Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- centos:web_c7:graylog2 [17.02.2017 11:43. ] – [/etc/graylog/server/server.conf] django
+++ centos:web_c7:graylog2 [22.07.2019 14:42. ] (aktuell) – django
@@ Zeile 64: / Zeile 64: @@
   sub  2048R/60D31954 2013-09-16
-Diesen **Key fingerprint = 4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4** vergleichen wir nun mit den Angaben auf der [[https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html|elasticsearch Dokumentationsseite]]. Stimmen beide Fingerprints überein, steht dem Import des Schlüssels nicht's mehr entgegen.
+Diesen **Key fingerprint = 4609 5ACC 8548 582C 1A26  99A9 D27D 666C D88E 42B4** vergleichen wir nun mit den Angaben auf der [[https://www.elastic.co/guide/en/elasticsearch/reference/current/setup-repositories.html|elasticsearch Dokumentationsseite]]. Stimmen beide Fingerprints überein, steht dem Import des Schlüssels nichts mehr entgegen.
    # rpm --import /etc/pki/rpm-gpg/GPG-KEY-elasticsearch
@@ Zeile 70: / Zeile 70: @@
 Graylog selbst werden wir später aus dem Repository von **graylog** installieren. So bleibt zum einen der Konfigurationsaufwand überschaubar und wir werden mit Updates versorgt, wenn Änderungen und/oder Erweiterungen am Programmcode von graylog notwendig werden.
 Die Integration des benötigten Repositories erfolgt direkt mit nachfolgendem Befehl:
-   # yum localinstall https://packages.graylog2.org/repo/packages/graylog-2.2-repository_latest.rpm
+   # yum localinstall https://packages.graylog2.org/repo/packages/graylog-2.3-repository_latest.rpm
-Anschließend kontrollieren wir nun die installierte Repo-Datei und tragen dort z.B. die gewünschte Priorität nach.
+Anschliessend kontrollieren wir nun die installierte Repo-Datei und tragen dort z.B. die gewünschte Priorität nach.
    # vim /etc/yum.repos.d/graylog.repo
 <file bash /etc/yum.repos.d/graylog.repo>[graylog]
 name=graylog
-baseurl=https://packages.graylog2.org/repo/el/stable/2.2/$basearch/
+baseurl=https://packages.graylog2.org/repo/el/stable/2.3/$basearch/
 gpgcheck=1
 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-graylog
@@ Zeile 249: / Zeile 249: @@
 Im nächsten Schritt installieren wir nun noch elasticsearch als Suchmaschine/-server.
    # yum install elasticsearch -y
-Bei der Installation des RPMs werden unter anderem folgende Informationen angegeben:
-<code>...
-Running transaction check
-Running transaction test
-Transaction test succeeded
-Running transaction
-Creating elasticsearch group... OK
-Creating elasticsearch user... OK
-  Installing : elasticsearch-2.4.4-1.noarch                                                                                                                                 1/1
-### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
- sudo systemctl daemon-reload
- sudo systemctl enable elasticsearch.service
-### You can start elasticsearch service by executing
- sudo systemctl start elasticsearch.service
-  Verifying  : elasticsearch-2.4.4-1.noarch                                                                                                                                 1/1
-Installed:
-  elasticsearch.noarch 0:2.4.4-1
-</code>
-Bei dr späteren Konfiguration werden wir diese Schritte dann nachholen.
 Wollen wir wissen, welche Dateien und Verzeichnisse das Paket auf unseren Server packte, benutzen wir folgenden Befehl.
@@ Zeile 370: / Zeile 347: @@
 /var/log/elasticsearch
 /var/run/elasticsearch</code>
 ==== graylog ====
 Zu guter letzt installieren wir nun noch Pakete **graylog** sowie das Zusatzprogramm **pwgen** zum Generieren von Passwörtern, natürlich auch dieses mal mit Unterstützung von **YUM**.
@@ Zeile 378: / Zeile 356: @@
    # rpm -qil graylog-server
 <code>Name        : graylog-server
-Version     : 2.2.0
+Version     : 2.3.1
-Release     : 11
+Release     : 1
 Architecture: noarch
-Install Date: Wed 15 Feb 2017 04:21:21 PM CET
+Install Date: Wed 27 Sep 2017 11:26:28 AM CEST
 Group       : optional
-Size        : 106769271
+Size        : 110416070
 License     : GPLv3
-Signature   : RSA/SHA1, Thu 09 Feb 2017 12:43:00 PM CET, Key ID d44c1d8db1606f22
+Signature   : RSA/SHA1, Fri 25 Aug 2017 03:57:24 PM CEST, Key ID d44c1d8db1606f22
-Source RPM  : graylog-server-2.2.0-11.src.rpm
+Source RPM  : graylog-server-2.3.1-1.src.rpm
-Build Date  : Thu 09 Feb 2017 12:42:54 PM CET
+Build Date  : Fri 25 Aug 2017 03:57:17 PM CEST
-Build Host  : f89729f86e48
+Build Host  : 5ee9456006b4
 Relocations : /
 Packager    : Graylog, Inc. <hello@graylog.org>
@@ Zeile 407: / Zeile 385: @@
 /usr/share/graylog-server/lib/sigar/libsigar-amd64-linux.so
 /usr/share/graylog-server/lib/sigar/libsigar-x86-linux.so
-/usr/share/graylog-server/plugin/graylog-plugin-anonymous-usage-statistics-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-anonymous-usage-statistics-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-beats-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-beats-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-collector-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-collector-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-enterprise-integration-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-enterprise-integration-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-map-widget-2.2.0.jar
+/usr/share/graylog-server/plugin/graylog-plugin-map-widget-2.3.1.jar
-/usr/share/graylog-server/plugin/graylog-plugin-pipeline-processor-2.2.0.jar</code>
+/usr/share/graylog-server/plugin/graylog-plugin-pipeline-processor-2.3.1.jar</code>
@@ Zeile 473: / Zeile 451: @@
 </pre></html>
 Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.
    # less /var/log/mongodb/mongod.log
@@ Zeile 603: / Zeile 581: @@
   Created symlink from /etc/systemd/system/multi-user.target.wants/setra256.service to /etc/systemd/system/setra256.service.
 === automatischer Start des Daemon ===
@@ Zeile 738: / Zeile 714: @@
 Geben wir ein falsches Passwort ein, wird natürlich der Zugang verwehrt.
-   # mongo -u "graylog-user" -p "7h3FBI15n07ar0ckb4and" 127.0.0.1:27017/graylog
+   # mongo -u "graylog-user" -p "7h3FBI15ar0ckb4and" 127.0.0.1:27017/graylog
   MongoDB shell version: 2.6.12
@@ Zeile 1369: / Zeile 1345: @@
 Anschließend informieren wir den **systemd** über unser "updatesicheres" Startscript.
    systemctl daemon-reload
 === Start des Daemon ===
@@ Zeile 2122: / Zeile 2092: @@
 <font style="color: rgb(0, 255, 0)"><b>● </b></font><font style="color: rgb(0, 0, 0)">graylog-server.service - Graylog server
    Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
-   Active: <font style="color: rgb(0, 255, 0)"><b>active (running) </b></font><font style="color: rgb(0, 0, 0)">since Mon 2015-12-28 14:27:40 CET; 6s ago
+   Active: <font style="color: rgb(0, 255, 0)"><b>active (running) </b></font><font style="color: rgb(0, 0, 0)">since Fri 2017-02-17 12:11:05 CET; 33min ago
      Docs: http://docs.graylog.org/
- Main PID: 5057 (graylog-server)
+ Main PID: 2832 (graylog-server)
    CGroup: /system.slice/graylog-server.service
-           ├─5057 /bin/sh /usr/share/graylog-server/bin/graylog-server
+           ├─2832 /bin/sh /usr/share/graylog-server/bin/graylog-server
-           └─5058 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UsePa...
+           └─2833 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+Us...
-Dec 28 14:27:40 vml000117.dmz.nausch.org systemd[1]: Started Graylog server.
