TLS Client Auth support for `net` log output #6079
Comments
I have a feeling that a
That may be true, but I was thinking it seems fitting that a server that specializes in TLS should be able to establish a TLS connection for transmitting logs. 🤷‍♂️
But is there an actual standard for establishing TLS for writing logs, or is it just a proprietary thing logstash is doing? I don't think it makes sense to do this in the
It would just be a TLS client config, similar to what the reverse proxy uses or layer 4's proxy -- enable TLS, maybe configure the trusted roots, client auth, timeouts, etc. Would work with any TCP log ingestor (that also supports TLS, presumably remote log servers).
From prior research, I found that attempting TLS termination for RDBMS and STARTTLS (in the email world) doesn't work like it works for other traffic, e.g. web. They have their own special handling during the handshake. This is where Francis' point about the presence of a standard for such TLS communication in log-writing. We can test it. If the
It looks like the TCP plugin for logstash is doing a pretty standard exchange. Here are their docs, and here is a typical example of the config for a Logstash TCP endpoint that is expecting a client cert:
When sending logs via the `net` output, TLS client auth is necessary for a secure, encrypted connection and safe transmission of logs. This is especially important when sending logs to a foreign server (think: Elasticsearch via Logstash's TCP plugin).