Overview:
This KBA describes how to send encrypted logs to the CCE using TCP over TLS (syslog over TLS), and how to enable TCP over TLS support on the CCE side.
Process:
Generating TCP/TLS Logs using syslog-ng
Ref: https://www.logzilla.net/configuring-tls-tunnels-in-syslog-ng.html
Scenario
Logs are received by the CCE logs-processor or logs-manager container; TCP over TLS support must be enabled on whichever one is in use.
If LTS is enabled, make the following changes in the logs-manager container:
1. Go into the cce-logs-manager container
otmdoc -s cce-logs-manager
2. Update /docker/config/syslog_base_var.yml and set tcp_over_tls: True
vi docker/config/syslog_base_var.yml
3. Restart the cce-logs-manager container
otmdoc -r cce-logs-manager
To get the certificate, follow the process below:
a) cd syslog/config/
b) ls
The directory contains a .crt and a .key file. Copy the .crt to /home/seceon and retrieve it from there; it is what the sending host uses to verify the CCE's TLS listener. The .key file is the CCE's TLS private key: leave it in place and do not distribute it to log senders.
If LTS is not enabled, make the following changes in the cce-logs-processor container:
1. Go into the cce-logs-processor container
otmdoc -s cce-logs-processor
2. Update /docker/config/logstash_base_var.yml and set tcp_over_tls: True
vi docker/config/logstash_base_var.yml
3. Restart the cce-logs-processor container
otmdoc -r cce-logs-processor
To get the certificate, follow the process below:
a) cd logstash/config/
b) ls
The directory contains a .crt and a .key file. Copy the .crt to /home/seceon and retrieve it from there; it is what the sending host uses to verify the CCE's TLS listener. The .key file is the CCE's TLS private key: leave it in place and do not distribute it to log senders.
If TCP traffic is not arriving at the CCE server (the syslog server):
Check whether another application is already listening on port 514 (e.g. rsyslog).
If there is one, stop the service and keep it from coming back on reboot (disable alone does not stop a running service), e.g.:
systemctl stop rsyslog
systemctl disable rsyslog
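The KBA references the syslog-ng TLS guide but does not show the sender side, and the troubleshooting note above describes the port 514 conflict check only in words. The script below is an added example, not part of this KBA or of Seceon's tooling: it renders a syslog-ng destination that ships logs to the CCE over TCP with TLS and verifies the CCE certificate, and it checks `ss -ltnp` output for anything already bound to the syslog port. Everything site-specific is assumed: the CCE address 203.0.113.10, TCP port 514, the retrieved .crt copied to /etc/syslog-ng/ca.d/cce.crt on the sender, a syslog-ng 3.10 or later (for ca-file()) source named s_src, and the sample `ss` output, which is constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the KBA or of Seceon's own tooling): sender-side helpers for
# shipping logs to the CCE over TCP/TLS with syslog-ng, plus the port-514 conflict check
# from the troubleshooting note. Assumed values: CCE at 203.0.113.10, TCP port 514, the CCE
# .crt retrieved from /home/seceon copied to /etc/syslog-ng/ca.d/cce.crt on the sender, and
# a syslog-ng (>= 3.10, for ca-file()) source named s_src. Adjust these for your site.
set -u

# Write a syslog-ng destination that sends over TLS and verifies the CCE's certificate
# against the copied .crt. Arguments: host, port, path to CCE .crt, output file, source name.
render_cce_tls_conf() {
    local host="$1" port="$2" ca_file="$3" out="$4" src="${5:-s_src}"
    cat > "$out" <<EOF
# CCE TCP-over-TLS destination (generated by render_cce_tls_conf)
destination d_cce_tls {
    network("${host}" port(${port}) transport("tls")
        tls(
            ca-file("${ca_file}")
            # required-trusted: refuse to send unless the CCE presents a certificate that
            # validates against ca-file(); this is what stops a MITM from collecting the logs.
            peer-verify(required-trusted)
        )
    );
};
log { source(${src}); destination(d_cce_tls); };
EOF
}

# Report any process listening on TCP port $1, reading `ss -ltnp` output from stdin.
# Prints the Process column for each match; exit 0 if found, 1 if the port is free.
listener_on_port() {
    awk -v p="$1" '
        NR > 1 {
            addr = $4; sub(/.*:/, "", addr)      # keep only the port of "0.0.0.0:514" / "[::]:514"
            if (addr == p) { found = 1; print $NF }
        }
        END { exit found ? 0 : 1 }'
}

# Live variant for the CCE host: is something (e.g. rsyslog) already bound to the syslog port?
check_port_conflict() {
    ss -ltnp | listener_on_port "$1"
}

# Live check from the sender: does the CCE complete a TLS handshake on host:port, and does the
# copied .crt verify the certificate it presents? Non-zero exit means "do not ship logs yet".
tls_handshake_ok() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Constructed sample of `ss -ltnp` output showing the conflict the KBA describes.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      25     0.0.0.0:514        0.0.0.0:*         users:(("rsyslogd",pid=812,fd=5))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))'

# Stand-alone demonstration (writes the config to a temp file rather than /etc/syslog-ng/conf.d).
demo_conf=$(mktemp)
render_cce_tls_conf 203.0.113.10 514 /etc/syslog-ng/ca.d/cce.crt "$demo_conf" s_src
cat "$demo_conf"
if printf '%s\n' "$SAMPLE_SS" | listener_on_port 514; then
    echo "port 514 is taken (see above); stop that service before enabling tcp_over_tls"
fi
```

To use the rendered file on a sender, place it under /etc/syslog-ng/conf.d/, run `syslog-ng -s` to syntax-check the configuration, restart syslog-ng, and run `tls_handshake_ok <cce-ip> 514 /etc/syslog-ng/ca.d/cce.crt` first if logs do not appear; a handshake that fails only with -CAfile set means the wrong .crt was copied. On the CCE, `check_port_conflict 514` is the scripted form of the rsyslog check in the troubleshooting note.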
Verification:
STEP 1: Log in to the UI and go to SYSTEM >> LOGS AND FLOWS COLLECTION STATUS.
STEP 2: Under SOURCE DEVICE IP, the IP of the sending host should be listed once its logs are being received over TLS.