+Feb 17 12:11:05 vml000117.dmz.nausch.org systemd[1]: Started Graylog server.
-Dec 28 14:27:40 vml000117.dmz.nausch.org systemd[1]: Starting Graylog server...</font>
+Feb 17 12:11:05 vml000117.dmz.nausch.org systemd[1]: Starting Graylog server...</font>
 </pre></html>
 Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.
-   # /var/log/elasticsearch/elasticsearch.log
+   # /var/log/graylog-server/server.log
-<code>Dec 28 14:27:40 vml000117.dmz.nausch.org systemd[1]: Started Graylog server.
+<code>2017-02-16T13:05:32.247+01:00 INFO  [CmdLineTool] Loaded plugin: Elastic Beats Input 2.2.0 [org.graylog.plugins.beats.BeatsInputPlugin]
-Dec 28 14:27:40 vml000117.dmz.nausch.org systemd[1]: Starting Graylog server...
+-02-16T13:05:32.250+01:00 INFO  [CmdLineTool] Loaded plugin: Collector 2.2.0 [org.graylog.plugins.collector.CollectorPlugin]
-[root@vml000117 yum.repos.d]# tailf /var/log/graylog-server/server.log
+-02-16T13:05:32.252+01:00 INFO  [CmdLineTool] Loaded plugin: Enterprise Integration Plugin 2.2.0 [org.graylog.plugins.enterprise_integration.EnterpriseIntegrationPlugin]
--12-28T14:27:55.595+01:00 INFO  [discovery] [vml000117] graylog/j4zrCy-gQpqKTAMqM_XGkg
+-02-16T13:05:32.254+01:00 INFO  [CmdLineTool] Loaded plugin: MapWidgetPlugin 2.2.0 [org.graylog.plugins.map.MapWidgetPlugin]
--12-28T14:27:55.609+01:00 INFO  [RestApiService] Enabling CORS for REST API
+-02-16T13:05:32.255+01:00 INFO  [CmdLineTool] Loaded plugin: Pipeline Processor Plugin 2.2.0 [org.graylog.plugins.pipelineprocessor.ProcessorPlugin]
--12-28T14:27:58.627+01:00 WARN  [discovery] [vml000117] waited for 3s and no initial state was set by the discovery
+-02-16T13:05:32.257+01:00 INFO  [CmdLineTool] Loaded plugin: Anonymous Usage Statistics 2.2.0 [org.graylog.plugins.usagestatistics.UsageStatsPlugin]
--12-28T14:27:58.627+01:00 INFO  [node] [vml000117] started
+-02-16T13:05:32.955+01:00 INFO  [CmdLineTool] Running with JVM arguments: -Xms1g -Xmx1g -XX:NewRatio=1 -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnable
--12-28T14:27:59.138+01:00 INFO  [service] [vml000117] detected_master [vml000117][EdAnadZuTiOjxFR7_Kvdrg][vml000117.dmz.nausch.org][inet[/10.0.0.117:9300]], added {[vml000117][EdAnadZuTiOjxFR7_Kvdrg][vml000117.dmz.nausch.org][inet[/10.0.0.117:9300]],}, reason: zen-disco-receive(from master [[vml000117][EdAnadZuTiOjxFR7_Kvdrg][vml000117.dmz.nausch.org][inet[/10.0.0.117:9300]]])
+d -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rp
--12-28T14:28:05.324+01:00 INFO  [IndexRotationThread] Deflector index <graylog_1> should be rotated, Pointing deflector to new index now!
+m
--12-28T14:28:05.324+01:00 INFO  [Deflector] Cycling deflector to next index now.
+-02-16T13:05:33.487+01:00 INFO  [Version] HV000001: Hibernate Validator null
--12-28T14:28:05.340+01:00 INFO  [Deflector] Cycling from <graylog_1> to <graylog_2>
+-02-16T13:05:39.765+01:00 INFO  [InputBufferImpl] Message journal is enabled.
--12-28T14:28:05.340+01:00 INFO  [Deflector] Creating index target <graylog_2>...
+-02-16T13:05:39.899+01:00 INFO  [NodeId] Node ID: 57cfc6d7-f241-4487-8661-f115d4f70fc8
--12-28T14:28:06.218+01:00 INFO  [Deflector] Waiting for index allocation of <graylog_2>
+-02-16T13:05:40.717+01:00 INFO  [LogManager] Loading logs.
--12-28T14:28:06.335+01:00 INFO  [Deflector] Done!
+-02-16T13:05:40.727+01:00 INFO  [LogManager] Logs loading complete.
--12-28T14:28:06.335+01:00 INFO  [Deflector] Pointing deflector to new target index....
+-02-16T13:05:40.805+01:00 INFO  [LogManager] Created log for partition [messagejournal,0] in /var/lib/graylog-server/journal with properties {file.delete.delay.ms -> 60000, compact -> false, max.mess
--12-28T14:28:06.531+01:00 INFO  [SystemJobManager] Submitted SystemJob <d4502600-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.ranges.CreateNewSingleIndexRangeJob]
+age.bytes -> 104857600, min.insync.replicas -> 1, segment.jitter.ms -> 0, index.interval.bytes -> 4096, min.cleanable.dirty.ratio -> 0.5, unclean.leader.election.enable -> true, retention.bytes -> 536870
--12-28T14:28:06.537+01:00 INFO  [CreateNewSingleIndexRangeJob] Calculating ranges for index graylog_1.
+, delete.retention.ms -> 86400000, flush.ms -> 60000, segment.bytes -> 104857600, segment.ms -> 3600000, retention.ms -> 43200000, flush.messages -> 1000000, segment.index.bytes -> 1048576}.
--12-28T14:28:06.610+01:00 INFO  [SystemJobManager] Submitted SystemJob <d4557d30-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.SetIndexReadOnlyJob]
+-02-16T13:05:40.806+01:00 INFO  [KafkaJournal] Initialized Kafka based journal at /var/lib/graylog-server/journal
--12-28T14:28:06.658+01:00 INFO  [SystemJobManager] Submitted SystemJob <d461b230-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.ranges.CreateNewSingleIndexRangeJob]
+-02-16T13:05:41.219+01:00 INFO  [InputBufferImpl] Initialized InputBufferImpl with ring size <65536> and wait strategy <BlockingWaitStrategy>, running 2 parallel message handlers.
--12-28T14:28:06.658+01:00 INFO  [Deflector] Done!
+-02-16T13:05:41.271+01:00 INFO  [cluster] Cluster created with settings {hosts=[127.0.01:27017], mode=SINGLE, requiredClusterType=UNKNOWN, serverSelectionTimeout='30000 ms', maxWaitQueueSize=5000}
--12-28T14:28:06.618+01:00 INFO  [CreateNewSingleIndexRangeJob] Calculating ranges for index graylog_2.
+-02-16T13:05:41.394+01:00 INFO  [cluster] No server chosen by ReadPreferenceServerSelector{readPreference=primary} from cluster description ClusterDescription{type=UNKNOWN, connectionMode=SINGLE, ser
--12-28T14:28:06.720+01:00 INFO  [MongoIndexRangeService] Calculated range of [graylog_1] in [182ms].
+verDescriptions=[ServerDescription{address=127.0.01:27017, type=UNKNOWN, state=CONNECTING}]}. Waiting for 30000 ms before timing out
--12-28T14:28:06.807+01:00 INFO  [CreateNewSingleIndexRangeJob] Created ranges for index graylog_1.
+-02-16T13:05:41.497+01:00 INFO  [connection] Opened connection [connectionId{localValue:1, serverValue:1}] to 127.0.01:27017
--12-28T14:28:06.807+01:00 INFO  [SystemJobManager] SystemJob <d4502600-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.ranges.CreateNewSingleIndexRangeJob] finished in 269ms.
+-02-16T13:05:41.504+01:00 INFO  [cluster] Monitor thread successfully connected to server with description ServerDescription{address=127.0.01:27017, type=STANDALONE, state=CONNECTED, ok=true, version
--12-28T14:28:06.879+01:00 INFO  [MongoIndexRangeService] Calculated range of [graylog_2] in [180ms].
