How to ensure that only my hosts log to my syslog server?
We are starting to explore laptop logging, which means that I have to open up firewalls to public networks as the laptops are moved around. Is there a way to ensure that only computers configured by my organization are able to connect to or send logs to my log server?

I looked at "Mutual authentication using TLS" but if I understand that correctly the client is required to have an IP/hostname that matches the CN of the certificate.

I couldn't find other information but perhaps I am searching for the wrong terms.

-- Evan
Dear Evan,

AFAIK when TLS is configured, syslog-ng behaves differently depending on whether we are talking about a source or a destination. A destination will perform subject CN checking to verify whether the server is who it claims to be. In the case of a source, however, no CN checking is performed; only the validity of the certificate and the certificate chain is checked, depending on the peer-verify() option.

Despite this, it is possible to define a list for the option trusted-dn() and/or trusted-keys() so that the source will only accept connections from clients with the specified certificate parameters (Distinguished Name - trusted-dn(), SHA-1 fingerprint - trusted-keys()).

Best Regards,
János

--
Janos SZIGETVARI
RHCE, License no. 150-053-692 <https://www.redhat.com/rhtapps/verify/?certId=150-053-692>
LinkedIn: linkedin.com/in/janosszigetvari
__@__˚V˚
Make the switch to open (source) applications, protocols, formats now:
- windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice
- msn -> jabber protocol (Pidgin, Google Talk)
- mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp

Evan Rempel <erempel@uvic.ca> wrote (on 29 May 2020, Fri, 17:52):
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
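The source-side restriction János describes, written out as a syslog-ng configuration. This is an added example, not configuration from the thread or from the syslog-ng project; the file paths, port, server name, DN pattern and fingerprint are assumed placeholder values.

```conf
# Log server: accept TLS connections only from laptops that present a
# certificate signed by our CA *and* whose subject matches trusted-dn().
# A source does no CN-vs-hostname check, so a roaming laptop can keep
# one certificate no matter which network it connects from.
source s_laptops {
    network(
        ip("0.0.0.0")
        port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/cert.d/logserver.key")   # assumed path
            cert-file("/etc/syslog-ng/cert.d/logserver.crt")  # assumed path
            ca-dir("/etc/syslog-ng/ca.d")   # our CA cert, hashed (run c_rehash)
            peer-verify(required-trusted)   # client must present a valid CA-signed cert
            # Glob matched against the client's subject DN, most-specific RDN
            # first ("CN=..., OU=..., O=..., C=..."); example organization values.
            trusted-dn("*, OU=Managed Laptops, O=Example Org, C=*")
            # Alternative/additional: pin individual laptop certificates by
            # SHA-1 fingerprint. Obtain it with
            #   openssl x509 -in laptop.crt -noout -fingerprint -sha1
            # and prefix the value with "SHA1:". Placeholder fingerprint below.
            # trusted-keys("SHA1:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33")
        )
    );
};

destination d_central { file("/var/log/laptops/${HOST}.log"); };

log { source(s_laptops); destination(d_central); };

# Laptop side: a client certificate issued by the same CA under the trusted
# OU, plus verification of the server's certificate so the laptop never
# hands its logs to an impostor while sitting on a foreign network.
destination d_logserver {
    network(
        "logs.example.org"     # placeholder server name
        port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/cert.d/laptop.key")   # assumed path
            cert-file("/etc/syslog-ng/cert.d/laptop.crt")  # assumed path
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)   # laptop verifies the server too
        )
    );
};
```

A laptop whose certificate is valid but carries a different OU is rejected at the TLS handshake and shows up as a verification failure in the server's own syslog-ng log, which is the event to watch for.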
Thanks, that steers me in the right direction. Lots more reading but it was exactly what I was looking for.

Evan.

On 5/29/20 9:55 AM, SZIGETVÁRI János wrote: