Encrypting syslog with TLS

Objective: Secure remote logging on syslog servers by encrypting it with TLS.

Syslog traffic can be encrypted using TLS/SSL, which provides mutual authentication between the remote server and the clients, thereby preventing man-in-the-middle attacks. The following steps show how to accomplish this.

Please ensure that:

1. Port 6514 outbound is open on your firewall and the network as it is used by TLS for communication.
2. gnuTLS is installed on both the clients and the remote server since we are using GTLS driver.
3. Under no circumstance a third party accesses the certificate keys.

Procedure:

1. Create a self-signed certificate )

   Below are the steps to create a self-signed certificate with gnuTLS on the remote syslog server.

   1. Generate a private key using this command:
      certtool --generate-privkey --outfile ca-key.pem
   2. Set the file inaccessible to anyone other than the root user.
      chmod 400 ca-key.pem
   3. Use the following command to create the self-signed CA certificate:
      certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem

      Fill in the details appropriately, when prompted. The Certificate Authority (CA) is now set up.

2. Generate machine certificate for every machine.

   1. Generate a private key and store it in the key.pem file.
      certtool --generate-privkey --outfile key.pem --bits 2048
   2. Create the machine certificate using the following command. The name of the file request.pem, is specific to the machine. For example, if your machine is server1, the file may be named as server1-request.pem.
      certtool --generate-request --load-privkey key.pem --outfile request.pem
   3. Sign the machine certificate using the private key of the CA with the following command
      certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

      Fill in the details as necessary, when prompted.

3. Distributing the certificates

   1. The following files need to be copied into all the server and client machines:

      1. a copy of ca.pem
      2. cert.pem
      3. Key.pem

      Create a directory on the root server to store these keys.

      These files should be inaccessible to any user except the root user.

   Your request for a demo has been submitted successfully
   Our support technicians will get back to you at the earliest.

   Hi,

   I know the importance of monitoring syslogs. Can you tell me how to automate the process with a log management tool?
   I'm from     and you can contact me at
     .

   By clicking 'Submit', you agree to processing of personal data according to the Privacy Policy.

4. Configure the remote server to communicate over TCP using TLS certificates

   1. Create a new configuration file /etc/rsyslog.d/logserver.conf, with the code given below:
      module(load="imuxsock") # local messages
module(load="imtcp" # TCP listener
StreamDriver.Name="gtls"
StreamDriver.Mode="1" # run driver in TLS-only mode
StreamDriver.Authmode="anon"
)
# make gtls driver the default and set certificate files global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem"
DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem"
DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem"
)
# start up listener at port 6514
input( type="imtcp"
port="6514"
)


5. Configure the client machines so that they send logs only when the server identity is verified

   1. Create a new file /etc/rsyslog.d/logclient.conf with the following code:
      global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem"
DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem"
DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem"
)
# set up the action for all messages action(
type="omfwd"
target="central.example.net"
protocol="tcp"
port="6514"
StreamDriver="gtls"
StreamDriverMode="1"
# run driver in TLS-only mode StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="central.example.net"
)


This sets up your system for encrypted transmission of syslogs.

EventLog Analyzer, a comprehensive log management solution collects, analyzes, correlates, searches, and archives log data from devices across the network. The solution ensures security of log data while collection and transmission by employing different security protocols. Check out more about EventLog Analyzer here.