I have the following rsyslog config file 10-custom.conf in which I want to have access to the distinguished name (CN, OU, L etc.) of the TLS client certificate that is used to establish the connection to rsyslog.

module(
    load="imtcp"
    StreamDriver.Name="gtls"
    StreamDriver.Mode="1"
    StreamDriver.Authmode="x509/name"
    PermittedPeer="peers.mydomain.com"
)


$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile ca-root.cer
$DefaultNetstreamDriverCertFile rsyslog.cer
$DefaultNetstreamDriverKeyFile syslog_private.key

ruleset(name="tofile"){
    action(type="omfile" file="/var/log/test.log")
}

input(type="imtcp" port="1514" ruleset="tofile")

Is there a way to access the aforementioned distinguished name properties for log processing? E.g. passing logs to different hosts depending on the common name? Non-working example:

if ($commonname contains "client1") then {
   action(type="omfile" file="/var/log/client1.log")
}
if ($commonname contains "client2") then {
   action(type="omfile" file="/var/log/client2.log")
}
dmuensterer
  • Can you please share an example of what a log you receive looks like? – eDonkey Oct 05 '22 at 06:25
  • There’s no info on determining the client from the log or sender address unfortunately. Just a syslog formatted log containing a JSON payload. – dmuensterer Oct 05 '22 at 07:54
  • So.. not even a hostname? Because as far as I know, you can't access any certificate information inside the config. – eDonkey Oct 05 '22 at 11:20
  • No, I can’t see the hostname information I wish to see. But it’s useful information for me that apparently it is not possible to see any cert info in the config. Thank you – dmuensterer Oct 05 '22 at 13:33

0 Answers