+=ServerVersion{versionList=[2, 6, 12]}, minWireVersion=0, maxWireVersion=2, maxDocumentSize=16777216, roundTripTimeNanos=1297292}
--12-28T14:28:06.930+01:00 INFO  [CreateNewSingleIndexRangeJob] Created ranges for index graylog_2.
+-02-16T13:05:41.527+01:00 INFO  [connection] Opened connection [connectionId{localValue:2, serverValue:2}] to 127.0.01:27017
--12-28T14:28:06.931+01:00 INFO  [SystemJobManager] SystemJob <d461b230-ad66-11e5-8de7-5254005fa52f> [org.graylog2.indexer.ranges.CreateNewSingleIndexRangeJob] finished in 312ms.
+-02-16T13:05:42.486+01:00 INFO  [node] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] version[2.4.4], pid[2500], build[fcbb46d/2017-01-03T11:33:16Z]
--12-28T14:28:08.315+01:00 INFO  [RestApiService] Adding security context factory: <org.graylog2.security.ShiroSecurityContextFactory@79ffbf1a>
+-02-16T13:05:42.486+01:00 INFO  [node] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] initializing ...
--12-28T14:28:08.354+01:00 INFO  [RestApiService] Started REST API at <http://127.0.0.1:12900/>
+-02-16T13:05:42.498+01:00 INFO  [plugins] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] modules [], plugins [graylog-monitor], sites []
--12-28T14:28:08.355+01:00 INFO  [ServiceManagerListener] Services are healthy
+-02-16T13:05:46.715+01:00 INFO  [node] [graylog-57cfc6d7-f241-4487-8661-f115d4f70fc8] initialized
--12-28T14:28:08.357+01:00 INFO  [ServerBootstrap] Services started, startup times in ms: {InputSetupService [RUNNING]=5, OutputSetupService [RUNNING]=32, BufferSynchronizerService [RUNNING]=33, MetricsReporterService [RUNNING]=36, JournalReader [RUNNING]=45, KafkaJournal [RUNNING]=45, PeriodicalsService [RUNNING]=304, IndexerSetupService [RUNNING]=4286, RestApiService [RUNNING]=13364}
+-02-16T13:05:46.885+01:00 INFO  [ProcessBuffer] Initialized ProcessBuffer with ring size <65536> and wait strategy <BlockingWaitStrategy>.
--12-28T14:28:08.360+01:00 INFO  [ServerBootstrap] Graylog server up and running.
+-02-16T13:05:50.440+01:00 INFO  [RulesEngineProvider] No static rules file loaded.
--12-28T14:28:08.361+01:00 INFO  [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]</code>
+-02-16T13:05:50.926+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:50.936+01:00 INFO  [OutputBuffer] Initialized OutputBuffer with ring size <65536> and wait strategy <BlockingWaitStrategy>.
+-02-16T13:05:51.353+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:51.439+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:51.546+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:51.686+01:00 WARN  [GeoIpResolverEngine] GeoIP database file does not exist: /etc/graylog/server/GeoLite2-City.mmdb
+-02-16T13:05:52.601+01:00 INFO  [RoleServiceImpl] Admin role is missing or invalid, re-adding it as a built-in role.
+-02-16T13:05:52.779+01:00 INFO  [RoleServiceImpl] Reader role is missing or invalid, re-adding it as a built-in role.
+-02-16T13:05:53.824+01:00 INFO  [connection] Opened connection [connectionId{localValue:3, serverValue:3}] to 127.0.01:27017
+-02-16T13:05:54.030+01:00 INFO  [ServerBootstrap] Graylog server 2.2.0+d9681cb starting up
+-02-16T13:05:54.031+01:00 INFO  [ServerBootstrap] JRE: Oracle Corporation 1.8.0_121 on Linux 3.10.0-514.6.1.el7.x86_64
+-02-16T13:05:54.031+01:00 INFO  [ServerBootstrap] Deployment: rpm
+-02-16T13:05:54.031+01:00 INFO  [ServerBootstrap] OS: CentOS Linux 7 (Core) (centos)
+-02-16T13:05:54.032+01:00 INFO  [ServerBootstrap] Arch: amd64
+-02-16T13:05:54.050+01:00 WARN  [DeadEventLoggingListener] Received unhandled event of type <org.graylog2.plugin.lifecycles.Lifecycle> from event bus <AsyncEventBus{graylog-eventbus}>
+-02-16T13:05:54.129+01:00 INFO  [PeriodicalsService] Starting 26 periodicals ...</code>
+Mit einer Abfrage der geöffneten Ports, sehen wir unsere neu definierten Ports, wie z.B. den Port **9000** des JAVA-Prozesses, der die WEB-GUI bedient.
+   # netstat -tulpen
+<code>Active Internet connections (only servers)
+Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
+tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          33371      3352/master
+tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      184        18750      1172/mongod
+tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      996        18406      1129/java
+tcp6       0      0 ::1:9200                :::*                    LISTEN      996        19313      1129/java
+tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      996        19239      1129/java
+tcp6       0      0 ::1:9300                :::*                    LISTEN      996        19234      1129/java
+tcp6       0      0 127.0.0.1:9350          :::*                    LISTEN      995        31315      2833/java
+tcp6       0      0 ::1:9350                :::*                    LISTEN      995        31818      2833/java
+tcp6       0      0 10.0.0.117:9000         :::*                    LISTEN      995        31876      2833/java
+udp6       0      0 :::10514                :::*                                995        31584      2833/java</code>
 === automatischer Start des Daemon ===
 Damit der Daemon beim Hochfahren unseres Servers automatisch gestartet wird, nutzen wir folgenden Befehl.
@@ Zeile 2181: / Zeile 2180: @@
   enabled
-==== graylog v2 - WEB-GUI ====
+==== Apache Reverse-Proxy ====
-=== Apache Reverse-Proxy ===
 Da der **graylog-web**-Daemon __ohne__ Root-Rechte gestartet wird, können wir nur unprivilegierte Ports (Ports größer als 1024) definieren. Da wir aber die Graylog-Web-GUI auch von außen, über einen TLS geschützten Transportkanal ansprechen wollen, nutzen wir einen Apache-vHOST als Reverse-Proxy.
 Dazu legen wir uns folgende vHOST-Datei an.
    # vim /etc/httpd/conf.d/graylog.conf
 <file apache /etc/httpd/conf.d/graylog.conf>#
-# Django : 2015-12-28
+# Django : 2017-02-14
 #          vHost graylog
 #
+# Variablen der Hostvariablen
+Define vhost graylog
+Define errors_log logs/${vhost}_error.log
+Define access_log logs/${vhost}_access.log
+Define ssl_log logs/${vhost}_ssl_request.lo
-<VirtualHost 10.0.0.117:80>
+<VirtualHost 10.0.0.97:80>
     ServerAdmin webmaster@nausch.org
-    ServerName graylog.nausch.org
+    ServerName ${vhost}.nausch.org
     RewriteEngine on
@@ Zeile 2203: / Zeile 2208: @@
     # Welche Logdateien sollen beschrieben werden
-    CustomLog logs/graylog_access.log combined
+    SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
-    ErrorLog  logs/graylog_error.log
+    ErrorLog  ${errors_log}
-</VirtualHost>
+    CustomLog ${access_log} combined env=!dontlog
-<VirtualHost 10.0.0.117:443>
+</VirtualHost>
-    ServerAdmin webmaster@nausch.org
+<VirtualHost 10.0.0.97:443>
-    ServerName graylog.nausch.org
+    ServerAdmin webmaster@nausch.org
-    ServerPath /
+    ServerName ${vhost}.nausch.org
+    ServerPath /
     # Wer soll Zugriff auf die Webseite(n) bekommen?
     <Proxy *>
         Options +FollowSymLinks +Multiviews -Indexes
         AllowOverride None
@@ Zeile 2220: / Zeile 2226: @@
         AuthLDAPUrl ldaps://openldap.dmz.nausch.org:636/ou=People,dc=nausch,dc=org?uid
         AuthLDAPBindDN cn=Technischer_User,dc=nausch,dc=org
-        AuthLDAPBindPassword "e1n531f!D4xIi57n393I1354u!"
