Fluentd
0.12
0.121.0
0.12
0.121.0
  • Introduction
  • Overview
    • Getting Started
    • Installation
    • Life of a Fluentd event
    • Support
    • FAQ
  • Use Cases
    • Centralized App Logging
    • Monitoring Service Logs
    • Data Analytics
    • Connecting to Data Storages
    • Stream Processing
    • Windows Event Collection
    • IoT Data Logger
  • Configuration
    • Config File Syntax
    • Routing Examples
    • Recipes
  • Deployment
    • Logging
    • Monitoring
    • Signals
    • RPC
    • High Availability Config
    • Failure Scenarios
    • Performance Tuning
    • Plugin Management
    • Trouble Shooting
    • Secure Forwarding
    • Fluentd UI
    • Command Line Option
  • Container Deployment
    • Docker Image
    • Docker Logging Driver
    • Docker Compose
    • Kubernetes
  • Input Plugins
    • tail
    • forward
    • secure_forward
    • udp
    • tcp
    • http
    • unix
    • syslog
    • exec
    • scribe
    • multiprocess
    • dummy
    • Others
  • Output Plugins
    • file
    • s3
    • kafka
    • forward
    • secure_forward
    • exec
    • exec_filter
    • copy
    • geoip
    • roundrobin
    • stdout
    • null
    • webhdfs
    • splunk
    • mongo
    • mongo_replset
    • relabel
    • rewrite_tag_filter
    • Others
  • Buffer Plugins
    • memory
    • file
  • Filter Plugins
    • record_transformer
    • grep
    • parser
    • stdout
  • Parser Plugins
    • regexp
    • apache2
    • apache_error
    • nginx
    • syslog
    • ltsv
    • csv
    • tsv
    • json
    • multiline
    • none
  • Formatter Plugins
    • out_file
    • json
    • ltsv
    • csv
    • msgpack
    • hash
    • single_value
  • Developer
    • Plugin Development
    • Community
    • Mailing List
    • Source Code
    • Bug Tracking
    • ChangeLog
    • Logo
  • Articles
    • Store Apache Logs into MongoDB
    • Apache To Riak
    • Store Apache Logs into Amazon S3
    • Before Install
    • Cep Norikra
    • Collect Glusterfs Logs
    • Common Log Formats
    • Docker Logging Efk Compose
    • Docker Logging
    • Filter Modify Apache
    • Forwarding Over Ssl
    • Free Alternative To Splunk By Fluentd
    • Data Collection to Hadoop (HDFS)
    • Data Analytics with Treasure Data
    • Install By Chef
    • Install By Deb
    • Install By Dmg
    • Install By Gem
    • Install By Rpm
    • Install From Source
    • Install On Beanstalk
    • Install On Heroku
    • Java
    • Kinesis Stream
    • Kubernetes Fluentd
    • Monitoring by Prometheus
    • Monitoring by Rest Api
    • Nodejs
    • Performance Tuning Multi Process
    • Performance Tuning Single Process
    • Perl
    • Php
    • Python
    • Quickstart
    • Raspberrypi Cloud Data Logger
    • Recipe Apache Logs To Elasticsearch
    • Recipe Apache Logs To Mongo
    • Recipe Apache Logs To S3
    • Recipe Apache Logs To Treasure Data
    • Recipe Cloudstack To Mongodb
    • Recipe Csv To Elasticsearch
    • Recipe Csv To Mongo
    • Recipe Csv To S3
    • Recipe Csv To Treasure Data
    • Recipe Http Rest Api To Elasticsearch
    • Recipe Http Rest Api To Mongo
    • Recipe Http Rest Api To S3
    • Recipe Http Rest Api To Treasure Data
    • Recipe Json To Elasticsearch
    • Recipe Json To Mongo
    • Recipe Json To S3
    • Recipe Json To Treasure Data
    • Recipe Nginx To Elasticsearch
    • Recipe Nginx To Mongo
    • Recipe Nginx To S3
    • Recipe Nginx To Treasure Data
    • Recipe Syslog To Elasticsearch
    • Recipe Syslog To Mongo
    • Recipe Syslog To S3
    • Recipe Syslog To Treasure Data
    • Recipe Tsv To Elasticsearch
    • Recipe Tsv To Mongo
    • Recipe Tsv To S3
    • Recipe Tsv To Treasure Data
    • Ruby
    • Scala
    • Splunk Like Grep And Alert Email
Powered by GitBook
On this page
  • Installation
  • Example Configurations
  • Minimalist Configuration
  • Check username/password from Clients
  • Deny Unknown Source IP/hosts
  • Secure Sender-Receiver Setup
  • Parameters
  • type
  • port (integer)
  • bind (string)
  • secure (bool)
  • self_hostname (string)
  • shared_key (string)
  • allow_keepalive (bool)
  • allow_anonymous_source (bool)
  • authentication (bool)
  • ca_cert_path (string)
  • ca_private_key_path (string)
  • ca_private_key_passphrase (string)
  • read_length (size)
  • read_interval_msec (integer)
  • socket_interval_msec (integer)
  • Further Reading

Was this helpful?

