srlog2: secure remote logging

A year ago, Bruce Guenter released srlog2, which is a secure remote log transmission system. At work we will be wanting centralized logging, which is why I finally hacked on an ebuild for it.

Getting there was a bit tricky, as nistp224 (ebuild) — an elliptic curve crypto library — did not compile using gcc-4. Luckily Griffon26 is more asm-savvy than I am and within minutes he produced a working patch. (Thanks!)

Anyway – getting srlog2 to work is a breeze:

  1. On the receiver (a.k.a. the central loghost), create the srlog2d keys


    receiver.example.com $ srlog2-keygen -t nistp224 /var/log/srlog2

    The public key will need to be distributed to all sending hosts (see step 5).

  2. Set the private key as the server key


    receiver.example.com $ mv /var/log/srlog2/nistp224 /var/log/srlog2/secrets

  3. Use the following run file to start srlog2d


    #!/bin/bash
    cd /var/log/srlog2
    exec srlog2d srlog2-logger --mkdirs

  4. On the sender, create host keys


    sender-hostname.example.com $ srlog2-keygen -t nistp224 /etc/srlog2

    The public key needs to be put on the receiving host (see step 7).

  5. Put the receiver's public key into /etc/srlog2/servers/receiver.example.com.nistp224
  6. Start a log service. srlog2 reads log lines from standard input and sends them to the central loghost. It is designed to be similar to multilog and thus also supports the same patterns.


    sender-hostname.example.com $ srlog2 bla receiver.example.com
    --type stuff--

  7. Before the above will work you need to put the sender's public key into /var/log/srlog2/senders. Prepend it with its hostname (not the FQDN) followed by a colon:


    sender-hostname:nistp224:0kfFexdXjzVPPRQOUbLq3f2K9fDqC2BDsE3o/Q==

Done!
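Step 7 is the one that is easy to get wrong by hand (a FQDN instead of the short hostname, a key wrapped across two lines, a duplicate entry), so here is a small POSIX sh helper, added to this post as an example. It is not part of srlog2 and not Bruce's code. It builds the `hostname:keytype:key` line in the form shown above and appends it to the senders file. It assumes the sender's public key file contains a single base64 line, as srlog2-keygen writes it; the senders path defaults to /var/log/srlog2/senders from the steps above and can be overridden with the SENDERS variable or a fourth argument.

```shell
#!/bin/sh
# Added example for this post, not part of srlog2.
# Usage: add_sender FQDN KEYTYPE PUBKEYFILE [SENDERSFILE]
#   e.g. add_sender sender-hostname.example.com nistp224 /etc/srlog2/nistp224.pub
# Assumption (not from the post): PUBKEYFILE holds exactly one base64 line.

SENDERS="${SENDERS:-/var/log/srlog2/senders}"

# short_hostname FQDN -> the part before the first dot; the senders file
# wants the short hostname, not the FQDN.
short_hostname() {
    printf '%s\n' "${1%%.*}"
}

# check_key_b64 STRING -> 0 if STRING consists only of the base64 alphabet
# plus '=' padding, 1 otherwise. A stray space or a line-wrapped key would
# otherwise silently produce an entry that never authenticates.
check_key_b64() {
    case "$1" in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    return 0
}

# build_sender_line FQDN KEYTYPE PUBKEYFILE -> prints "host:type:key"
build_sender_line() {
    host=$(short_hostname "$1")
    # take the first line only and drop any CR/LF so wrapping cannot leak in
    key=$(head -n 1 "$3" | tr -d '\r\n')
    check_key_b64 "$key" || { echo "bad public key in $3" >&2; return 1; }
    printf '%s:%s:%s\n' "$host" "$2" "$key"
}

# add_sender FQDN KEYTYPE PUBKEYFILE [SENDERSFILE] -> appends the entry unless
# one for that host and key type already exists; prints "added" or "exists".
add_sender() {
    file="${4:-$SENDERS}"
    line=$(build_sender_line "$1" "$2" "$3") || return 1
    host="${line%%:*}"
    if grep -q "^$host:$2:" "$file" 2>/dev/null; then
        echo "exists"
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
    echo "added"
}
```

Run it on the receiver after copying the sender's public key file over; rerunning it for the same host and key type is a no-op, so it is safe to put in a provisioning script.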

You will now start to see logfiles in /var/log/srlog2/sender-hostname/bla/. If everything worked well, you should be seeing what you typed in step 6.

If you want to use curve25519 instead of nistp224, replace all occurrences of nistp224 above accordingly. However, currently curve25519 is only supported on 32-bit x86.

Note: The example above is only meant to get you up and running. On a production system the server keys would not be stored in /var/log/srlog2. Also be aware of funny line wrapping in the shell commands above.

Update: it was pointed out to me that dragonheart had already prepared ebuilds for nistp224 and srlog2. And they are much more refined too. Way cool!

Happy hacking!