cloudfoundry-community / firehose-to-syslog

Send firehose events from Cloud Foundry to syslog.
MIT License

Option to ignore tls cert verification (and not require pem file) for syslog tcp+tls #189

Closed lrstanley closed 6 years ago

lrstanley commented 6 years ago

Seems that when using --skip-ssl-validation, this likely only applies to wss connections and similar, not syslog. For self-signed certs on the syslog server, (I think) the only option to connect is to directly specify the pem, which is a bit irritating when testing.

E.g:

$ firehose-to-syslog --api-endpoint=https://api.system.env-cf.domain.com --client-id=firehose-to-syslog --client-secret=<truncated> --skip-ssl-validation --syslog-server=<truncated>:5000 --syslog-protocol=tcp+tls --events Error,HttpStartStop,LogMessage --boltdb-path=bolt-env.db
[...]
[2018-06-01 10:21:24.277801415 -0400 EDT m=+0.030763009] Exception occurred! Message: Unable to connect to syslog server [<truncated>:5000]!
 Details: open : no such file or directory

Should a --skip-tls-validation-syslog or similar be added, specifically for syslog?

shinji62 commented 6 years ago

Well, I never thought about that, to be honest, but that could be interesting. The only issue is that the syslog lib we use does not support insecure SSL for now.

So it is not as easy as just adding a flag.

lrstanley commented 6 years ago

https://godoc.org/github.com/RackSec/srslog#DialWithTLSConfig (if this is the lib in mention)

Looks like it supports passing in a TLS config, in which you can then set the optional InsecureSkipVerify field.
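As an added illustration (not code from this project or from either commenter), this is how such a flag would map onto the tls.Config that gets handed to a dialer like srslog's DialWithTLSConfig. The flag name --skip-tls-validation-syslog is the one proposed above and is hypothetical; the self-signed certificate is generated on the fly as constructed sample data. With skipVerify set, any certificate is accepted, including an impostor's; pinning the server's own PEM in RootCAs keeps self-signed setups working without giving that up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// syslogTLSConfig builds the config for a syslog tcp+tls connection. skipVerify stands for the
// hypothetical --skip-tls-validation-syslog flag; otherwise caPEM (the server's cert) is pinned.
func syslogTLSConfig(caPEM []byte, skipVerify bool) (*tls.Config, error) {
	if skipVerify { // disables certificate AND hostname checks: fine for a lab, unsafe in production
		return &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12}, nil
	}
	if len(caPEM) == 0 { // this is the "open : no such file or directory" situation, made explicit
		return nil, errors.New("no CA PEM supplied and verification not skipped")
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA PEM contains no parsable certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// selfSignedPEM generates a throwaway self-signed cert standing in for the syslog server's (constructed).
func selfSignedPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "syslog.example.internal"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```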

lrstanley commented 6 years ago

I'd submit PRs to fix it myself, but I don't believe my company has set up any legality rules in regards to public contributions yet :smile:

shinji62 commented 6 years ago

@lrstanley lol! I will fix it. It's just 5am in Japan, so I will fix it soon :) Guess I need some sleep; I missed the DialWithTLSConfig function.

shinji62 commented 6 years ago

Flag added in the 4.1.0 release.