Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.

How to send encrypted logs over TCP to the CCE

Overview

This KBA describes how to send encrypted logs to the CCE over TCP using TLS (syslog over TLS).

Server SSL Key Creation

Generate the server key and certificate in /home/seceon on the CCE. The Common Name you enter must match the Seceon CCE server name (FQDN or IP address) that the log senders connect to.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout logserver.key -out logserver.crt

You will be prompted for the following information. Only the Common Name is used for TLS name verification: enter exactly the FQDN or IP address that the log senders will use to reach the CCE. The other values shown are placeholders.

Country Name (2 letter code): US
State or Province Name (full name) [Some-State]: New York
Locality Name (eg, city) []: New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []: Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []: server FQDN or server_IP_address
Email Address []: admin@your_domain.com

Because -nodes writes logserver.key without a passphrase, restrict it to the seceon user (chmod 600 logserver.key) and never copy it to the log senders; they only need logserver.crt.
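The key creation step above, as an added example (not Seceon's own tooling): the same openssl command made non-interactive, followed by the checks worth running before the certificate is handed to log senders. Assumptions: NAME is whatever the senders use to reach the CCE (cce.example.internal is a hypothetical value), the organization fields are placeholders, and OUTDIR defaults to /home/seceon as in this KBA.

```shell
# Added example, not part of the Seceon KBA. Creates and checks the CCE
# log server key/certificate. NAME (e.g. cce.example.internal, hypothetical)
# must be exactly the FQDN or IP the syslog clients connect to.
set -eu

# make_logserver_cert NAME [OUTDIR]
# Writes OUTDIR/logserver.key and OUTDIR/logserver.crt, valid for 365 days,
# with NAME as the Common Name and, where OpenSSL allows, as a SAN entry.
make_logserver_cert() {
    name=$1
    outdir=${2:-/home/seceon}
    # Modern TLS clients match the server name against SANs, not the CN
    # alone: emit an IP SAN for an IPv4 literal and a DNS SAN otherwise.
    case $name in
        *[!0-9.]*) san="DNS:$name" ;;
        *)         san="IP:$name" ;;
    esac
    # -addext needs OpenSSL 1.1.1+; older builds fall back to CN only.
    ext="-addext subjectAltName=$san"
    openssl req -help 2>&1 | grep -q -- -addext || ext=""
    # -nodes leaves the private key unencrypted so the log server can start
    # unattended; compensate by creating it unreadable to group/other.
    # ($ext is deliberately unquoted so it splits into two arguments.)
    (umask 077 && openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$outdir/logserver.key" -out "$outdir/logserver.crt" \
        -subj "/C=US/ST=New York/L=New York City/O=Example Org/CN=$name" \
        $ext >/dev/null 2>&1)
    chmod 600 "$outdir/logserver.key"
    chmod 644 "$outdir/logserver.crt"   # public; this is what senders get
}

# check_logserver_cert NAME [OUTDIR]
# Prints the certificate's SHA-256 fingerprint and returns 0 only when:
#   1. the certificate names NAME (CN or SAN),
#   2. the private key is readable by its owner alone,
#   3. the key and the certificate carry the same public key.
check_logserver_cert() {
    name=$1
    outdir=${2:-/home/seceon}
    crt=$outdir/logserver.crt
    key=$outdir/logserver.key
    openssl x509 -in "$crt" -noout -text | grep -q "$name" \
        || { echo "certificate does not name $name" >&2; return 1; }
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
        || { echo "$key is readable by group or others" >&2; return 1; }
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] \
        || { echo "key and certificate do not match" >&2; return 1; }
    openssl x509 -in "$crt" -noout -fingerprint -sha256
}
```

Run make_logserver_cert with the CCE's name, then check_logserver_cert with the same name; record the printed fingerprint so senders can confirm they received the right logserver.crt.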

Generating TCP/TLS Logs using syslog-ng:
Ref: https://www.logzilla.net/configuring-tls-tunnels-in-syslog-ng.html

Scenario

  1. Logs will be received by the CCE logs-processor or logs-manager, on which TCP over TLS support is enabled using the steps below.
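The sender side of this scenario, as an added example (not from this KBA or the referenced logzilla page): trusting the CCE's certificate in syslog-ng and writing the TLS destination. Assumptions, all hypothetical: the CCE is reachable as cce.example.internal on TCP/514 (the port this KBA uses; 6514 is the IANA port for syslog over TLS), its logserver.crt has been copied from /home/seceon on the CCE to the sender, and the distribution's default local source is named s_src (s_sys on some distributions).

```shell
# Added example, not part of the Seceon KBA: syslog-ng client-side setup.
set -eu

# install_cce_ca CRT CADIR
# syslog-ng's ca-dir() is an OpenSSL hash directory: certificates are found
# by <subject hash>.0, not by file name, so copy the certificate in and
# create the link. Prints the link path.
install_cce_ca() {
    crt=$1
    cadir=$2
    mkdir -p "$cadir"
    cp "$crt" "$cadir/cce-logserver.crt"
    hash=$(openssl x509 -noout -hash -in "$crt")
    ln -sf cce-logserver.crt "$cadir/$hash.0"
    echo "$cadir/$hash.0"
}

# write_cce_destination CONF HOST PORT CADIR
# Writes a syslog-ng destination that encrypts to the CCE and refuses to
# send unless the server presents a certificate that verifies against CADIR.
write_cce_destination() {
    conf=$1
    host=$2
    port=$3
    cadir=$4
    cat > "$conf" <<EOF
# Forward local syslog to the Seceon CCE over TCP with TLS.
destination d_cce_tls {
    network("$host" port($port)
        transport("tls")
        tls(
            ca-dir("$cadir")
            # required-trusted: refuse to send unless the CCE's certificate
            # verifies against ca-dir. The weak alternative is
            # peer-verify(optional-untrusted): encrypted, but any server
            # could impersonate the CCE.
            peer-verify(required-trusted)
        )
    );
};
log { source(s_src); destination(d_cce_tls); };
EOF
}

# verify_cce_tls HOST PORT CADIR
# Checks the TLS handshake from this sender before touching syslog-ng:
# succeeds only if the CCE's certificate verifies against CADIR.
verify_cce_tls() {
    openssl s_client -connect "$1:$2" -CApath "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}
```

Typical order: install_cce_ca /home/seceon/logserver.crt /etc/syslog-ng/ca.d, then verify_cce_tls cce.example.internal 514 /etc/syslog-ng/ca.d, and only then write_cce_destination into /etc/syslog-ng/conf.d/ and reload syslog-ng; a handshake that fails at the openssl step will fail identically inside syslog-ng.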

If LTS is enabled, perform the following changes in the logs-manager container.

1. Go into the cce-logs-manager container:

otmdoc -s cce-logs-manager

2. Update /docker/config/syslog_base_var.yml and set tcp_over_tls: True

vi docker/config/syslog_base_var.yml

3. Restart the cce-logs-manager container:

otmdoc -r cce-logs-manager

To retrieve the certificate, do the following:

a) cd syslog/config/

b) ls

You will find a .crt and a .key file; copy them to /home/seceon so they can be retrieved from the host. Distribute only the .crt to the log-sending hosts; the .key is the server's private key and must stay on the CCE with restricted permissions.

If LTS is not enabled, make the changes in the cce-logs-processor container.

1. Go into the cce-logs-processor container:

otmdoc -s cce-logs-processor

2. Update /docker/config/logstash_base_var.yml and set tcp_over_tls: True

vi docker/config/logstash_base_var.yml

3. Restart the cce-logs-processor container:

otmdoc -r cce-logs-processor

To retrieve the certificate, do the following:

a) cd logstash/config/

b) ls

You will find a .crt and a .key file; copy them to /home/seceon so they can be retrieved from the host. As above, distribute only the .crt to the log-sending hosts and keep the .key on the CCE.

If TCP traffic is not being received at the CCE server (syslog server):

  • Verify whether another application is already listening on port 514 (e.g. rsyslog).

  • If so, stop and disable that service, e.g.:
    systemctl stop rsyslog
    systemctl disable rsyslog

    Note that systemctl disable on its own only prevents the service from starting at the next boot; the running process keeps the port until it is stopped.
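The port check above, as an added example (not Seceon tooling): find which process already owns the syslog port and release it. find_listener parses the output of ss -ltnp, so it can be exercised on captured output; free_port drives it on a live host. Assumptions: a Linux host with iproute2 (ss) and systemd, and PORT defaulting to 514 as in this KBA.

```shell
# Added example, not part of the Seceon KBA: find and free a held port.
set -eu

# find_listener PORT
# Reads `ss -ltnp` output on stdin and prints the name of each process
# listening on PORT on any address (IPv4 or IPv6). Returns 1 if none.
find_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" && $4 ~ (":" port "$") {
            # The process column looks like users:(("rsyslogd",pid=812,fd=5))
            # and is only present when ss runs as root.
            if (match($0, /users:\(\("[^"]+"/))
                print substr($0, RSTART + 9, RLENGTH - 10)
            else
                print "unknown"
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# free_port [PORT]
# Stops and disables the systemd unit holding PORT, if any. `systemctl
# disable` alone only affects the next boot; the running process keeps the
# socket until it is stopped, hence --now.
free_port() {
    port=${1:-514}
    if ! owner=$(ss -ltnp | find_listener "$port"); then
        echo "nothing is listening on TCP/$port"
        return 0
    fi
    for proc in $owner; do
        if [ "$proc" = unknown ]; then
            echo "TCP/$port is in use; rerun as root to identify the process"
            continue
        fi
        # Map the daemon to its unit; rsyslogd's unit is rsyslog.service.
        case $proc in
            rsyslogd) unit=rsyslog ;;
            *)        unit=$proc ;;
        esac
        echo "TCP/$port is held by $proc; stopping and disabling $unit"
        systemctl disable --now "$unit"
    done
}
```

After free_port, rerun ss -ltnp | find_listener 514 to confirm the port is clear, then restart the CCE container so its listener can bind.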

Verification:

STEP 1: Log in to the UI and go to SYSTEM >> LOGS AND FLOWS COLLECTION STATUS.

STEP 2: Under SOURCE DEVICE IP, the IP address of the sending device should appear once its logs arrive over the TLS connection.

Seceon Inc. All rights reserved. https://www.seceon.com