+        AuthLDAPBindPassword "e1n531f!D4xIi57n38103034u!"
         AuthLDAPBindAuthoritative on
-        Require ldap-user django icinga2
+        Require ldap-user graylog-admin
     </Proxy>
     # Welcher Inhalt soll angezeigt bzw. auf welchen Server sollen die HTTP-Requests weitergeleitet werden?
     ProxyRequests Off
-    ProxyPreserveHost On
+    ProxyPass / https://10.0.0.117/
-    ProxyPass / http://127.0.0.1:9000/
+    ProxyPassReverse / https://10.0.0.117/
-    ProxyPassReverse / http://127.0.0.1:9000/
+    <Location />
+        RequestHeader set X-Graylog-Server-URL "https://graylog.nausch.org/api/"
+        ProxyPass  http://10.0.0.117:9000/
+        ProxyPassReverse http://10.0.0.117:9000/
+    </Location>
+    <Location /api/>
+        ProxyPass http://10.0.0.117:9000/api/
+        ProxyPassReverse http://10.0.0.117:9000/api/
+    </Location>
     # Welche Logdateien sollen beschrieben werden
-    CustomLog logs/graylog_access.log combined
+    SetEnvIf Remote_Addr "10\.0\.0\.20" dontlog
-    ErrorLog  logs/graylog_error.log
+    ErrorLog  ${errors_log}
+    CustomLog ${access_log} combined env=!dontlog
+    CustomLog ${ssl_log} "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
     # Absicherung der Übertragung mit Hilfe von TLS
-    # Konfiguration bei Verwendung von mod_gnutls
+    # Django : 2015-10-04 - TLS-Verschlüsselung mit Hilfe von mod_ssl
-    <IfModule !mod_ssl.c>
+    SSLEngine on
-        <IfModule mod_gnutls.c>
+    # Definition der anzubietenden Protokolle
-            # Django : 2015-10-29 - TLS-Verschlüsselung mit Hilfe von mod_gnutls
+    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
-            GnuTLSEnable on
+    # Definition der Cipher
-            # Definition der anzubietenden Protokolle und Ciphers
+    SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384
-            GnuTLSPriorities PFS:-VERS-TLS-ALL:+VERS-TLS1.2:-ARCFOUR-128:+COMP-NULL:+CURVE-SECP384R1:+CURVE-SECP521R1
+    # Schlüsseldatei, mit der der CSR erstellt wurde
-            # Schlüsseldatei, mit der der CSR erstellt wurde
+    SSLCertificateKeyFile /etc/pki/tls/private/graylog.nausch.org.serverkey.pem
-            GnuTLSKeyFile /etc/pki/tls/private/graylog.nausch.org.serverkey.pem
+    # Zertifikatsdatei, die von der CA signiert wurde
-            # Zertifikatsdatei inkl. ggf. notwendiger Zwischen- und Root-Zertifikaten
+    SSLCertificateFile /etc/pki/tls/certs/graylog.nausch.org.certificate_161118.pem
-            # 1) Server-Zertifikat, 2) Intermediate-Root-Zertifikat und 3) Root-Zertifikat der CA
+    # Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s)
-            GnuTLSCertificateFile /etc/pki/tls/certs/graylog.nausch.org.certificatechain_150612.pem
+    SSLCertificateChainFile /etc/pki/tls/certs/AlphaSSL_Intermediate.certificate.pem
-            # Definition der Schlüssellänge für DHE und ECDHE
+    # Änderung der Cipherorder der Clients verneinen
-            # DHE Schlüssel mit einer Schlüssellänge von 4096 Bit verwenden; dieser wird 1x pro Tag via cronjob
+    SSLHonorCipherOrder on
-            # (/etc/cron.daily/edh_keygen) neu generiert und der Neustart des nginx-Daemon veranlasst!
+    # TLS 1.0 Kompremmierung deaktivieren (CRIME attacks)
-            GnuTLSDHFile /etc/pki/tls/private/dh_4096.pem
+    SSLCompression off
-            # Session-Tickets für Clients nicht anbieten (dieser könnte versuchen über Tickets die Session zu cachen).
+    # Online Certificate Status Protocol stapling zum Prüfen des Gültigkeitsstatus des Serverzertifikats.
-            GnuTLSSessionTickets off
+    SSLUseStapling on
-        </IfModule>
+    SSLStaplingResponderTimeout 5
-    </IfModule>
+    SSLStaplingReturnResponderErrors off
-    # Konfiguration bei Verwendung von mod_ssl
-    <IfModule mod_ssl.c>
-        <IfModule !mod_gnutls.c>
-           # Django : 2015-10-04 - TLS-Verschlüsselung mit Hilfe von mod_ssl
-            SSLEngine on
-            # Definition der anzubietenden Protokolle
-            SSLProtocol All -SSLv2 -SSLv3
-            # Definition der Cipher
-            SSLCipherSuite "AES256+EECDH +AEAD"
-            # Schlüsseldatei, mit der der CSR erstellt wurde
-            SSLCertificateKeyFile /etc/pki/tls/private/graylog.nausch.org.serverkey.pem
-            # Zertifikatsdatei, die von der CA signiert wurde
-            SSLCertificateFile /etc/pki/tls/certs/graylog.nausch.org.certificate_150612.pem
-            # Zertifikatsdatei des bzw. der Intermediate-Zertifikate(s)
-            SSLCertificateChainFile /etc/pki/tls/certs/CAcert_class3.pem
-            # Änderung der Cipherorder der Clienets verneinen
-            SSLHonorCipherOrder on
-            # TLS 1.0 Kompremmierung deaktivieren (CRIME attacks)
-            SSLCompression off
-        </IfModule>
-    </IfModule>
-    # special stuff ###
     # HTTP Strict Transport Security (HSTS), bei dem der Server dem Client im HTTP-Header mitteilt,
     # dass dieser nur noch verschlüsselt mit dem Server kommunizieren soll.
-    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
+    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
     # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
@@ Zeile 2288: / Zeile 2283: @@
     # this particular website if it was disabled by the user.
     # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-    Header set X-XSS-Protection "1; mode=block"
+    Header always set X-Xss-Protection "1; mode=block"
     # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
@@ Zeile 2296: / Zeile 2291: @@
     # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
     # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
-    Header set X-Content-Type-Options nosniff
+    # Sofern die Datei auch den entsprechenden MIME-Typ "text/css" entspricht, soll der Browser
+    # CSS-Dateien nur als CSS interprätieren.
+    Header always set X-Content-Type-Options nosniff
     # config to don't allow the browser to render the page inside an frame or iframe
@@ Zeile 2302: / Zeile 2299: @@
     # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
     # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
-    header set X-Frame-Options SAMEORIGIN
+    header always set X-Frame-Options DENY
+    # hide server header (apache and php version)
+    Header always unset Server
+    # Only allow JavaScript from the same domain to be run.
+    # don't allow inline JavaScript to run.
+    Header always set X-Content-Security-Policy "allow 'self';"
+    # Add Secure and HTTP only attributes to cookies
+    Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
+    # prevent Clickjacking Attack
+    Header always set X-Frame-Options "SAMEORIGIN"
+    # hkpk-stuff
+    Header always set Public-Key-Pins "pin-sha256=\"nMiOpb6vUnjCoWCkPZkDaG4D8SNWzFTsQf2ZfruLno0=\"; pin-sha256=\"INhxSQ38nCS6ijaAAyo4xAhAZj9xeL3X4ak+GGiM2fo=\"; max-age=2592000; report-uri=\"https://nausch.report-uri.io/r/default/hpkp/enforce\""
 </VirtualHost>
 </file>
@@ Zeile 2315: / Zeile 2327: @@
    # systemctl restart httpd.service
-=== /etc/graylog/web/web.conf ===
-Die installationsspezifische kundenindividuelle Konfiguration der **graylog-web GUI** wird über dessen Konfigurationsdatei //**/etc/graylog/web/web.conf**// vorgenommen.