  1. Input Plugins

secure_forward

PreviousforwardNextudp

Last updated 5 years ago

Was this helpful?

The in_secure_forward input plugin accepts messages via SSL with authentication (cf. ). This document doesn't describe all parameters. If you want to know full features, check the Further Reading section.

Installation

Example Configurations

This section provides some example configurations for in_secure_forward.

Minimalist Configuration

At first, generate private CA file by secure-forward-ca-generate, then copy that file to output plugin side by safe way (scp, or anyway else).

<source>
  @type secure_forward
  shared_key      secret_string
  self_hostname   server.fqdn.local  # This fqdn is used as CN (Common Name) of certificates
  secure true
  ca_cert_path        /path/to/certificate/ca_cert.pem
  ca_private_key_path /path/to/certificate/ca_key.pem
  ca_private_key_passphrase passphrase_for_private_CA_secret_key
</source>

Check username/password from Clients

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local
  secure true
  ca_cert_path        /path/to/certificate/ca_cert.pem
  ca_private_key_path /path/to/certificate/ca_key.pem
  ca_private_key_passphrase passphrase_for_private_CA_secret_key
  authentication     yes # Deny clients without valid username/password
  <user>
    username tagomoris
    password foobar012
  </user>
  <user>
    username frsyuki
    password yakiniku
  </user>
</source>

Deny Unknown Source IP/hosts

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local
  secure true
  ca_cert_path        /path/to/certificate/ca_cert.pem
  ca_private_key_path /path/to/certificate/ca_key.pem
  ca_private_key_passphrase passphrase_for_private_CA_secret_key
  allow_anonymous_source no  # Allow to accept from nodes of <client>
  <client>
    host 192.168.10.30
    # network address (ex: 192.168.10.0/24) NOT Supported now
  </client>
  <client>
    host your.host.fqdn.local
    # wildcard (ex: *.host.fqdn.local) NOT Supported now
  </client>
</source>

You can use the username/password check and client check together:

<source>
  @type secure_forward
  shared_key         secret_string
  self_hostname      server.fqdn.local
  secure true
  ca_cert_path        /path/to/certificate/ca_cert.pem
  ca_private_key_path /path/to/certificate/ca_key.pem
  ca_private_key_passphrase passphrase_for_private_CA_secret_key
  allow_anonymous_source no  # Allow to accept from nodes of <client>
  authentication         yes # Deny clients without valid username/password
  <user>
    username tagomoris
    password foobar012
  </user>
  <user>
    username frsyuki
    password sukiyaki
  </user>
  <user>
    username repeatedly
    password sushi
  </user
  <client>
    host 192.168.10.30      # allow all users to connect from 192.168.10.30
  </client>
  <client>
    host  192.168.10.31
    users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
  </client>
  <client>
    host 192.168.10.32
    shared_key less_secret_string # limited shared_key for 192.168.10.32
    users      repeatedly         # and repeatedly only
  </client>
</source>

Secure Sender-Receiver Setup

Parameters

type

This parameter is required. Its value must be secure_forward.

port (integer)

The default value is 24284.

bind (string)

The default value is 0.0.0.0.

secure (bool)

Indicate published connection is secure or not. Specify yes (or true) if secure encryption needed.

self_hostname (string)

Default value of the auto-generated certificate common name (CN).

shared_key (string)

Shared key between nodes.

allow_keepalive (bool)

Accept keepalive connection. The default value is true.

allow_anonymous_source (bool)

Accept connections from unknown hosts.

authentication (bool)

Require password authentication. The default value is false.

ca_cert_path (string)

The path to the private CA certificate file, which is required to use private CA. (One of this parameter or cert_path is required for secure yes configuration.)

ca_private_key_path (string)

The path to the private key for private CA certificate key file.

ca_private_key_passphrase (string)

The passphrase string for private key file, specified by ca_private_key_path.

read_length (size)

The number of bytes read per nonblocking read. The default value is 8MB=810241024 bytes.

read_interval_msec (integer)

The interval between the non-blocking reads, in milliseconds. The default value is 50.

socket_interval_msec (integer)

The interval between SSL reconnects in milliseconds. The default value is 200.

log_level option

The log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.

Further Reading

in_secure_forward is not included in either td-agent package or fluentd gem. In order to install it, please refer to the article.

Please refer to the Secure Sender-Receiver Setup .

Please see the for further details.

If this article is incorrect or outdated, or omits critical information, please . is a open source project under . All components are available under the Apache 2 License.

Plugin Management
logging article
fluent-plugin-secure-forward repository
let us know
Fluentd
Cloud Native Computing Foundation (CNCF)
out_secure_forward
sample documentation