Generating TCP/TLS Logs using syslog-ng
Ref: https://www.logzilla.net/configuring-tls-tunnels-in-syslog-ng.html
Scenario
Logs will be received by the CCE logs processor, which will have TCP over TLS support enabled (server).
Logs will be sent from a second machine on which syslog-ng is installed (client).
Server Side Instructions
Generate a self-signed certificate and key. Inside cce-logs-processor, go into /docker/config/ and run the following:
openssl genrsa -out logserver.key 2048
openssl req -new -key logserver.key -out logserver.csr
cp logserver.key logserver.key.org
openssl rsa -in logserver.key.org -out logserver.key
openssl x509 -req -days 365 -in logserver.csr -signkey logserver.key -out logserver.crt
In case you're running CCE 5.2.1+:
update /docker/config/logstash_base_var.yml -> tcp_over_tls: true
update /docker/scripts/start-process.sh -> tcp_over_tls=True
In case you're running an older CCE, modify /usr/local/seceon/logstash/conf_d_logs/0001_syslog_input_release.conf to resemble the following:
input {
  # The built-in syslog input is left disabled; plain UDP and TLS-wrapped TCP are used instead.
  # syslog {
  #   timezone => "America/New_York"
  #   port => 514
  #   type => "syslog"
  # }
  udp {
    port => 514
    type => "syslog"
    #queue_size => 4000
  }
  tcp {
    port => 514
    type => "syslog"
    # Certificate and key generated in /docker/config/ in the steps above.
    ssl_cert => "/docker/config/logserver.crt"
    ssl_key => "/docker/config/logserver.key"
    ssl_enable => true
    # false: the server does not request or validate a client certificate (no mutual TLS).
    ssl_verify => false
  }
}
Restart cce-logs-processor.
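The client side is not shown above. As an added example (not from the referenced page or from the CCE product), here is a minimal Python sender that trusts only a copy of the self-signed logserver.crt and sends one newline-framed BSD syslog line over TLS, which is the framing the Logstash tcp input above splits on by default. The server name cce-logs-processor.example and the certificate path on the client are assumptions.

```python
"""Send a syslog line to the CCE TLS listener, trusting only the self-signed logserver.crt."""
import socket
import ssl
from datetime import datetime

# RFC 3164 facility/severity codes; PRI = facility * 8 + severity.
LOCAL0, INFO = 16, 6


def pri(facility: int, severity: int) -> int:
    return facility * 8 + severity


def format_syslog(hostname: str, app: str, msg: str, ts: datetime,
                  facility: int = LOCAL0, severity: int = INFO) -> bytes:
    """Build a BSD syslog line: "<PRI>Mmm dd HH:MM:SS host app: msg\\n".
    The trailing newline is the frame delimiter the Logstash tcp input expects."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"  # day is space-padded, e.g. "Jan  5"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {app}: {msg}\n".encode()


def tls_context(cafile: str) -> ssl.SSLContext:
    """Trust only the server's self-signed certificate (a copy of logserver.crt).
    With cafile given, no system CA store is loaded, so only that certificate is accepted.
    Hostname checking stays on: the server name must match the CN/SAN entered at CSR time."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_line(server: str, line: bytes, cafile: str, port: int = 514) -> str:
    """Open a TLS connection to the listener, send one line, return the negotiated TLS version."""
    ctx = tls_context(cafile)
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(line)
            return tls.version()


if __name__ == "__main__":
    # Hypothetical server name and client-side path of the copied certificate.
    line = format_syslog("client01", "tlstest", "tls syslog test", datetime.now())
    print(send_line("cce-logs-processor.example", line,
                    "/etc/syslog-ng/cert.d/logserver.crt"))
```

If the handshake fails with a certificate verify error, the copied logserver.crt does not match the certificate the listener presents, or the server name does not match its CN/SAN.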