-Wie schon bei der Konfiguration des **[[centos:web_c7:graylog#etc_graylog_server_serverconf|graylog-servers]]** erstellen wir uns, vor der Bearbeitung der Konfigurationsdatei, noch einen **Passwort-Hash**, mit dem die Nutzerpassworte verschlüsselt werden. Diesen hash-Wert erstellen wir wie folgt:
-   # pwgen -N 1 -s 128
-  KM2OhCgRuTJe9f7bOr0uOtGcX45TB5kmF4L4Ty44bRUlu1y2qh0eDbs613Bv4QFk0ftGzuASpSW5DDBqpSKIlcdI39WdVHBSo33AoPZgKiABd7G7FduhKIMZVjiE7lod
-Diese beiden Werte hinterlegen wir nun in der Konfigurationsdatei unseres **graylog-web**-Daemon und passen anschließend die Konfigurationsoptionen unserer Umgebung an. Änderungen an den Default-Werten sind mit **Django : <Zeitstempel>** gekennzeichnet
-   # vim /etc/graylog/web/web.conf
-<file bash /etc/graylog/web/web.conf># graylog2-server REST URIs (one or more, comma separated) For example: "http://127.0.0.1:12900/,http://127.0.0.1:12910/"
-# Django : 2015-12-28
-# default: graylog2-server.uris=""
-graylog2-server.uris="http://127.0.0.1:12900/"
-# Learn how to configure custom logging in the documentation:
-#    http://docs.graylog.org/en/latest/pages/installation.html#manual-setup-graylog-web-interface-on-linux
-# Secret key
-# ~~~~~
-# The secret key is used to secure cryptographics functions. Set this to a long and randomly generated string.
-# If you deploy your application to several instances be sure to use the same key!
-# Generate for example with: pwgen -N 1 -s 96
-# Django : 2015-12-28
-# default: application.secret=""
-application.secret="KM2OhCgRuTJe9f7bOr0uOtGcX45TB5kmF4L4Ty44bRUlu1y2qh0eDbs613Bv4QFk0ftGzuASpSW5DDBqpSKIlcdI39WdVHBSo33AoPZgKiABd7G7FduhKIMZVjiE7lod"
-# Web interface timezone
-# Graylog stores all timestamps in UTC. To properly display times, set the default timezone of the interface.
-# If you leave this out, Graylog will pick your system default as the timezone. Usually you will want to configure it explicitly.
-# timezone="Europe/Berlin"
-# Django : 2015-12-28
-# default: unset
-timezone="Europe/Berlin"
-# Message field limit
-# Your web interface can cause high load in your browser when you have a lot of different message fields. The default
-# limit of message fields is 100. Set it to 0 if you always want to get all fields. They are for example used in the
-# search result sidebar or for autocompletion of field names.
-field_list_limit=100
-# Use this to run Graylog with a path prefix
-#application.context=/graylog2
-# You usually do not want to change this.
-application.global=lib.Global
-# Global timeout for communication with Graylog server nodes; default: 5s
-#timeout.DEFAULT=5s
-# Accept any server certificate without checking for validity; required if using self-signed certificates.
-# Default: true
-# graylog2.client.accept-any-certificate=true
-</file>
-=== Start des Daemon ===
-Nun ist es an der Zeit den die Web-GUI **graylog-web** zu starten.
-   # systemctl start graylog-web.service
-Den Serverstatus können wir wie folgt abfragen.
-   # systemctl status graylog-web.service
-<html><pre class="code">
-<font style="color: rgb(0, 255, 0)"><b>● </b></font><font style="color: rgb(0, 0, 0)">graylog-web.service - Graylog web interface
-   Loaded: loaded (/usr/lib/systemd/system/graylog-web.service; enabled; vendor preset: disabled)
-   Active: <font style="color: rgb(0, 255, 0)"><b>active (running) </b></font><font style="color: rgb(0, 0, 0)">since Mon 2015-12-28 15:21:52 CET; 11s ago
-     Docs: http://docs.graylog.org/
- Main PID: 8767 (graylog-web)
-   CGroup: /system.slice/graylog-web.service
-           ├─8767 /bin/sh /usr/share/graylog-web/bin/graylog-web
-           └─8768 java -Xms1024m -Xmx1024m -XX:ReservedCodeCacheSize=128m -Dconfig.file=/etc/graylog/web/web.conf -Dlogger.file=/etc/graylog/web/logback.xml -Dpidfile.path=/dev/...
-Dec 28 15:21:52 vml000117.dmz.nausch.org systemd[1]: Started Graylog web interface.
-Dec 28 15:21:52 vml000117.dmz.nausch.org systemd[1]: Starting Graylog web interface...
-Dec 28 15:21:53 vml000117.dmz.nausch.org graylog-web[8767]: Play server process ID is 8768</font>
-</pre></html>
-Der erfolgreiche Start des Servers wird auch in dessen Logdatei protokolliert.
-   # /var/log/graylog-web/application.log
-<code>2015-12-28T15:21:56.752+01:00 - [INFO] - from play in main
-Application started (Prod)
--12-28T15:21:56.812+01:00 - [INFO] - from play in main
-Listening for HTTP on /10.0.0.117:9000</code>
-=== automatischer Start des Daemon ===
-Damit der Daemon beim Hochfahren unseres Servers automatisch gestartet wird, nutzen wir folgenden Befehl.
-   # systemctl enable graylog-web.service
-  Created symlink from /etc/systemd/system/multi-user.target.wants/graylog-web.service to /usr/lib/systemd/system/graylog-web.service.
-Wollen wir wissen, ob die Autostartfunktion bereits gesetzt ist, verwenden wir diesen Aufruf.
-   # systemctl is-enabled graylog-web.service
-  enabled
 ==== Paketfilter/Firewall  ====
-=== graylog-web ===
+=== graylog v2 WEB-GUI ===
 Unter **CentOS 7** wird als Standard-Firewall die dynamische **firewalld** verwendet. Ein großer Vorteil der dynamischen Paketfilterregeln ist unter anderem, dass zur Aktivierung der neuen Firewall-Regel(n) nicht der Daemon durchgestartet werden muss und somit alle aktiven Verbindungen kurz getrennt werden. Sondern unsere Änderungen können **//on-the-fly//** aktiviert oder auch wieder deaktiviert werden.
@@ Zeile 2440: / Zeile 2356: @@
    # ps aux | grep graylog-server
-<code bash>graylog   1382  0.0  0.0 113116  1404 ?        Ss    2015   0:00 /bin/sh /usr/share/graylog-server/bin/graylog-server
+<code bash>graylog   2832  0.0  0.0 113120  1368 ?        Ss   12:11   0:00 /bin/sh /usr/share/graylog-server/bin/graylog-server
-graylog   1391  3.4 17.4 3875072 1396880 ?     Sl    2015 190:29 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -jar -Dlog4j.configuration=file:///etc/graylog/server/log4j.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np</code>
+graylog   2833  7.1 13.2 3874092 1087156 ?     Sl   12:11   4:39 /usr/bin/java -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -jar -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np
+root      3965  0.0  0.0 112648   924 pts/0    R+   13:16   0:00 grep --color=auto graylog-server</code>
 Somit können wir keine bei der Definition von **[[https://graylog.nausch.org/system/inputs|Eingangskanälen]]** (Inputs) keine dieser privilegierte Ports direkt ansprechen. Bei vielen Netzwerkgeräten, wie Router, Switche oder Telefone kann man bei der Definition des Syslog-Dienstes nur den Namen bzw. IP-Adresse des Zielservers angeben, nicht aber die den vordefinierten Port **514**.
@@ Zeile 2475: / Zeile 2392: @@
 Nachdem wir unseren graylog-Server erfolgreich vorbereitet haben, werden wir nun unsere Linux-Hosts so konfigurieren, dass diese ihre syslog-Meldungen zu unserem zentralem syslog-/graylog-Server senden.
