Fluentd
Search…
0.12
Introduction
Overview
Use Cases
Configuration
Deployment
Container Deployment
Input Plugins
tail
forward
secure_forward
udp
tcp
http
unix
syslog
exec
scribe
multiprocess
dummy
Others
Output Plugins
Buffer Plugins
Filter Plugins
Parser Plugins
Formatter Plugins
Developer
Articles
Powered By GitBook
secure_forward
The in_secure_forward input plugin accepts messages via SSL with authentication (cf. out_secure_forward). This document doesn't describe all parameters. If you want to know full features, check the Further Reading section.

Installation

in_secure_forward is not included in either td-agent package or fluentd gem. In order to install it, please refer to the Plugin Management article.

Example Configurations

This section provides some example configurations for in_secure_forward.

Minimalist Configuration

At first, generate private CA file by secure-forward-ca-generate, then copy that file to output plugin side by safe way (scp, or anyway else).
1
<source>
2
@type secure_forward
3
shared_key secret_string
4
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
5
secure true
6
ca_cert_path /path/to/certificate/ca_cert.pem
7
ca_private_key_path /path/to/certificate/ca_key.pem
8
ca_private_key_passphrase passphrase_for_private_CA_secret_key
9
</source>
Copied!

Check username/password from Clients

1
<source>
2
@type secure_forward
3
shared_key secret_string
4
self_hostname server.fqdn.local
5
secure true
6
ca_cert_path /path/to/certificate/ca_cert.pem
7
ca_private_key_path /path/to/certificate/ca_key.pem
8
ca_private_key_passphrase passphrase_for_private_CA_secret_key
9
authentication yes # Deny clients without valid username/password
10
<user>
11
username tagomoris
12
password foobar012
13
</user>
14
<user>
15
username frsyuki
16
password yakiniku
17
</user>
18
</source>
Copied!

Deny Unknown Source IP/hosts

1
<source>
2
@type secure_forward
3
shared_key secret_string
4
self_hostname server.fqdn.local
5
secure true
6
ca_cert_path /path/to/certificate/ca_cert.pem
7
ca_private_key_path /path/to/certificate/ca_key.pem
8
ca_private_key_passphrase passphrase_for_private_CA_secret_key
9
allow_anonymous_source no # Allow to accept from nodes of <client>
10
<client>
11
host 192.168.10.30
12
# network address (ex: 192.168.10.0/24) NOT Supported now
13
</client>
14
<client>
15
host your.host.fqdn.local
16
# wildcard (ex: *.host.fqdn.local) NOT Supported now
17
</client>
18
</source>
Copied!
You can use the username/password check and client check together:
1
<source>
2
@type secure_forward
3
shared_key secret_string
4
self_hostname server.fqdn.local
5
secure true
6
ca_cert_path /path/to/certificate/ca_cert.pem
7
ca_private_key_path /path/to/certificate/ca_key.pem
8
ca_private_key_passphrase passphrase_for_private_CA_secret_key
9
allow_anonymous_source no # Allow to accept from nodes of <client>
10
authentication yes # Deny clients without valid username/password
11
<user>
12
username tagomoris
13
password foobar012
14
</user>
15
<user>
16
username frsyuki
17
password sukiyaki
18
</user>
19
<user>
20
username repeatedly
21
password sushi
22
</user
23
<client>
24
host 192.168.10.30 # allow all users to connect from 192.168.10.30
25
</client>
26
<client>
27
host 192.168.10.31
28
users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
29
</client>
30
<client>
31
host 192.168.10.32
32
shared_key less_secret_string # limited shared_key for 192.168.10.32
33
users repeatedly # and repeatedly only
34
</client>
35
</source>
Copied!

Secure Sender-Receiver Setup

Please refer to the Secure Sender-Receiver Setup sample documentation.

Parameters

type

This parameter is required. Its value must be secure_forward.

port (integer)

The default value is 24284.

bind (string)

The default value is 0.0.0.0.

secure (bool)

Indicate published connection is secure or not. Specify yes (or true) if secure encryption needed.

self_hostname (string)

Default value of the auto-generated certificate common name (CN).

shared_key (string)

Shared key between nodes.

allow_keepalive (bool)

Accept keepalive connection. The default value is true.

allow_anonymous_source (bool)

Accept connections from unknown hosts.

authentication (bool)

Require password authentication. The default value is false.

ca_cert_path (string)

The path to the private CA certificate file, which is required to use private CA. (One of this parameter or cert_path is required for secure yes configuration.)

ca_private_key_path (string)

The path to the private key for private CA certificate key file.

ca_private_key_passphrase (string)

The passphrase string for private key file, specified by ca_private_key_path.

read_length (size)

The number of bytes read per nonblocking read. The default value is 8MB=810241024 bytes.

read_interval_msec (integer)

The interval between the non-blocking reads, in milliseconds. The default value is 50.

socket_interval_msec (integer)

The interval between SSL reconnects in milliseconds. The default value is 200.

log_level option

The log_level option allows the user to set different levels of logging for each plugin. The supported log levels are: fatal, error, warn, info, debug, and trace.
Please see the logging article for further details.

Further Reading

If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is a open source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.
Previous
forward
Next
udp
Last modified 1yr ago
Copy link
Contents
Installation
Example Configurations
Minimalist Configuration
Check username/password from Clients
Deny Unknown Source IP/hosts
Secure Sender-Receiver Setup
Parameters
type
port (integer)
bind (string)
secure (bool)
self_hostname (string)
shared_key (string)
allow_keepalive (bool)
allow_anonymous_source (bool)
authentication (bool)
ca_cert_path (string)
ca_private_key_path (string)
ca_private_key_passphrase (string)
read_length (size)
read_interval_msec (integer)
socket_interval_msec (integer)
Further Reading