- OS Support
- Enterprise Edition Reference Manual
- 136. Man Pages
- 137. Configuration
- 138. Language
- 139. Extension Modules
- 140. Input Modules
- 141. Processor Modules
- 141.1. Blocker (pm_blocker)
- 141.2. Buffer (pm_buffer)
- 141.3. Event Correlator (pm_evcorr)
- 141.4. Filter (pm_filter)
- 141.5. HMAC message integrity (pm_hmac)
- 141.6. HMAC message integrity checker (pm_hmac_check)
- 141.7. De-duplicator (pm_norepeat)
- 141.8. Null (pm_null)
- 141.9. Pattern matcher (pm_pattern)
- 141.10. Format converter (pm_transformer)
- 141.11. Timestamping (pm_ts)
- 142. Output Modules
- NXLog Manager
- NXLog Add-Ons
In order to protect log data, this module provides cryptographic checksumming on log messages using the HMAC algorithm with a specific hash function. Messages protected this way cannot be altered, deleted, or inserted without detection. A separate verification procedure using the pm_hmac_check module is necessary for the receiver.
|This module has been deprecated and will be removed in a future release.|
|To examine the supported platforms, see the list of installer packages in the Available Modules chapter.|
When the module starts, it creates an initial random hash value which
is signed with the private key and stored in
field. As messages pass through the module, it calculates a hash value
using the previous hash value, the initial hash value, and the
fields of the log message. This calculated
value is added to the log message as a new field called
and can be used to later verify the integrity of the message.
|If the attacker can insert messages at the source, this module will add a HMAC value and the activity will go unnoticed. This method only secures messages that are already protected with a HMAC value.|
|For this method to work more securely, the private key should be protected by a password and the password should not be stored with the key (the configuration file should not contain the password). This will force the agent to prompt for the password when it is started.|
This mandatory directive specifies the path of the private key file to be used to sign the initial hash value.
This directive accepts a comma-separated list of fields. These fields will be used for calculating the HMAC value. This directive is optional, and the
$raw_eventfield will be used if it is not specified.
This directive sets the hash function. The following message digest methods can be used:
sha512. The default is
This specifies the password of the CertKeyFile.
The following fields are used by pm_hmac.
The digest value calculated from the log message fields.
The initial HMAC value which starts the chain.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 <Input uds> Module im_uds UDS /dev/log </Input> <Processor hmac> Module pm_hmac CertKeyFile %CERTDIR%/client-key.pem KeyPass secret HashMethod SHA1 </Processor> <Output tcp> Module om_tcp Host 192.168.1.1:1514 OutputType Binary </Output> <Route uds_to_tcp> Path uds => hmac => tcp </Route>