-Das Weiterleiten der Syslogmeldungen ist nicht sonderlich schwer zu konfigurieren. Das Wichtigste das es zu beachten gibt, ist, dass die Meldungen gemäß dem **[[https://www.ietf.org/rfc/rfc5424.txt|RFC 5424]]** formatiert werden.
+Das Weiterleiten der Syslogmeldungen ist nicht sonderlich schwer zu konfigurieren. Das Wichtigste das es zu beachten gibt, ist, dass die Meldungen gemäss dem **[[https://www.ietf.org/rfc/rfc5424.txt|RFC 5424]]**, insbesondere ist darauf zu achten dass die Meldungen dem **[[http://www.rsyslog.com/tag/rfc5424/|RSYSLOG_SyslogProtocol23Format]]** entsprechend formatiert werden.
 ==== UDP ====
@@ Zeile 2498: / Zeile 2415: @@
 #*.* @@remote-host:514
 #
-# Django : 2015-06-12
+# Django : 2017-02-14
 $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
-*.* @10.0.0.117:514;GRAYLOGRFC5424
+*.* @10.0.0.117:514;RSYSLOG_SyslogProtocol23Format
 #
 # ### end of the forwarding rule ###</code>
@@ Zeile 2528: / Zeile 2445: @@
 #*.* @@remote-host:514
 #
-# Django : 2015-06-12
+# Django : 2017-02-14
 $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
-*.* @@10.0.0.117:514;GRAYLOGRFC5424
+*.* @@10.0.0.117:514;RSYSLOG_SyslogProtocol23Format
 #
 # ### end of the forwarding rule ###</code>
@@ Zeile 2699: / Zeile 2616: @@
 -rw-r--r--. 1 root root 3 Jan  3 19:40 serial</code>
+<code>/etc/pki/CA
+├── certs
+├── crl
+├── csrs
+├── index.txt
+├── newcerts
+├── private
+└── serial</code>
+Die CA-Konfigurationsdatei passen wir noch unseren Wünschen entsprechend an.
+   # vim /etc/pki/tls/openssl.cnf
+<file bash /etc/pki/tls/openssl.cnf>#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+####################################################################
+[ CA_default ]
+dir		= /etc/pki/CA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+# Django : 2017-02-14
+# default: certificate  = $dir/cacert.pem       # The CA certificate
+certificate     = $dir/certs/root-ca.certifikate.pem
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+# Django : 2017-02-14
+# default: private_key	= $dir/private/cakey.pem   # The private key
+private_key	= $dir/private/root-ca.key.pem
+RANDFILE	= $dir/private/.rand	# private random number file
+x509_extensions	= usr_cert		# The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+# Extension copying option: use with caution.
+# copy_extensions = copy
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+default_days	= 365			# how long to certify for
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use SHA-256 by default
+preserve	= no			# keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+####################################################################
+[ req ]
+default_bits		= 2048
+default_md		= sha256
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+# req_extensions = v3_req # The extensions to add to a certificate request
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+countryName_default		= XX
+countryName_min			= 2
+countryName_max			= 2
+stateOrProvinceName		= State or Province Name (full name)
+#stateOrProvinceName_default	= Default Province
+localityName			= Locality Name (eg, city)
+localityName_default		= Default City
+.organizationName		= Organization Name (eg, company)
+.organizationName_default	= Default Company Ltd
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+organizationalUnitName		= Organizational Unit Name (eg, section)
+#organizationalUnitName_default	=
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+emailAddress			= Email Address
+emailAddress_max		= 64
+# SET-ex3			= SET extension number 3
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+unstructuredName		= An optional company name
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+# Some might want this also
+# nsCertType = sslCA, emailCA
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+####################################################################
+[ tsa ]
+default_tsa = tsa_config1	# the default TSA section
+[ tsa_config1 ]
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)</file>
 === privaten Schlüssel und selbstsigniertes Root CA Zertifikat erstellen ===
 Als erstes werden wir uns nun den privaten Schlüssel unserer Root CA generieren, in zugehöriges Zertifikat erzeugen und dieses mit dem privaten Schlüssel der CA unterschreiben; all das passiert bei nachfolgendem Befehlsaufruf. Zur besseren Unterscheidung sind die Eingaben sowohl kursiv und fett gedruckt in der Farbe <html><font style="color: rgb(0, 0, 255)"><i><b>blau</b></i></font></html> und die Rückmeldungen in der Farbe <html><font style="color: rgb(102, 102, 102)"><b>grau</b></font></html> gekennzeichnet.
@@ Zeile 2730: / Zeile 3015: @@
 <font style="color: rgb(102, 102, 102)">Email Address []:</font><font style="color: rgb(0, 0, 255)"><b><i>ca-admin@nausch.org</i></b></font>
 </pre></html>
+Sowohl Zertifikat und der Schlüssel des gerade erzeugten Root Zertifikates liegen nun in unserem CA-Systemverzeichnis.
+<code>/etc/pki/CA
+├── certs
+│   └── root-ca.certifikate.pem
+├── crl
+├── csrs
+├── index.txt
+├── newcerts
+├── private
+│   └── root-ca.key.pem
+└── serial</code>
 === privaten Schlüssel der Root CA schützen ===
@@ Zeile 2955: / Zeile 3252: @@
 <html><pre class="code">
 <font style="color: rgb(0, 0, 0)"># </font><font style="color: rgb(0, 0, 255)"><b><i>openssl pkcs8 -topk8 -in /etc/pki/tls/private/graylog-server.dmz.nausch.org.key.pem \
-          -inform pem -out /etc/pki/tls/private/graylog-server.dmz.nausch.org.key_pk8.pem -outform pem -nocrypt</i></b></font>
+          -inform pem -out /etc/pki/tls/private/graylog-server.dmz.nausch.org.key_pk8.pem \
+          -outform pem -nocrypt</i></b></font>
 </pre></html>
@@ Zeile 3157: / Zeile 3455: @@
 </pre></html>
-=== erstellte Zertifikat dem gralog-server zur Verfügung stellen ===
+=== erstellte Zertifikat dem graylog-server zur Verfügung stellen ===
 Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem graylog-server zur Verfügung. Hierzu kopieren wir einfach das gerade generierte Zertifikat an Ort und Stelle.
    # cp /etc/pki/CA/certs/graylog-server.dmz.nausch.org.certificate.pem /etc/pki/tls/certs/
@@ Zeile 3652: / Zeile 3950: @@
 kY+Z9s9+By5IVw==
 -----END CERTIFICATE-----</code>
 === erstellte Zertifikat dem rsyslog-Daemon auf dem Clientrechner zur Verfügung stellen ===
-Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem graylog-server zur Verfügung. Entweder kopieren wir das Zertifikat via **scp** auf den Clientrechner oder wir legen das BASE64 kodierte Zertifikat direkt mit dem Editor unserer Wahl auf dem Client Host ab.
+Als letzten Schritt stellen wir nun das gerade erzeugte Server-Zertifikat dem rsyslog-Daemon auf dem Client-Rechner zur Verfügung. Entweder kopieren wir das Zertifikat via **scp** auf den Clientrechner oder wir legen das BASE64 kodierte Zertifikat direkt mit dem Editor unserer Wahl auf dem Client Host ab.
    # vim /etc/pki/tls/certs/rsyslog.vml000037.dmz.nausch.org.certificate.pem
@@ Zeile 3694: / Zeile 3993: @@
 kY+Z9s9+By5IVw==
 -----END CERTIFICATE-----</code>
+=== Ein Zertifikat revoken ===
+Will man ein ausgestelltes Zertifikat zurückziehen (revoken) nutzen wir ebenfalls das Programm **openssl**.
+   # openssl ca -revoke /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
+  Using configuration from /etc/pki/tls/openssl.cnf
+  Enter pass phrase for /etc/pki/CA/private/root-ca.key.pem:
+  Revoking Certificate 02.
