Return to
Portfolio

110.11. Timestamping (pm_ts)

This module provides support for the Time-Stamp Protocol as defined in RFC 3161. A cryptographic hash value of the log messages is sent over a HTTP or HTTPS channel to a Time-Stamp Authority server which creates a cryptographic Time-Stamp signature to prove that the message existed at that time and to be able to verify its validity at a later time. This may be mandatory for regulatory compliance, financial transactions, and legal evidence.

Note
 This module has been deprecated and will be removed in a future release.

A timestamp request is created for each log message received by this module, and the response is appended to the tsa_response field. The module does not request the certificate to be included in the response as this would greatly increase the size of the responses. The certificate used by the server for creating timestamps should be saved manually for later verification. The module establishes one HTTP connection to the server for the time-stamping by using HTTP Keep-Alive requests and will reconnect if the remote closes the connection.

Note

Since each log message generates a HTTP(S) request to the Time-Stamp server, the message throughput can be greatly affected. It is recommended that only messages of relevant importance are time-stamped through the use of proper filtering rules applied to messages before they reach the pm_ts module instance.

Creating timestamps in batch mode (requesting one timestamp on multiple messages) is not supported at this time.

110.11.1. Configuration

The pm_ts module accepts the following directives in addition to the common module directives. The URL directive is required.

URL

This mandatory directive specifies the URL of the Time-Stamp Authority server. The URL must begin with either http:// for plain HTTP over TCP or https:// for HTTP over SSL.

Digest

This specifies the digest method (hash function) to be used. The SHA1 hash function is used by default. The following message digest methods can be used: md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384, and sha512. Note that the Time-Stamp server must support the digest method specified.

Fields

This directive accepts a comma-separated list of fields. These fields will be used for calculating the hash value sent to the TSA server. This directive is optional, and the $raw_event field is used if it is not specified.

HTTPSAllowUntrusted

This boolean directive specifies that the connection to the Time-Stamp Authority server should be allowed without certificate verification. If set to TRUE, the connection will be allowed even if the server provides an unknown or self-signed certificate. The default value is FALSE: all Time-Stamp Authority servers must present a trusted certificate.

HTTPSCADir

This specifies the path to a directory containing certificate authority (CA) certificates, which will be used to check the certificate of the remote Time-Stamp Authority server. The certificate filenames in this directory must be in the OpenSSL hashed format. This directive can only be specified if the URL begins with https. A remote’s self-signed certificate (which is not signed by a CA) can also be trusted by including a copy of the certificate in this directory.

HTTPSCAFile

This specifies the path of the certificate of the certificate authority (CA) certificate, which will be used to check the certificate of the remote Time-Stamp Authority server. This directive can only be specified if the URL begins with https. To trust a self-signed certificate presented by the remote (which is not signed by a CA), provide that certificate instead.

HTTPSCertFile

This specifies the path of the certificate file to be used for the SSL handshake. This directive can only be specified if the URL begins with https. If this directive is not specified but the URL begins with https, then an anonymous SSL connection is attempted without presenting a client-side certificate.

HTTPSCertKeyFile

This specifies the path of the certificate key file to be used for the SSL handshake. This directive can only be specified if the URL begins with https. If this directive is not specified but the URL begins with https, then an anonymous SSL connection is attempted without presenting a client-side certificate.

HTTPSCRLDir

This specifies the path to a directory containing certificate revocation lists (CRLs), which will be consulted when checking the certificate of the remote Time-Stamp Authority server. The certificate filenames in this directory must be in the OpenSSL hashed format. This directive can only be specified if the URL begins with https.

HTTPSCRLFile

This specifies the path of the certificate revocation list (CRL) which will be consulted when checking the certificate of the remote Time-Stamp Authority server. This directive can only be specified if the URL begins with https.

HTTPSKeyPass

With this directive, a password can be supplied for the certificate key file defined in HTTPSCertKeyFile. This directive is not needed for passwordless private keys.

HTTPSSSLCipher

This optional directive can be used to set the permitted SSL cipher list, overriding the default. Use the format described in the ciphers(1ssl) man page.

HTTPSSSLCompression

This boolean directive allows you to enable data compression when sending data over the network. The compression mechanism is based on the zlib compression library. If the directive is not specified, it defaults to FALSE (the compression is disabled).

Note
 Some Linux packages (for example, Debian) use the OpenSSL library provided by the OS and may not support the zlib compression mechanism. The module will emit a warning on startup if the compression support is missing. The generic deb/rpm packages are bundled with a zlib-enabled libssl library.
HTTPSSSLProtocol

This directive can be used to set the allowed SSL/TLS protocol(s). It takes a comma-separated list of values which can be any of the following: SSLv2, SSLv3, TLSv1, TLSv1.1, and TLSv1.2. By default, the TLSv1, TLSv1.2, and TLSv1.2 protocols are allowed. Note that the OpenSSL library shipped by Linux distributions may not support SSLv2 and SSLv3, in which case these will not work even if enabled with HTTPSSSSLProtocol.

110.11.2. Fields

The following fields are used by pm_ts.

$TSAResponse (type: binary)

The response for the Time-Stamp request from the server. This does not include the certificate.

110.11.3. Examples

Example 593. Storing Requested Timestamps in a CSV File

With this configuration, NXLog will read BSD Syslog messages from the socket, add timestamps, and then save the messages to file in CSV format.

nxlog.conf [Download file]

  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31


  
<Extension syslog>
    Module          xm_syslog
</Extension>

<Input uds>
    Module          im_uds
    UDS             /dev/log
    Exec            parse_syslog_bsd();
</Input>

<Processor ts>
    Module          pm_ts
    URL             https://tsa-server.com:8080/tsa
    Digest          md5
</Processor>

<Processor csv>
    Module          pm_transformer
    OutputFormat    csv
    CSVOutputFields $facility, $severity, $timestamp, $hostname, \
                    $application, $pid, $message, $tsa_response
</Processor>

<Output file>
    Module          om_file
    File            "/dev/stdout"
</Output>

<Route uds_to_file>
    Path            uds => ts => csv => file
</Route>

← Previous: Format Converter (pm_transformer) | ↑ Up: Processor Modules | ⌂ Home: NXLog User Guide | Next: Output Modules →