Generating TCP/TLS Logs using syslog-ng

Ref: https://www.logzilla.net/configuring-tls-tunnels-in-syslog-ng.html

Scenario

  1. Logs are received by the CCE logs processor, which has TCP over TLS support enabled (server).

  2. Logs are sent from a second machine on which syslog-ng is installed (client).


Overview

This KBA describes a secure way to set up TCP over TLS between a syslog-ng client and the CCE logs processor. It emphasizes that a secure logging environment requires more than just encrypting the transmission channel: the certificate presented by the logs processor must be one the client trusts, and the verification settings on both sides must match the site's security policy. The steps below cover generating the server certificate and key, enabling TLS in the logs processor's syslog input, and restarting the service.

Configuration Steps

The logs are received by the CCE logs processor, which acts as the server with TCP over TLS enabled, and are sent from a client machine on which syslog-ng is installed. Carry out the following steps on the logs processor:

  • Generate a self-signed certificate and key on the CCE logs processor. Navigate to /docker/config/ and run the following commands:

    • openssl genrsa -out logserver.key 2048

    • openssl req -new -key logserver.key -out logserver.csr

    • cp logserver.key logserver.key.org

    • openssl rsa -in logserver.key.org -out logserver.key

    • openssl x509 -req -days 365 -in logserver.csr -signkey logserver.key -out logserver.crt

    The cp and openssl rsa steps write an unencrypted copy of the key over the original; they only change anything if the key was generated with a passphrase (genrsa without -des3 or -aes256 already writes it unencrypted). The key must be unencrypted because the ssl_key setting below is used without a passphrase. The openssl req step prompts for the subject fields; the Common Name should be the hostname the syslog-ng client uses to reach the logs processor.

  • Enable TCP over TLS in the logs processor:

    • If running CCE 5.2.1 or later, update the following files:

      • /docker/config/logstash_base_var.yml -> tcp_over_tls: true

      • /docker/scripts/start-process.sh -> tcp_over_tls=True

    • If running an older CCE version, modify the file /usr/local/seceon/logstash/conf_d_logs/0001_syslog_input_release.conf to resemble the configuration shown in the code block below.


Code Block
input {
#   syslog {
#      timezone => "America/New_York"
#      port => 514
#      type => "syslog"
#   }
   # Plain UDP syslog stays enabled on 514: traffic on this input is neither
   # encrypted nor authenticated, so block or remove it if only TLS is wanted.
   udp {
      port => 514
      type => "syslog"
      #queue_size => 4000
   }
   tcp {
      port => 514
      type => "syslog"
      ssl_cert => "/docker/config/logserver.crt"
      ssl_key => "/docker/config/logserver.key"
      ssl_enable => true
      # ssl_verify => false: clients are not asked for a certificate, so the
      # channel is encrypted but the sender is not authenticated. Any host that
      # can reach port 514 can submit logs.
      ssl_verify => false
   }
}

  • Restart cce-logs-processor
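As an added example, and not the KBA's or Seceon's own commands, the POSIX shell script below collapses the five openssl steps above into one call, checks the resulting key/certificate pair before it is copied into /docker/config/, and prepares the hash-named copy that a syslog-ng client needs in its ca-dir() to trust the self-signed server certificate (the client-side step the KBA leaves to the reference). The hostname cce-logs.example.internal, the ca.d directory and the function names are placeholders, and OpenSSL 1.1.1 or later is assumed for the -addext option.

```sh
#!/bin/sh
# Added example, not the KBA's own commands. Generates the logserver key and
# certificate in one step, verifies the pair, and builds the hash-named trust
# directory a syslog-ng client uses in ca-dir(). Assumes OpenSSL 1.1.1+.
# "cce-logs.example.internal" is a placeholder hostname, not one from the KBA.
set -eu

# One openssl req -x509 call replaces genrsa / req / rsa / x509 -req.
# -nodes leaves the key unencrypted, so the KBA's cp + openssl rsa passphrase
# stripping steps are not needed. A DNS subjectAltName is added because TLS
# clients match the hostname against the SAN, not only the CN.
gen_logserver_cert() {
    dir=$1
    host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/logserver.key" -out "$dir/logserver.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/logserver.key"   # only the logs processor reads the key
}

# Returns 0 when the certificate's public key matches the private key, the
# certificate verifies against itself (self-signed) and it carries the
# expected DNS SAN; returns 1 otherwise.
verify_logserver_cert() {
    dir=$1
    host=$2
    crt_pub=$(openssl x509 -noout -pubkey -in "$dir/logserver.crt")
    key_pub=$(openssl pkey -pubout -in "$dir/logserver.key" 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ] || return 1
    openssl verify -CAfile "$dir/logserver.crt" "$dir/logserver.crt" \
        >/dev/null 2>&1 || return 1
    openssl x509 -noout -text -in "$dir/logserver.crt" | grep -q "DNS:$host" \
        || return 1
}

# syslog-ng's ca-dir() looks trusted certificates up by subject-name hash,
# so copy the server certificate into the client's trust directory and add
# the <hash>.0 link OpenSSL-style lookup expects. Prints the link path.
make_client_ca_dir() {
    dir=$1
    cadir=$2
    mkdir -p "$cadir"
    cp "$dir/logserver.crt" "$cadir/logserver.crt"
    hash=$(openssl x509 -noout -hash -in "$cadir/logserver.crt")
    ln -sf logserver.crt "$cadir/$hash.0"
    echo "$cadir/$hash.0"
}

# Usage (a scratch directory stands in for /docker/config/ and the client's
# ca-dir):
#   d=$(mktemp -d)
#   gen_logserver_cert "$d" cce-logs.example.internal
#   verify_logserver_cert "$d" cce-logs.example.internal && echo "pair OK"
#   make_client_ca_dir "$d" "$d/ca.d"
```

On the client, point the syslog-ng tls() block's ca-dir() at the directory make_client_ca_dir produced and keep peer-verify at its trusted setting, so the client refuses to send logs to anything but the holder of this key; the logs processor side is still unauthenticated as long as ssl_verify stays false in the tcp input above.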