GSSAPI module support in rsyslog v3

What is it good for.

  • client-serverauthentication

  • Log messages encryption

Requirements.

  • Kerberos infrastructure

  • rsyslog, rsyslog-gssapi

Configuration.

Let’s assume there are 3 machines in Kerberos Realm:

  • the first is running KDC (Kerberos Authentication Service and Key Distribution Center),

  • the second is a client sending its logs to the server,

  • the third is receiver, gathering all logs.

  1. KDC:

  • Kerberos database must be properly set-up on KDC machine first. Use kadmin/kadmin.local to do that. Two principals need to be add in our case:

  1. sender@REALM.ORG

  • client must have ticket for principal sender

  • REALM.ORG is kerberos Realm

  1. host/receiver.mydomain.com@REALM.ORG - service principal

  • Use ktadd to export service principal and transfer it to /etc/krb5.keytab on receiver

  1. CLIENT:

  • set-up rsyslog, in /etc/rsyslog.conf

  • $ModLoad omgssapi - load output gss module

  • $GSSForwardServiceName otherThanHost - set the name of service principal, “host” is the default one

  • *.* :omgssapi:receiver.mydomain.com - action line, forward logs to receiver

  • kinit root - get the TGT ticket

  • service rsyslog start

  1. SERVER:

  • set-up rsyslog, in /etc/rsyslog.conf

  • $ModLoad imgssapi - load input gss module

  • $InputGSSServerServiceName otherThanHost - set the name of service principal, “host” is the default one

  • $InputGSSServerPermitPlainTCP on - accept GSS and TCP connections (not authenticated senders), off by default

  • $InputGSSServerRun 514 - run server on port

  • service rsyslog start

The picture demonstrate how things work.

rsyslog gssapi support

rsyslog gssapi support

Configuration Parameters

Note

Parameter names are case-insensitive; camelCase is recommended for readability.

Module Parameters

Parameter

Summary

GssForwardServiceName

Sets the Kerberos service principal base name used when omgssapi establishes a GSSAPI-secured forwarding session.

GssMode

Chooses whether omgssapi requests integrity-only or encrypted message protection for GSSAPI sessions.

ActionGSSForwardDefaultTemplate

Sets the default output template omgssapi applies when a forwarding action omits an explicit template.

Action Parameters

The omgssapi action is configured via module parameters. In modern action() syntax, it takes a target parameter and can optionally have a template assigned.

Legacy :omgssapi: syntax is also supported and includes options for compression and TCP framing. These are specified in parentheses after the selector, for example :omgssapi:(z5,o)hostname.

  • z[0-9]: Enables zlib compression. The optional digit specifies the compression level (0-9). Defaults to 9 if no digit is given.

  • o: Enables octet-counted TCP framing.

Support: rsyslog Assistant | GitHub Discussions | GitHub Issues: rsyslog source project

Contributing: Source & docs: rsyslog source project

© 2008–2025 Rainer Gerhards and others. Licensed under the Apache License 2.0.