GSSAPI module support in rsyslog v3

What is it good for.

  • client-serverauthentication

  • Log messages encryption

Requirements.

  • Kerberos infrastructure

  • rsyslog, rsyslog-gssapi

Configuration.

Let’s assume there are 3 machines in Kerberos Realm:

  • the first is running KDC (Kerberos Authentication Service and Key Distribution Center),

  • the second is a client sending its logs to the server,

  • the third is receiver, gathering all logs.

  1. KDC:

  • Kerberos database must be properly set-up on KDC machine first. Use kadmin/kadmin.local to do that. Two principals need to be add in our case:

  1. sender@REALM.ORG

  • client must have ticket for principal sender

  • REALM.ORG is kerberos Realm

  1. host/receiver.mydomain.com@REALM.ORG - service principal

  • Use ktadd to export service principal and transfer it to /etc/krb5.keytab on receiver

  1. CLIENT:

  • set-up rsyslog, in /etc/rsyslog.conf

  • $ModLoad omgssapi - load output gss module

  • $GSSForwardServiceName otherThanHost - set the name of service principal, “host” is the default one

  • *.* :omgssapi:receiver.mydomain.com - action line, forward logs to receiver

  • kinit root - get the TGT ticket

  • service rsyslog start

  1. SERVER:

  • set-up rsyslog, in /etc/rsyslog.conf

  • $ModLoad imgssapi - load input gss module

  • $InputGSSServerServiceName otherThanHost - set the name of service principal, “host” is the default one

  • $InputGSSServerPermitPlainTCP on - accept GSS and TCP connections (not authenticated senders), off by default

  • $InputGSSServerRun 514 - run server on port

  • service rsyslog start

The picture demonstrate how things work.

rsyslog gssapi support

rsyslog gssapi support

Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project

Contributing: Source & docs: rsyslog source project

© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.