+  Data Base Updated
 ===== Konfiguration graylog-server =====
@@ Zeile 3840: / Zeile 4149: @@
 # The imjournal module bellow is now used as a message source instead of imuxsock.
 $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
-$ModLoad imjournal # provides access to the systemd journal
+# Django : 2017-09-26
+# default: $ModLoad imjournal # provides access to the systemd journal
 #$ModLoad imklog # reads kernel messages (the same are read from journald)
 #$ModLoad immark  # provides --MARK-- message capability
@@ Zeile 3870: / Zeile 4180: @@
 # Turn off message reception via local log socket;
 # local messages are retrieved through imjournal now.
-$OmitLocalLogging on
+# Django : 2017-09-26
+# default: $OmitLocalLogging on
 # File to store the position in the journal
-$IMJournalStateFile imjournal.state
+# Django : 2017-09-26
+# default: $IMJournalStateFile imjournal.state
 # Django : 2016-01-03 - certificate files for TLS
@@ Zeile 3940: / Zeile 4252: @@
 # Django : 2016-01-03
 $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
-*.* @@10.0.0.117:6514;GRAYLOGRFC5424
+*.* @@10.0.0.117:6514;RSYSLOG_SyslogProtocol23Format
 #
 # ### end of the forwarding rule ###</file>
@@ Zeile 3960: / Zeile 4272: @@
 Alles in allem können wir feststellen, dass mit einem überschaubaren Aufwand, die Kommunikation zwischen den rsyslog-Clients und unserem graylog-server sicher und nur noch von authorisierten Quellen gestattet werden kann.
+==== Zertifikatsgenerierung und Clientkonfiguration ====
+==== Zertifikatserstellung optimieren ====
+Um nun bei der Generierung der Zertifikats-Requests und der Erstellung der zugehörigen Zertifikate nicht jedesmal die benötigten Angaben erneut eintippen zu müssen werden wir nun die wiederkehrenden Informationen in der Konfigurationsdatei //**/etc/pki/tls/openssl.cnf**// hinterlegen.
+   # vim /etc/pki/tls/openssl.cnf
+<file bash /etc/pki/tls/openssl.cnf>#
+# OpenSSL example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
+RANDFILE		= $ENV::HOME/.rnd
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
+oid_section		= new_oids
+# To use this configuration file with the "-extfile" option of the
+# "openssl x509" utility, name here the section containing the
+# X.509v3 extensions to use:
+# extensions		=
+# (Alternatively, use a configuration file that has only
+# X.509v3 extensions in its main [= default] section.)
+[ new_oids ]
+# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
+# Add a simple OID like this:
+# testoid1=1.2.3.4
+# Or use config file substitution like this:
+# testoid2=${testoid1}.5.6
+# Policies used by the TSA examples.
+tsa_policy1 = 1.2.3.4.1
+tsa_policy2 = 1.2.3.4.5.6
+tsa_policy3 = 1.2.3.4.5.7
+####################################################################
+[ ca ]
+default_ca	= CA_default		# The default ca section
+####################################################################
+[ CA_default ]
+dir		= /etc/pki/CA		# Where everything is kept
+certs		= $dir/certs		# Where the issued certs are kept
+crl_dir		= $dir/crl		# Where the issued crl are kept
+database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir/newcerts		# default place for new certs.
+# Django : 2017-02-14
+# default: certificate	= $dir/cacert.pem 	# The CA certificate
+certificate	= $dir/certs/root-ca.certifikate.pem
+serial		= $dir/serial 		# The current serial number
+crlnumber	= $dir/crlnumber	# the current crl number
+					# must be commented out to leave a V1 CRL
+crl		= $dir/crl.pem 		# The current CRL
+# Django : 2017-02-14
+# default: private_key	= $dir/private/cakey.pem   # The private key
+private_key	= $dir/private/root-ca.key.pem
+RANDFILE	= $dir/private/.rand	# private random number file
+x509_extensions	= usr_cert		# The extentions to add to the cert
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+# Extension copying option: use with caution.
+# copy_extensions = copy
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions	= crl_ext
+# Django : 2017-02-14
+# default: default_days	= 365			# how long to certify for
+default_days	= 10950
+default_crl_days= 30			# how long before next CRL
+default_md	= sha256		# use SHA-256 by default
+preserve	= no			# keep passed DN ordering
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy		= policy_match
+# For the CA policy
+[ policy_match ]
+countryName		= match
+stateOrProvinceName	= match
+organizationName	= match
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName		= optional
+stateOrProvinceName	= optional
+localityName		= optional
+organizationName	= optional
+organizationalUnitName	= optional
+commonName		= supplied
+emailAddress		= optional
+####################################################################
+[ req ]
+# Django : 2017-02-14
+# default: default_bits		= 2048
+default_bits		= 4096
+default_md		= sha256
+default_keyfile 	= privkey.pem
+distinguished_name	= req_distinguished_name
+attributes		= req_attributes
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+# This sets a mask for permitted string types. There are several options.
+# default: PrintableString, T61String, BMPString.
+# pkix	 : PrintableString, BMPString (PKIX recommendation before 2004)
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
+# MASK:XXXX a literal mask value.
+# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
+string_mask = utf8only
+# req_extensions = v3_req # The extensions to add to a certificate request
+[ req_distinguished_name ]
+countryName			= Country Name (2 letter code)
+# Django : 2017-02-14
+# default: countryName_default		= XX
+countryName_default		= DE
+countryName_min			= 2
+countryName_max			= 2
+stateOrProvinceName		= State or Province Name (full name)
+# Django : 2017-02-14
+# default: #stateOrProvinceName_default	= Default Province
+stateOrProvinceName_default	= Bayern
+localityName			= Locality Name (eg, city)
+# Django : 2017-02-14
+# default: localityName_default		= Default City
+localityName_default		= Pliening
+.organizationName		= Organization Name (eg, company)
+# Django : 2017-02-14
+# default: 0.organizationName_default	= Default Company Ltd
+.organizationName_default	= nausch.org
+# we can do this but it is not needed normally :-)
+#1.organizationName		= Second Organization Name (eg, company)
+#1.organizationName_default	= World Wide Web Pty Ltd
+organizationalUnitName		= Organizational Unit Name (eg, section)
+# Django : 2017-02-14
+# default: #organizationalUnitName_default	=
+organizationalUnitName_default	= IT-Monitoring
+commonName			= Common Name (eg, your name or your server\'s hostname)
+commonName_max			= 64
+emailAddress			= Email Address
+emailAddress_max		= 64
+# Django : 2017-02-14
+# default: unset
+emailAddress_default		= graylog-admin@nausch.org
+# SET-ex3			= SET extension number 3
+[ req_attributes ]
+challengePassword		= A challenge password
+challengePassword_min		= 4
+challengePassword_max		= 20
+unstructuredName		= An optional company name
+[ usr_cert ]
+# These extensions are added when 'ca' signs a request.
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+[ v3_req ]
+# Extensions to add to a certificate request
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+[ v3_ca ]
+# Extensions for a typical CA
+# PKIX recommendation.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# This is what PKIX recommends but some broken software chokes on critical
+# extensions.
+#basicConstraints = critical,CA:true
+# So we do this instead.
+basicConstraints = CA:true
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+# keyUsage = cRLSign, keyCertSign
+# Some might want this also
+# nsCertType = sslCA, emailCA
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+[ crl_ext ]
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+[ proxy_cert_ext ]
+# These extensions should be added when creating a proxy certificate
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+basicConstraints=CA:FALSE
+# Here are some examples of the usage of nsCertType. If it is omitted
+# the certificate can be used for anything *except* object signing.
+# This is OK for an SSL server.
+# nsCertType			= server
+# For an object signing certificate this would be used.
+# nsCertType = objsign
+# For normal client use this is typical
+# nsCertType = client, email
+# and for everything including object signing:
+# nsCertType = client, email, objsign
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+# This will be displayed in Netscape's comment listbox.
