HMAC Message Integrity Checker (pm_hmac_check)
This module is the pair of pm_hmac to check message integrity.
This module is being phased out and will be removed in a future release. |
To examine the supported platforms, see the list of installation packages. |
Configuration
The pm_hmac_check module accepts the following directives in addition to the common module directives. The CertFile directive is required.
Required directives
The following directives are required for the module to start.
This mandatory directive specifies the path of the certificate file to be used to verify the signature of the initial hash value. |
TLS/SSL directives
The following directives are for configuring secure data transfer via TLS/SSL.
This optional directive specifies the path to a directory containing certificate authority (CA) certificates, which will be used to verify the certificate. The certificate filenames in this directory must be in the OpenSSL hashed format. A remote’s self-signed certificate (which is not signed by a CA) can also be trusted by including a copy of the certificate in this directory. |
|
This optional directive specifies the path of the certificate authority (CA) certificate, which will be used to verify the certificate. To trust a self-signed certificate presented by the remote (which is not signed by a CA), provide that certificate instead. |
|
This optional directive specifies the path to a directory containing certificate revocation lists (CRLs), which will be consulted when checking the certificate. The certificate filenames in this directory must be in the OpenSSL hashed format. |
|
This optional directive specifies the path of the certificate revocation list (CRL), which will be consulted when checking the certificate. |
Optional directives
This directive accepts a comma-separated list of fields.
These fields will be used for calculating the HMAC value.
This directive is optional, and the |
|
This directive sets the hash function.
The following message digest methods can be used: |
Fields
The following fields are used by pm_hmac_check.
$nxlog.hmac_sig
(type: string)-
The signature of nxlog.hmac_initial to be verified with the certificate’s public key. This field is generated by the pm_hmac module.
Examples
This configuration accepts logs in the NXLog Agent Binary format. The HMAC values are checked, then the messages are written to a file.
<Input tcp>
Module im_tcp
ListenAddr 192.168.1.1:1514
InputType Binary
</Input>
<Processor hmac_check>
Module pm_hmac_check
CertFile %CERTDIR%/client-cert.pem
CAFile %CERTDIR%/ca.pem
# CRLFile %CERTDIR%/crl.pem
HashMethod SHA1
</Processor>
<Output file>
Module om_file
File "/var/log/msg"
</Output>
<Route tcp_to_file>
Path tcp => hmac_check => file
</Route>