This KBA describes a secure way to set up rsyslog over TCP/TLS and emphasizes that a secure logging environment requires more than just encrypting the transmission channel. It shows how to build a secure logging system using rsyslog's TCP/TLS authentication in a flexible way that supports a wide range of security policies. The specific steps and configuration needed to set it up securely are given below.
This section gives instructions for setting up TCP over TLS with syslog-ng. The logs are received by a CCE logs processor with TCP over TLS support enabled, acting as the server, and are sent from a client machine running syslog-ng. The instructions are as follows:
Generate a self-signed certificate and key on the CCE logs processor. Navigate to /docker/config/ and run the following commands:
# generate a 2048-bit RSA private key
openssl genrsa -out logserver.key 2048
# create a certificate signing request for it (at the prompts, use the hostname clients will use to reach the logs processor as the Common Name)
openssl req -new -key logserver.key -out logserver.csr
# keep a copy of the key and rewrite it without a passphrase so Logstash can load it unattended
cp logserver.key logserver.key.org
openssl rsa -in logserver.key.org -out logserver.key
# self-sign the request for one year; this is the certificate Logstash presents to clients
openssl x509 -req -days 365 -in logserver.csr -signkey logserver.key -out logserver.crt
If running CCE 5.2.1 or later, update the following settings:
/docker/config/logstash_base_var.yml -> tcp_over_tls: true
/docker/scripts/start-process.sh -> tcp_over_tls=True
If running an older CCE version, modify the file /usr/local/seceon/logstash/conf_d_logs/0001_syslog_input_release.conf so that it resembles the configuration below.
The following source gives more background on setting up TCP over TLS with syslog-ng:
Ref: https://www.logzilla.net/configuring-tls-tunnels-in-syslog-ng.html
input {
  # syslog {
  #   timezone => "America/New_York"
  #   port => 514
  #   type => "syslog"
  # }
  udp {
    port => 514
    type => "syslog"
    #queue_size => 4000
  }
  tcp {
    port => 514
    type => "syslog"
    ssl_cert => "/docker/config/logserver.crt"
    ssl_key => "/docker/config/logserver.key"
    ssl_enable => true
    # ssl_verify => false accepts any client without a certificate: the channel is
    # encrypted but the sender is not authenticated. Set it to true and list the
    # issuing CA in ssl_certificate_authorities to require client certificates.
    ssl_verify => false
  }
}
Restart cce-logs-processor
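As an added example (not part of this KBA), the following POSIX shell script produces the same logserver.key/logserver.crt pair in one non-interactive command and checks it before the restart: that the certificate's public key matches the private key, that it carries a subjectAltName for the hostname clients use, and that it is not about to expire. It assumes openssl 1.1.1 or later is installed; the hostname logs.example.internal is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of the KBA): build and sanity-check the logserver
# key/certificate pair before restarting the logs processor.
# Assumptions: openssl 1.1.1 or later is installed; HOST is the name clients
# will use to reach the CCE logs processor (constructed example in the usage line).
set -eu

# gen_logserver_cert DIR HOST: one-step equivalent of the genrsa/req/rsa/x509
# sequence, non-interactive, with a subjectAltName so a client that verifies
# the server name can match the certificate.
gen_logserver_cert() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/logserver.key" -out "$dir/logserver.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
  chmod 600 "$dir/logserver.key"   # the private key must not be world-readable
}

# cert_matches_key DIR: exit 0 if the public key embedded in logserver.crt is
# the public half of logserver.key (a mismatch makes Logstash fail at startup).
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1/logserver.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1/logserver.key" -pubout)
  [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for DIR SECONDS: exit 0 if the certificate does not expire
# within SECONDS (the 365-day certificate needs renewing before then).
cert_valid_for() {
  openssl x509 -in "$1/logserver.crt" -noout -checkend "$2" >/dev/null
}

# cert_has_san DIR HOST: exit 0 if the certificate lists DNS:HOST as a SAN.
cert_has_san() {
  openssl x509 -in "$1/logserver.crt" -noout -text | grep -q "DNS:$2"
}

# Usage: ./mkcert.sh /docker/config logs.example.internal   (hostname constructed)
if [ $# -eq 2 ]; then
  gen_logserver_cert "$1" "$2"
  cert_matches_key "$1" && cert_valid_for "$1" 86400 && cert_has_san "$1" "$2" \
    && echo "logserver.crt and logserver.key in $1 are consistent and valid"
fi
```

A syslog-ng client that verifies the server should trust this same logserver.crt explicitly, since it is self-signed and chains to no public CA.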