssapi.html
new file mode 100644
index 00000000..400be4a3
--- /dev/null
+++ b/doc/gssapi.html
@@ -0,0 +1,118 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html><head><title>GSSAPI module support in rsyslog v3</title>
+
+</head>
+<body>
+<h1>GSSAPI module support in rsyslog v3</h1>
+<p style="font-weight: bold;">What is it good for.</p>
+<ul style="margin-left: 1.25cm;">
+<li>
+client-serverauthentication </li>
+<li>
+Log
+messages encryption </li>
+</ul>
+<p class="P5"> </p>
+<p class="P3"><span style="font-weight: bold;">Requirements.</span>
+</p>
+<ul>
+<li>Kerberos infrastructure</li>
+<li>rsyslog, rsyslog-gssapi</li>
+</ul>
+<p> </p>
+<p><span style="font-weight: bold;">Configuration.</span>
+</p>
+<p>Let's assume there are 3 machines in kerberos Realm: </p>
+<ul>
+<li>the
+first is running KDC (Kerberos Authentication Service and Key
+Distribution Center),</li>
+<li>the second is a client sending its logs to the server,</li>
+<li>the third is receiver, gathering all logs.</li>
+</ul>
+<p class="P7"> </p>
+<p class="P10"><span style="font-style: italic;">1.
+KDC:</span> </p>
+<ul>
+<li>Kerberos
+database must be properly set-up on KDC machine first. Use
+kadmin/kadmin.local to do that. Two principals need to be add in our
+case:</li>
+</ul>
+<ol style="margin-left: 1.25cm; list-style-type: decimal;">
+<li>
+<p>sender@REALM.ORG
+</p>
+</li>
+</ol>
+<ul>
+<li>client must have ticket for pricipal sender</li>
+<li>REALM.ORG is kerberos Realm</li>
+</ul>
+<ol style="margin-left: 1.25cm; list-style-type: decimal;">
+<li>host/receiver.mydomain.com@REALM.ORG - service principal</li>
+</ol>
+<ul>
+<li>Use ktadd to export service principal and transfer it to
+/etc/krb5.keytab
+on receiver </li>
+</ul>
+<p><span style="font-style: italic;">2. CLIENT:</span>
+</p>
+<ul>
+<li>set-up rsyslog, in /etc/rsyslog.conf</li>
+<li>$ModLoad omgssapi.so - load output gss module </li>
+<li>$GSSForwardServiceName
+otherThanHost - set the name of service principal, "host" is the
+default one</li>
+<li>*.* :omgssapi:receiver.mydomain.com - action line, forward
+logs to receiver</li>
+<li>kinit root - get the TGT ticket</li>
+<li>service rsyslog start
+<p class="P14" style="margin-left: 0.25cm;"> </p>
+</li>
+</ul>
+<p><span style="font-style: italic;">3. SERVER:</span>
+</p>
+<ul>
+<li class="P14" style="margin-left: 0cm;">
+<p class="P14" style="margin-left: 0.25cm;">set-up
+rsyslog, in /etc/rsyslog.conf </p>
+</li>
+<li class="P16">
+<p class="P16" style="margin-left: 0.25cm;">$ModLoad
+<a href="imgssapi.html">imgssapi.so</a> - load input gss module </p>
+</li>
+<li class="P16">
+<p class="P16" style="margin-left: 0.25cm;">$InputGSSServerServiceName
+otherThanHost - set the name of service principal, "host" is the
+default one </p>
+</li>
+<li class="P16">
+<p class="P16" style="margin-left: 0.25cm;">$InputGSSServerPermitPlainTCP
+on - accept GSS and TCP connections (not authenticated senders), off by
+default </p>
+</li>
+<li class="P16">
+<p class="P16" style="margin-left: 0.25cm;">$InputGSSServerRun
+514 - run server on port </p>
+</li>
+<li class="P14" style="margin-left: 0cm;">
+<p class="P14" style="margin-left: 0.25cm;">service
+rsyslog start </p>
+</li>
+</ul>
+<span style="font-weight: bold;">The picture demonstrate
+how things work.</span>
+<p class="P18"> </p>
+<img src="gssapi.png" alt="rsyslog gssapi support">
+<p>[<a href="rsyslog_conf.html">rsyslog.conf overview</a>]
+[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p>
+<p><font size="2">This documentation is part of the
+<a href="http://www.rsyslog.com/">rsyslog</a>
+project.<br>
+Copyright © 2008 by <a href="http://www.gerhards.net/rainer">Rainer
+Gerhards</a> and
+<a href="http://www.adiscon.com/">Adiscon</a>.
+Released under the GNU GPL version 3 or higher.</font></p>
+</body></html>
\ No newline at end of file
-- 
cgit v1.2.3


From 9b59581a6f7d161c7aafbc3300689337939bb382 Mon Sep 17 00:00:00 2001
From: Michael Biebl <biebl@debian.org>
Date: Fri, 18 Jul 2008 16:41:52 +0200
Subject: use the $ModLoad syntax consistently.

Update the documentation to use the new, preferred $ModLoad syntax:
- no more MySQL
- name of the in/output plugin without the trailing .so

Signed-off-by: Rainer Gerhards <rgerhards@adiscon.com>
---
 doc/gssapi.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'doc/gssapi.html')

diff --git a/doc/gssapi.html b/doc/gssapi.html
index 400be4a3..3ad7d07b 100644
--- a/doc/gssapi.html
+++ b/doc/gssapi.html
@@ -61,7 +61,7 @@ on receiver </li>
 </p>
 <ul>
 <li>set-up rsyslog, in /etc/rsyslog.conf</li>
-<li>$ModLoad omgssapi.so - load output gss module </li>
+<li>$ModLoad omgssapi - load output gss module </li>
 <li>$GSSForwardServiceName
 otherThanHost - set the name of service principal, "host" is the
 default one</li>
@@ -81,7 +81,7 @@ rsyslog, in /etc/rsyslog.conf </p>
 </li>
 <li class="P16">
 <p class="P16" style="margin-left: 0.25cm;">$ModLoad
-<a href="imgssapi.html">imgssapi.so</a> - load input gss module </p>
+<a href="imgssapi.html">imgssapi</a> - load input gss module </p>
 </li>
 <li class="P16">
 <p class="P16" style="margin-left: 0.25cm;">$InputGSSServerServiceName
@@ -115,4 +115,4 @@ Copyright 
 Gerhards</a> and
 <a href="http://www.adiscon.com/">Adiscon</a>.
 Released under the GNU GPL version 3 or higher.</font></p>
-</body></html>
\ No newline at end of file
+</body></html>
-- 
cgit v1.2.3