Using SSL to ship from NXlog to Logstash

Submitted by 99封情书 on 2019-12-02 17:07:37

Question


I have NXLog shipping my Windows Events to another Logstash machine working fine in just TCP. But I want to encrypt the traffic using a self-signed certificate. I think I have a basic understanding of SSL but am confused by the NXLog docs. The NXLog om_ssl docs show:

<Output sslout>
    Module  om_ssl
    Host    localhost
    Port    23456
    CAFile  %CERTDIR%/ca.pem
    CertFile    %CERTDIR%/client-cert.pem
    CertKeyFile %CERTDIR%/client-key.pem
    KeyPass secret
    AllowUntrusted TRUE
    OutputType  Binary
</Output>

Does the CertKeyFile mean that the NXLog "client" needs the private key used to generate the CAFile? I thought the Logstash "server" would have and protect the private key, and the NXLog "client" would encrypt with the CertFile. And the CertFile would be validated against the CAFile.


Answer 1:


CertFile and CertKeyFile can be used for client-side cert-based authentication, i.e. if you want trusted SSL connections. These are optional; if you want only encrypted traffic, then leave these out.

CAFile is the certificate used to verify the remote end (server).
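
The two setups the answer distinguishes, written out as an added NXLog configuration example (not part of the original question or answer). The instance names, the host name and the file names under %CERTDIR% are placeholders, and %CERTDIR% is assumed to be defined elsewhere in the configuration. AllowUntrusted is set to FALSE here so that the CAFile check is enforced; with TRUE, as in the snippet quoted in the question, NXLog allows the connection even when the server certificate does not verify.

```apache
# Added example: placeholder names throughout.

# 1) Encrypted traffic with server verification only.
#    No CertFile / CertKeyFile: the client holds no private key at all.
#    CAFile is the certificate that signed the Logstash server certificate;
#    for a self-signed server certificate that is typically the server
#    certificate itself (public part only, never the server's key).
<Output ssl_server_auth_only>
    Module          om_ssl
    Host            logstash.example.internal
    Port            23456
    CAFile          %CERTDIR%/ca.pem
    AllowUntrusted  FALSE
</Output>

# 2) Mutual authentication: the server also verifies the NXLog client.
#    CertFile / CertKeyFile are the client's OWN certificate and private key,
#    issued for this client. They are not the CA's key and not the server's key.
<Output ssl_mutual_auth>
    Module          om_ssl
    Host            logstash.example.internal
    Port            23456
    CAFile          %CERTDIR%/ca.pem
    CertFile        %CERTDIR%/client-cert.pem
    CertKeyFile     %CERTDIR%/client-key.pem
    # KeyPass is only needed when client-key.pem is passphrase-protected.
    KeyPass         secret
    AllowUntrusted  FALSE
</Output>
```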



Source: https://stackoverflow.com/questions/25294127/using-ssl-to-ship-from-nxlog-to-logstash
