The in_secure_forward input plugin accepts messages via SSL with authentication (cf. out_secure_forward).
NOTE: This document doesn't describe all parameters. For the full feature set, check the Further Reading section.
in_secure_forward is not included in either the td-agent package or the fluentd gem. To install it, please refer to the Plugin Management article.
This section provides some example configurations for in_secure_forward.
<source>
type secure_forward
shared_key secret_string
self_hostname server.fqdn.local # This fqdn is used as CN (Common Name) of certificates
cert_auto_generate yes # This parameter MUST be specified
</source>
<source>
type secure_forward
shared_key secret_string
self_hostname server.fqdn.local
cert_auto_generate yes
authentication yes # Deny clients without valid username/password
<user>
username tagomoris
password foobar012
</user>
<user>
username frsyuki
password yakiniku
</user>
</source>
<source>
type secure_forward
shared_key secret_string
self_hostname server.fqdn.local
cert_auto_generate yes
allow_anonymous_source no # Accept connections only from hosts listed in <client>
<client>
host 192.168.10.30
# network address (ex: 192.168.10.0/24) NOT Supported now
</client>
<client>
host your.host.fqdn.local
# wildcard (ex: *.host.fqdn.local) NOT Supported now
</client>
</source>
You can use the username/password check and client check together:
<source>
type secure_forward
shared_key secret_string
self_hostname server.fqdn.local
cert_auto_generate yes
allow_anonymous_source no # Accept connections only from hosts listed in <client>
authentication yes # Deny clients without valid username/password
<user>
username tagomoris
password foobar012
</user>
<user>
username frsyuki
password sukiyaki
</user>
<user>
username repeatedly
password sushi
</user>
<client>
host 192.168.10.30 # allow all users to connect from 192.168.10.30
</client>
<client>
host 192.168.10.31
users tagomoris,frsyuki # deny repeatedly from 192.168.10.31
</client>
<client>
host 192.168.10.32
shared_key less_secret_string # limited shared_key for 192.168.10.32
users repeatedly # and repeatedly only
</client>
</source>
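The configurations above are easy to get subtly wrong (an unclosed section, a network address in a <client> host, no certificate source). The following Python linter is an added example, not part of the original documentation or the plugin's code; the function names parse_source and lint are hypothetical, and it assumes `#` always starts a comment and that `yes`/`true` both enable a boolean parameter.

```python
def parse_source(text):
    """Return (params, users, clients, errors) for one <source> block."""
    params, users, clients, errors = {}, [], [], []
    section = None  # the currently open <user>/<client> dict, if any
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not line or line in ("<source>", "</source>"):
            continue
        if line in ("<user>", "<client>"):
            if section is not None:
                errors.append(f"line {n}: {line} opened inside an unclosed section")
            section = {}
            (users if line == "<user>" else clients).append(section)
        elif line in ("</user>", "</client>"):
            section = None
        elif line.startswith("<"):
            errors.append(f"line {n}: malformed tag {line!r}")
        else:
            key, _, value = line.partition(" ")
            (params if section is None else section)[key] = value.strip()
    return params, users, clients, errors

def lint(text):
    """Check constraints stated on this page; return a list of findings."""
    params, users, clients, errors = parse_source(text)
    if params.get("type") != "secure_forward":
        errors.append("type must be secure_forward")
    if params.get("cert_auto_generate") not in ("yes", "true") and "cert_file_path" not in params:
        errors.append("cert_file_path must be set when cert_auto_generate is off")
    for c in clients:
        host = c.get("host", "")
        if "/" in host or "*" in host:
            errors.append(f"<client> host {host!r}: network address/wildcard not supported")
    return errors

# Constructed sample: unclosed </user, CIDR host, no certificate source.
SAMPLE = """<source>
type secure_forward
authentication yes
<user>
username tagomoris
</user
<client>
host 192.168.10.0/24
</client>
</source>"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```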
Please refer to the Secure Sender-Receiver Setup sample documentation.
This parameter is required. Its value must be secure_forward.
The default value is 24284.
The default value is 0.0.0.0.
Default value of the auto-generated certificate common name (CN).
Optional shared key.
Accept keepalive connection. The default value is true.
Accept connections from unknown hosts.
Require password authentication. The default value is false.
Auto-generate the CA (see the generate_* parameters below). The default value is false.
If cert_auto_generate is false, cert_file_path must be set.
The byte length of the auto-generated private key. The default value is 2048.
The country of the auto-generated certificate. The default value is "US".
The state of the auto-generated certificate. The default value is "CA".
The locality of the auto-generated certificate. The default value is "Mountain View".
The common name of the auto-generated certificate. The default value is the value of self_hostname.
The path to the cert file. If this is not set, cert_auto_generate must be set to true.
The path to the private key file used with the cert file located at cert_file_path.
The optional passphrase for the private key file found in private_key_file.
The number of bytes read per nonblocking read. The default value is 8MB = 8*1024*1024 bytes.
The interval between the non-blocking reads, in milliseconds. The default value is 50.
The interval between SSL reconnects in milliseconds. The default value is 200.