+nsComment			= "OpenSSL Generated Certificate"
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+# Copy subject details
+# issuerAltName=issuer:copy
+#nsCaRevocationUrl		= http://www.domain.dom/ca-crl.pem
+#nsBaseUrl
+#nsRevocationUrl
+#nsRenewalUrl
+#nsCaPolicyUrl
+#nsSslServerName
+# This really needs to be in place for it to be a proxy certificate.
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
+####################################################################
+[ tsa ]
+default_tsa = tsa_config1	# the default TSA section
+[ tsa_config1 ]
+# These are used by the TSA reply generation only.
+dir		= ./demoCA		# TSA root directory
+serial		= $dir/tsaserial	# The current serial number (mandatory)
+crypto_device	= builtin		# OpenSSL engine to use for signing
+signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
+					# (optional)
+certs		= $dir/cacert.pem	# Certificate chain to include in reply
+					# (optional)
+signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
+default_policy	= tsa_policy1		# Policy if request did not specify it
+					# (optional)
+other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
+digests		= sha1, sha256, sha384, sha512	# Acceptable message digests (mandatory)
+accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
+clock_precision_digits  = 0	# number of digits after dot. (optional)
+ordering		= yes	# Is ordering defined for timestamps?
+				# (optional, default: no)
+tsa_name		= yes	# Must the TSA name be included in the reply?
+				# (optional, default: no)
+ess_cert_id_chain	= no	# Must the ESS cert id chain be included?
+				# (optional, default: no)</file>
+==== Bearbeitungsschritte bei neunen rsyslog Clients ====
+Bei einem neune Client, den wir an unseren graylog Server anbinden wollen, sind nun zusammengefasst folgende Schritte nötig (im nachfolgenden Beispiel für Host vml000137):
+  * auf dem **graylog** Server:
+    - Schlüssel für den rsyslog-Client erzeugen <code> # openssl genrsa -out /etc/pki/tls/clientkey.pem -aes256 4096</code>
+    - Passphrase des gerade erzeiugten Client-Schlüssels entfernen <code> # openssl rsa -in /etc/pki/tls/clientkey.pem -out /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem</code>
+    - Schlüssel mit passphrase vernichten <code> # shred -u /etc/pki/tls/clientkey.pem</code>
+    - Schlüssel auf den Clientrechner transferieren <code> # cat /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem</code><code> # vim /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem</code>
+    - Zertificatsrequest erzeugen <code> # openssl req -new -key /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem \
+           -out /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.csr.pem -nodes</code>
+    - Zertifikatsrequest der eigenen CA vorlegen. <code> # cp -a /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.csr.pem \
+            /etc/pki/CA/csrs/ </code>
+    - Zertifikatsrequest durch die CA bearbeiten und Zertifikat erzeugen. <code> # openssl ca -in /etc/pki/CA/csrs/rsyslog.vml000137.dmz.nausch.org.csr.pem \
+           -out /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem</code>
+    - Zertifikat ausgeben und auf den Client-/rsyslog-Host transferieren.<code> # cat /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem</code><code> # vim /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem</code>
+    - Clientzertifikat dem graylog Server bekannt machden. <code> # cp /etc/pki/CA/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem \
+           /etc/pki/tls/graylog-client-certs/</code>
+    - Root CA Zertifikat dem Client zur Verfügung stellen. <code> # cat /etc/pki/CA/certs/root-ca.certifikate.pem</code><code> # vim /etc/pki/CA/certs/root-ca.certifikate.pem</code>
+    - **rsyslog-gnutls** auf dem Client installieren. <code> # yum install rsyslog-gnutls -y</code>
+    - originale rsyslog-Konfigurationsdatei sichern. <code> # cp -a /etc/rsyslog.conf /etc/rsyslog.conf.orig</code>
+    - rsyslog konfigurieren. <code> # vim /etc/rsyslog.conf</code><file bash /etc/rsyslog.conf># rsyslog configuration file
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+#### MODULES ####
+# Django : 2017-2-14
+# default: unset
+$DefaultNetstreamDriver gtls #make gtls driver the default
+# The imjournal module bellow is now used as a message source instead of imuxsock.
+$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
+# Django : 2017-09-26
+# default: $ModLoad imjournal # provides access to the systemd journal
+#$ModLoad imklog # reads kernel messages (the same are read from journald)
+#$ModLoad immark  # provides --MARK-- message capability
+# Provides UDP syslog reception
+#$ModLoad imudp
+#$UDPServerRun 514
+# Provides TCP syslog reception
+#$ModLoad imtcp
+#$InputTCPServerRun 514
+#### GLOBAL DIRECTIVES ####
+# Where to place auxiliary files
+$WorkDirectory /var/lib/rsyslog
+# Use default timestamp format
+$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+# File syncing capability is disabled by default. This feature is usually not required,
+# not useful and an extreme performance hit
+#$ActionFileEnableSync on
+# Include all config files in /etc/rsyslog.d/
+$IncludeConfig /etc/rsyslog.d/*.conf
+# Turn off message reception via local log socket;
+# local messages are retrieved through imjournal now.
+# Django : 2017-09-26
+# default: $OmitLocalLogging on
+# File to store the position in the journal
+# Django : 2017-09-26
+# default: $IMJournalStateFile imjournal.state
+# Django : 2017-02-14 - certificate files for TLS
+# default: unset
+$DefaultNetstreamDriverCAFile   /etc/pki/ca-trust/source/anchors/root-ca.nausch.org.pem
+$DefaultNetstreamDriverCertFile /etc/pki/tls/certs/rsyslog.vml000137.dmz.nausch.org.certificate.pem
+$DefaultNetstreamDriverKeyFile  /etc/pki/tls/private/rsyslog.vml000137.dmz.nausch.org.key.pem
+$ActionSendStreamDriverAuthMode x509/name
+$ActionSendStreamDriverPermittedPeer graylog-server.dmz.nausch.org
+#          run driver in TLS-only mode
+$ActionSendStreamDriverMode 1
+#### RULES ####
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.*                                                 /dev/console
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none                /var/log/messages
+# The authpriv file has restricted access.
+authpriv.*                                              /var/log/secure
+# Log all the mail messages in one place.
+mail.*                                                  -/var/log/maillog
+# Log cron stuff
+cron.*                                                  /var/log/cron
+# Everybody gets emergency messages
+*.emerg                                                 :omusrmsg:*
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit                                          /var/log/spooler
+# Save boot messages also to boot.log
+local7.*                                                /var/log/boot.log
+# ### begin forwarding rule ###
+# The statement between the begin ... end define a SINGLE forwarding
+# rule. They belong together, do NOT split them. If you create multiple
+# forwarding rules, duplicate the whole block!
+# Remote Logging (we use TCP for reliable delivery)
+#
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
+#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
+#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
+#$ActionQueueType LinkedList   # run asynchronously
+#$ActionResumeRetryCount -1    # infinite retries if host is down
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @@remote-host:514
+#
+# Django : 2017-02-14
+$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
+*.* @10.0.0.117:6514;RSYSLOG_SyslogProtocol23Format
+#
+# ### end of the forwarding rule ###</file>
+    - rsyslog-Daemon neu starten zum Aktivieren der Konfigurationsänderung.<code> # systemctl restart rsyslog.service</code>
+<WRAP center round important 90%>
+**FAZIT**:
+Mit Hilfe dieser 14 Bearbeitungsschritte kann nicht nur der Übertragungsweg zwischen rsyslog-client und graylog-server abgesichert und sondern auch der Zugriff des Clients auf den zentralen syslog-server geregelt werden.
+Mit einfachen Boardmitteln unseres CentOS 7 Servers kann somit ein wesentlicher Beitrag zur Vertraulichkeit und Integrität von syslog-informationen geleistet werden und ein ungesicherte und ungeschützte Übertragung von sensitiven syslog-Informationen sollten der Vergangenheit angehören. Auch wenn der ungeübten Admin diesen Umstand bis jetzt erfolgreich verdrängte!
+</WRAP>
 ====== Links ======
@@ Zeile 3966: / Zeile 4800: @@
   * **[[http://dokuwiki.nausch.org/doku.php/|Zurück zur Startseite]]**
-~~DISCUSSION~~