
arashi256 07-31-2012 10:39 AM

rsyslog with TLS encryption help?
 
I'm following this document: -

http://www.rsyslog.com/doc/rsyslog_tls.html

but having a little trouble creating the certificates. The above document seems to imply that you need fully qualified domain names for each machine for the certificates to work. Is this true? I only have IP addresses to work with. Can I encrypt rsyslog traffic for machines with just IP addresses?

h8ck3rs 07-31-2012 06:52 PM

You only need the certificate on the destination (server) machine. Your self signed certificate can use an internally generated fqdn as long as your internal dns resolves it. If you're setting this up, maybe consider dropping your logs to somewhere like loggly.com instead where they'll be more useful to you.

arashi256 08-02-2012 05:55 AM

Okay, here's where I am.

On the server, I've generated the self-signed ca.pem file after creating the private key file ca-key.pem. When generating the ca.pem file, I've used the $HOSTNAME of the server as the Common Name for the certificate and added this to /etc/hosts: -
Code:

<the IP address of the machine>      my-syslog-server.somedomain.net

I can ping this, obviously, so that should be okay as h8ck3rs stated above - if I understand correctly.

Now, I understand that I have to create *another* private key file for the machine (server) itself as each machine also needs a machine certificate. To generate this, I need the initial private key (ca-key.pem) and the self-signed CA (ca.pem) to do this.
If I get this correctly, the Common Name for the machine certificate on the server has to match the entry I put in /etc/hosts above. So at the end of generating the machine certificates for the server, I end up with machine-key.pem and machine-ca.pem.

Machine certificates (machine-key.pem and machine-ca.pem) need to be generated from the ca-key.pem and ca.pem files for each machine (be it client or server).

How am I doing so far?
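The procedure the thread works through (one CA key and self-signed CA certificate, then a CA-signed key/certificate pair per machine, with a Common Name that resolves locally), written out as a script. This is an added example, not code from the thread or from rsyslog; it uses GnuTLS certtool, as the linked rsyslog guide does, keeps the thread's file names (ca-key.pem, ca.pem, <machine>-key.pem) and writes the signed machine certificate as <machine>-cert.pem. The hostnames, the 192.0.2.x addresses and the output directory are constructed placeholders. Because the thread's question is about machines that only have IP addresses, the machine template also adds the address as a subjectAltName (certtool's ip_address option) next to the dns_name.

```shell
#!/bin/sh
# Added example, not code from the thread or from rsyslog: builds the CA and
# per-machine certificates the thread describes, using GnuTLS certtool as the
# linked rsyslog TLS guide does. Hostnames and addresses are constructed placeholders.
set -eu

OUT_DIR="${OUT_DIR:-./rsyslog-tls}"

# Write a certtool template.
# Arguments: file, common name, dns_name, ip_address (may be empty), role (ca|machine).
# For a machine certificate the CN and dns_name must be the name rsyslog will
# check the peer against; ip_address adds a subjectAltName for the address.
write_template() {
    tmpl="$1"; cn="$2"; dns="$3"; ip="$4"; role="$5"
    {
        echo "organization = \"Example Org (constructed)\""
        echo "cn = \"$cn\""
        echo "expiration_days = 3650"
        if [ "$role" = ca ]; then
            echo "ca"
            echo "cert_signing_key"
        else
            echo "dns_name = \"$dns\""
            if [ -n "$ip" ]; then
                echo "ip_address = \"$ip\""
            fi
            echo "tls_www_server"
            echo "tls_www_client"
            echo "encryption_key"
            echo "signing_key"
        fi
    } > "$tmpl"
}

# Step 1 (once): CA private key and self-signed CA certificate.
make_ca() {
    write_template "$OUT_DIR/ca.tmpl" "$1" "" "" ca
    certtool --generate-privkey --outfile "$OUT_DIR/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$OUT_DIR/ca-key.pem" \
        --template "$OUT_DIR/ca.tmpl" --outfile "$OUT_DIR/ca.pem"
}

# Step 2 (per machine, client or server): own key, request, CA-signed certificate.
# Arguments: short name, hostname used as CN/dns_name, IP address (may be empty).
make_machine_cert() {
    name="$1"; fqdn="$2"; ip="$3"
    write_template "$OUT_DIR/$name.tmpl" "$fqdn" "$fqdn" "$ip" machine
    certtool --generate-privkey --outfile "$OUT_DIR/$name-key.pem"
    certtool --generate-request --load-privkey "$OUT_DIR/$name-key.pem" \
        --template "$OUT_DIR/$name.tmpl" --outfile "$OUT_DIR/$name-request.pem"
    certtool --generate-certificate --load-request "$OUT_DIR/$name-request.pem" \
        --load-ca-certificate "$OUT_DIR/ca.pem" --load-ca-privkey "$OUT_DIR/ca-key.pem" \
        --template "$OUT_DIR/$name.tmpl" --outfile "$OUT_DIR/$name-cert.pem"
    rm -f "$OUT_DIR/$name-request.pem"
    # Only ca.pem and the machine's own key/cert go onto a machine;
    # ca-key.pem stays wherever certificates are signed.
}

# Check that a hosts file maps an address to the name used in the certificate,
# i.e. that the CN is resolvable locally as the thread intends. Returns 0 if found.
# Arguments: ip, name, hosts file (default /etc/hosts).
hosts_has_mapping() {
    awk -v ip="$1" -v name="$2" '
        $1 !~ /^#/ && $1 == ip { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit (found ? 0 : 1) }' "${3:-/etc/hosts}"
}

# Run the whole procedure when certtool is installed (skipped otherwise).
if command -v certtool >/dev/null 2>&1; then
    mkdir -p "$OUT_DIR"
    make_ca "rsyslog-ca"
    make_machine_cert server  my-syslog-server.somedomain.net 192.0.2.10
    make_machine_cert client1 client1.somedomain.net          192.0.2.20
    # Show the names the server certificate actually carries.
    certtool --certificate-info --infile "$OUT_DIR/server-cert.pem" \
        | grep -iE 'Subject:|DNSname|IPAddress' || true
fi
```

Point the rsyslog.conf directives from the linked guide (CA file, certificate file, key file) at ca.pem, <machine>-cert.pem and <machine>-key.pem on each machine. In x509/name authentication mode rsyslog compares the configured permitted peer against the name in the certificate, so the CN/dns_name must be exactly the name you configure and resolve; x509/certvalid mode only requires a certificate signed by the CA, which avoids the naming question when machines have no stable hostname. hosts_has_mapping is the check for the /etc/hosts entry the thread adds.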

