This KBA describes how to send encrypted logs to the CCE over TCP with TLS.
The Seceon CCE server name (the name the log sources connect to) must match the entry in your /home/seceon directory; it is also the name you enter as the Common Name in the certificate below, since clients verify the CCE certificate against the name they connect to.
Generate the self-signed certificate and private key on the CCE:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout logserver.key -out logserver.crt
You'll be prompted for the following information:
Country Name (2 letter code): US
State or Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []: New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []: Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []: server FQDN or server_IP_address
Email Address []: admin@your_domain.com
Generating TCP/TLS Logs using syslog-ng:
Ref: https://www.logzilla.net/configuring-tls-tunnels-in-syslog-ng.html
Scenario
Logs will be received by the CCE logs-processor/logs-manager, which will have TCP over TLS support enabled.
If LTS is enabled, perform the following changes in the logs-manager container:
1. Go into cce-logs-manager container
otmdoc -s cce-logs-manager
2. Update /docker/config/syslog_base_var.yml -> tcp_over_tls: True
vi docker/config/syslog_base_var.yml
3. Restart the cce-logs-manager container
otmdoc -r cce-logs-manager
To retrieve the certificate, follow the process below:
a) cd syslog/config/
b) ls
You will get a .crt and .key file, which you can copy to /home/seceon and retrieve from there.
If LTS is not enabled, make the changes in the cce-logs-processor container instead:
1. Go into the cce-logs-processor container
otmdoc -s cce-logs-processor
2. Update the configuration to enable TCP over TLS
3. Restart the cce-logs-processor container
otmdoc -r cce-logs-processor
To retrieve the certificate, follow the process below:
a) cd logstash/config/
b) ls
You will get a .crt and .key file, which you can copy to /home/seceon and retrieve from there.
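The following script is added here as a worked example; it is not part of the KBA or of Seceon's tooling. It turns the steps above into repeatable commands: it generates the CCE's self-signed certificate non-interactively with the Common Name set to the CCE server name, reads that name back out of the certificate to confirm it matches, renders the syslog-ng destination a log source needs to ship over TLS (following the referenced syslog-ng TLS page), and probes the TLS listener, which is the first check to run when the CCE is not receiving TCP traffic. The hostname cce.example.internal, port 6514 and the /etc/syslog-ng/ca.d path are assumptions; the KBA does not state which port the CCE listens on.

```shell
#!/usr/bin/env bash
# Added example, not Seceon's code. Assumed names: CCE hostname
# cce.example.internal and TCP port 6514 (the usual syslog-over-TLS port;
# the KBA does not say which port the CCE listens on).
set -e

# Build the openssl -subj string so the Common Name is exactly the CCE
# server name that clients will connect to (same fields as the KBA prompts).
subj_for() {
    printf '/C=US/ST=New York/L=New York City/O=Bouncy Castles, Inc./OU=Ministry of Water Slides/CN=%s' "$1"
}

# Generate the self-signed key pair non-interactively, with the same
# parameters as the KBA's command, into directory $1 for server name $2.
gen_cert() {
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$1/logserver.key" -out "$1/logserver.crt" \
        -subj "$(subj_for "$2")" >/dev/null 2>&1
    chmod 600 "$1/logserver.key"   # the private key never leaves the CCE
}

# Print the CN from a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the certificate's CN equals the expected server name.
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Render the client-side syslog-ng destination that ships logs to the CCE
# over TLS and refuses to send unless the CCE certificate is trusted.
# ca-dir() (assumed path) must hold logserver.crt, copied from /home/seceon
# on the CCE, linked under its hash name:
#   ln -s logserver.crt "$(openssl x509 -noout -hash -in logserver.crt).0"
syslogng_dest() {
    cat <<EOF
destination d_cce_tls {
    network("$1" port($2) transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")
            peer-verify(required-trusted)
        )
    );
};
log { source(s_src); destination(d_cce_tls); };
EOF
}

# Connectivity check from a log source: the TLS handshake must complete and
# the CCE certificate must verify against the copied logserver.crt ($3).
tls_probe() {
    openssl s_client -connect "$1:$2" -CAfile "$3" </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}

# Stand-alone run (RUN_EXAMPLE=1 ./tls_logs.sh) on the CCE.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
    gen_cert /home/seceon cce.example.internal
    cn_matches /home/seceon/logserver.crt cce.example.internal && echo "CN ok"
    syslogng_dest cce.example.internal 6514
fi
```

peer-verify(required-trusted) is the setting that makes the TLS actually protect the logs: with the more permissive optional-untrusted, a client will happily send to anything answering on the port. If tls_probe fails with a verify error rather than a connection error, the certificate installed under ca-dir does not match the one the CCE presents (for example, a regenerated cert that was not recopied from /home/seceon).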
If TCP traffic is not being received at the CCE server (syslog server):
STEP 1: Log in to the UI >> SYSTEM.
STEP 2: >> LOGS AND FLOWS COLLECTION STATUS.
STEP 3: Under SOURCE DEVICE IP, the sending device's IP is shown once its logs are arriving; if it is absent, the CCE is not receiving that device's traffic.