HMAC Message Integrity Checker (pm_hmac_check)

This module is the counterpart of pm_hmac: it recalculates the HMAC values that pm_hmac attached to messages and compares them against the stored values to check message integrity.

This module is being phased out and will be removed in a future release.

Configuration

The pm_hmac_check module accepts the following directives in addition to the common module directives. The CertFile directive is required.

Required directives

The following directives are required for the module to start.

CertFile

This mandatory directive specifies the path of the certificate file to be used to verify the signature of the initial hash value.

TLS/SSL directives

The following directives are for configuring secure data transfer via TLS/SSL.

CADir

This optional directive specifies the path to a directory containing certificate authority (CA) certificates, which will be used to verify the certificate. The certificate filenames in this directory must be in the OpenSSL hashed format. A remote’s self-signed certificate (which is not signed by a CA) can also be trusted by including a copy of the certificate in this directory.

CAFile

This optional directive specifies the path of the certificate authority (CA) certificate, which will be used to verify the certificate. To trust a self-signed certificate presented by the remote (which is not signed by a CA), provide that certificate instead.

CRLDir

This optional directive specifies the path to a directory containing certificate revocation lists (CRLs), which will be consulted when checking the certificate. The certificate filenames in this directory must be in the OpenSSL hashed format.

CRLFile

This optional directive specifies the path of the certificate revocation list (CRL), which will be consulted when checking the certificate.

Optional directives

Fields

This optional directive accepts a comma-separated list of fields that will be used for calculating the HMAC value. If it is not specified, the $raw_event field is used.

HashMethod

This directive sets the hash function. The following message digest methods can be used: md2, md5, mdc2, rmd160, sha, sha1, sha224, sha256, sha384, and sha512. The default is md5. This must be the same as the hash method used for creating the HMAC values.

Fields

The following fields are used by pm_hmac_check.

$nxlog.hmac (type: string)

The HMAC value stored in this field is compared against the calculated value. This field is generated by the pm_hmac module.

$nxlog.hmac_initial (type: string)

The initial HMAC value which starts the chain. This is generated by the pm_hmac module.

$nxlog.hmac_sig (type: string)

The signature of $nxlog.hmac_initial to be verified with the certificate’s public key. This field is generated by the pm_hmac module.

Examples

Example 1. Verifying Message Integrity

This configuration accepts log messages in the NXLog Agent binary format. The HMAC values are checked, then the messages are written to a file.

nxlog.conf
<Input tcp>
    Module          im_tcp
    ListenAddr      192.168.1.1:1514
    InputType       Binary
</Input>

<Processor hmac_check>
    Module          pm_hmac_check
    CertFile        %CERTDIR%/client-cert.pem
    CAFile          %CERTDIR%/ca.pem
#   CRLFile         %CERTDIR%/crl.pem
    HashMethod      SHA1
</Processor>

<Output file>
    Module          om_file
    File            "/var/log/msg"
</Output>

<Route tcp_to_file>
    Path            tcp => hmac_check => file
</Route>
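The chain described by the $nxlog.hmac, $nxlog.hmac_initial and $nxlog.hmac_sig fields can be modelled as a verifier that recomputes each record's HMAC over the configured fields (default $raw_event, with the SHA1 hash method from Example 1) and keys each step with the previous record's HMAC. The following Python is an added illustration, not NXLog's own code or its exact construction: the chaining rule, the field separator, the sample records and the initial value are all assumptions, and the public-key check of $nxlog.hmac_sig is left out because it needs the certificate rather than the standard library.

```python
import hmac

# Constructed sample records; raw_event is the default field used for the HMAC.
SAMPLE_RECORDS = [
    {"raw_event": "2024-01-01T00:00:01 sshd: session opened for user alice"},
    {"raw_event": "2024-01-01T00:00:02 sshd: session closed for user alice"},
    {"raw_event": "2024-01-01T00:00:03 sudo: alice : COMMAND=/bin/ls"},
]
# Constructed value standing in for $nxlog.hmac_initial (pm_hmac would sign this).
INITIAL_HEX = "00112233445566778899aabbccddeeff00112233"


def record_bytes(record, fields):
    """Serialize the configured fields into the HMAC input (separator is an assumption)."""
    return "\x00".join(str(record[f]) for f in fields).encode("utf-8")


def next_hmac(prev_hex, record, fields, hash_method="sha1"):
    """One chain step: HMAC of this record keyed by the previous record's HMAC."""
    return hmac.new(bytes.fromhex(prev_hex), record_bytes(record, fields), hash_method).hexdigest()


def attach_hmacs(records, initial_hex, fields=("raw_event",), hash_method="sha1"):
    """Producer side of the model: tag each record with nxlog.hmac / nxlog.hmac_initial."""
    tagged, prev = [], initial_hex
    for rec in records:
        rec = dict(rec, **{"nxlog.hmac_initial": initial_hex})
        rec["nxlog.hmac"] = next_hmac(prev, rec, fields, hash_method)
        prev = rec["nxlog.hmac"]
        tagged.append(rec)
    return tagged


def verify_chain(records, fields=("raw_event",), hash_method="sha1"):
    """Consumer side of the model (what pm_hmac_check does in principle).

    Returns the indexes of records whose stored nxlog.hmac does not match the
    recomputed value. A modified record fails on its own; a deleted or reordered
    record makes the record after it fail, because the chain key no longer matches.
    """
    bad, prev = [], None
    for i, rec in enumerate(records):
        if prev is None:
            prev = rec["nxlog.hmac_initial"]  # chain starts from the signed initial value
        expected = next_hmac(prev, rec, fields, hash_method)
        if not hmac.compare_digest(expected, rec["nxlog.hmac"]):
            bad.append(i)
        prev = rec["nxlog.hmac"]  # continue from the stored value so each bad record is flagged once
    return bad
```

Running verify_chain over the tagged records, then over a copy with one record edited and over a copy with one record removed, shows a clean chain, the edited record flagged, and the record following the deletion flagged.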