Generating TCP/TLS Logs using syslog-ng
Ref: https://www.logzilla.net/configuring-tls-tunnels-in-syslog-ng.html
Scenario
Logs will be received by the CCE logs processor, which will have TCP over TLS support enabled (server).
Logs will be sent from a second machine on which syslog-ng is installed (client).
Server-Side Instructions
Generate a self-signed certificate and key inside cce-
Overview
This KBA describes a secure way to set up rsyslog TCP/TLS and emphasizes that a secure logging environment requires more than encrypting the transmission channel. It gives guidance on building a secure logging system using rsyslog's TCP/TLS authentication in a flexible way that supports a wide range of security policies; the configuration steps below detail what is needed to set it up securely.
Configuration Steps
The following instructions set up TCP over TLS with syslog-ng. Logs are received by a CCE logs processor with TCP over TLS support enabled, acting as the server, and are sent from a client machine with syslog-ng installed. The steps are:
Generate a self-signed certificate and key on the CCE logs processor. Navigate to /docker/config/ and run the following commands:
    openssl genrsa -out logserver.key 2048
    openssl req -new -key logserver.key -out logserver.csr
    cp logserver.key logserver.key.org
    openssl rsa -in logserver.key.org -out logserver.key
    openssl x509 -req -days 365 -in logserver.csr -signkey logserver.key -out logserver.crt
If running CCE 5.2.1 or later, update the following files:
    /docker/config/logstash_base_var.yml -> tcp_over_tls: true
    /docker/scripts/start-process.sh -> tcp_over_tls=True
If running an older CCE version, modify the file /usr/local/seceon/logstash/conf_d_logs/0001_syslog_input_release.conf to resemble the configuration provided below.
For more information on setting up TCP over TLS with syslog-ng, see https://www.logzilla.net/configuring-tls-tunnels-in-syslog-ng.html
Code Block
    input {
      # syslog {
      #   timezone => "America/New_York"
      #   port => 514
      #   type => "syslog"
      # }
      udp {
        port => 514
        type => "syslog"
        #queue_size => 4000
      }
      tcp {
        port => 514
        type => "syslog"
        ssl_cert => "/docker/config/logserver.crt"
        ssl_key => "/docker/config/logserver.key"
        ssl_enable => true
        ssl_verify => false
      }
    }
Restart cce-logs-processor
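The KBA covers only the server side; the following is an added example of the matching syslog-ng client configuration, not part of the original article or of the CCE product. It assumes a placeholder server hostname of cce-logs.example.internal, and that the server's /docker/config/logserver.crt has been copied into /etc/syslog-ng/ca.d/ on the client and hashed with openssl rehash (or c_rehash) so ca-dir() can find it.

```conf
# Added example (not from the original KBA): syslog-ng client forwarding
# local syslog to the CCE logs processor over TCP/TLS on port 514.
# Assumed names: cce-logs.example.internal (server), /etc/syslog-ng/ca.d
# (trust store holding the hashed copy of logserver.crt).
@version: 3.38
@include "scl.conf"

source s_local {
    system();      # /dev/log, kernel ring buffer, etc.
    internal();    # syslog-ng's own messages, including TLS handshake errors
};

destination d_cce_tls {
    network("cce-logs.example.internal"
        port(514)
        transport("tls")
        tls(
            # Directory of hashed CA certificates; contains logserver.crt,
            # which is self-signed and therefore acts as its own CA.
            ca-dir("/etc/syslog-ng/ca.d")
            # The server runs with ssl_verify => false, so it does not
            # authenticate the client. The client must still authenticate
            # the server: required-trusted rejects the connection unless the
            # server certificate chains to ca-dir and its CN/SAN matches the
            # hostname given to network() above. Without this the channel is
            # encrypted but could be terminated by any host on the path.
            peer-verify(required-trusted)
        )
    );
};

log {
    source(s_local);
    destination(d_cce_tls);
};
```

Set the CN (or a subjectAltName) in logserver.csr to the hostname the client will connect to, otherwise peer-verify(required-trusted) fails and the internal() source will log the mismatch.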