Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

How To Send Encrypted Logs Over The TCP/TLS

Overview

This KBA describes how to configure the CCE logs processor to receive syslog over TCP with TLS, so that log data is encrypted in transit between the forwarding host and the CCE. Encrypting the transport channel is only one part of a secure logging setup: the server's private key must be protected, and the forwarder must be able to verify the certificate of the server it connects to. The steps below cover generating a self-signed certificate on the CCE, enabling the TLS listener, and the Logstash input configuration behind it; the client-side configuration for a syslog forwarder such as syslog-ng is covered by the referenced article.

Configuration Steps

This section explains how to set up TCP over TLS between a client machine running syslog-ng and a CCE logs processor (Logstash) with TCP over TLS support enabled. The CCE acts as the TLS server and receives the logs; the client machine sends them. The steps are as follows:

Generate a self-signed certificate and private key on the CCE logs processor. Change to /docker/config/ and run the following commands:

  • openssl genrsa -out logserver.key 2048

  • openssl req -new -key logserver.key -out logserver.csr

    When prompted, set the Common Name to the hostname or IP address that forwarders will use to reach the CCE; a client that verifies the server certificate checks this name.

  • cp logserver.key logserver.key.org

  • openssl rsa -in logserver.key.org -out logserver.key

    These two commands write an unencrypted copy of the key, which Logstash requires because it cannot prompt for a passphrase. Since genrsa above was run without an encryption option, the key already has no passphrase and these steps change nothing; they only matter if you chose to encrypt the key.

  • openssl x509 -req -days 365 -in logserver.csr -signkey logserver.key -out logserver.crt

  Restrict logserver.key (and logserver.key.org, or delete it) so that only its owner can read it: anyone who can read the private key can impersonate the log server. Note the 365-day validity; the certificate must be regenerated and redistributed to the forwarders before it expires, or they will stop sending once they verify it.

  • If running 5.2.1+ CCE, update the following files:

    • /docker/config/logstash_base_var.yml -> tcp_over_tls: true

    • /docker/scripts/start-process.sh -> tcp_over_tls=True

  • If running an older CCE version, modify the file /usr/local/seceon/logstash/conf_d_logs/0001_syslog_input_release.conf to match the configuration shown below.

For the client-side syslog-ng configuration, see the following reference on setting up TCP over TLS with syslog-ng:

Ref: https://www.logzilla.net/configuring-tls-tunnels-in-syslog-ng.html

input {
#   syslog {
#      timezone => "America/New_York"
#      port => 514
#      type => "syslog"
#   }
   udp {
      port => 514
      type => "syslog"
      #queue_size => 4000
   }
   tcp {
      port => 514
      type => "syslog"
      ssl_cert => "/docker/config/logserver.crt"
      ssl_key => "/docker/config/logserver.key"
      ssl_enable => true
      ssl_verify => false
   }
}

Note that ssl_verify => false means the CCE does not request a certificate from connecting clients, so any host that can reach port 514/tcp can submit logs: TLS here encrypts the session and lets the client authenticate the server, not the reverse. The udp input on port 514 remains plaintext; once all forwarders send over TLS, disable it or restrict it at the firewall.

  • Restart cce-logs-processor
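As an added example, not part of this KBA or of Seceon's scripts, the following POSIX shell functions carry out the same procedure end to end: they generate the self-signed certificate and unencrypted key in one openssl command (adding a subjectAltName, which the interactive req prompt above does not set, so clients can match the server name), lock down the key, render the Logstash tcp input from above, produce the matching syslog-ng client destination that trusts the self-signed certificate, and check a running listener with openssl s_client after the restart. The hostname cce.example.internal, the ca-dir path and the syslog-ng source name s_local are assumptions; the -addext option needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not part of the Seceon KBA: helper functions for the TLS
# listener setup described above. Hostname, paths and the syslog-ng source
# name are placeholders (assumptions) chosen for illustration.
set -e

# One-shot self-signed cert + unencrypted key (what the five openssl steps in
# the KBA produce), with a subjectAltName so clients can match the server name.
# Requires OpenSSL 1.1.1 or later for -addext.
gen_logserver_cert() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/logserver.key" -out "$dir/logserver.crt" 2>/dev/null
    chmod 600 "$dir/logserver.key"   # anyone who reads the key can impersonate the CCE
    chmod 644 "$dir/logserver.crt"   # the cert is public; every forwarder needs a copy
}

# Check: private key readable by its owner only (0600 or 0400).
# GNU stat first, BSD stat as fallback.
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Logstash tcp input as in the KBA. ssl_verify => false: clients are not asked
# for a certificate, so this encrypts and authenticates the server side only.
render_logstash_tls_input() {
    cert="$1"; key="$2"; port="${3:-514}"
    cat <<EOF
input {
  tcp {
    port => $port
    type => "syslog"
    ssl_enable => true
    ssl_cert => "$cert"
    ssl_key => "$key"
    ssl_verify => false
  }
}
EOF
}

# Client side: syslog-ng trusts the self-signed cert when it sits in a ca-dir
# under its subject-hash name, which is how syslog-ng looks up trusted CAs.
install_client_trust() {
    crt="$1"; cadir="$2"
    mkdir -p "$cadir"
    cp "$crt" "$cadir/$(openssl x509 -noout -hash -in "$crt").0"
}

# syslog-ng destination that refuses to send unless the server cert verifies
# (peer-verify(required-trusted)); s_local is an assumed existing source name.
render_syslogng_tls_dest() {
    host="$1"; port="${2:-514}"; cadir="${3:-/etc/syslog-ng/ca.d}"
    cat <<EOF
destination d_cce_tls {
  network("$host" port($port) transport("tls")
    tls(ca-dir("$cadir") peer-verify(required-trusted)));
};
log { source(s_local); destination(d_cce_tls); };
EOF
}

# Post-restart check from a forwarder: the handshake must complete and the
# server cert must verify against the copy that was distributed.
check_tls_listener() {
    host="$1"; port="${2:-514}"; crt="$3"
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$crt" 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

Typical use: run gen_logserver_cert /docker/config cce.example.internal on the CCE, copy logserver.crt to each forwarder and run install_client_trust there, then after restarting cce-logs-processor run check_tls_listener cce.example.internal 514 /path/to/logserver.crt from a forwarder; a non-zero exit means either the listener is not up or the certificate the client trusts does not match the one the CCE presents.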

Seceon Inc. All rights reserved. https://www.seceon.com