Encrypting syslog with TLS
Last updated on:In this page
Objective
Secure remote logging on syslog servers by encrypting it with TLS.
Syslog traffic can be encrypted using TLS/SSL, which provides mutual authentication between the remote server and the clients, thereby preventing man-in-the-middle attacks. The following steps show how to accomplish this.
Please ensure that:
- Port 6514 outbound is open on your firewall and the network as it is used by TLS for communication.
- gnuTLS is installed on both the clients and the remote server since we are using GTLS driver.
- Under no circumstance a third party accesses the certificate keys.
Steps to encrypt syslog with TLS
Create a self-signed certificate
Below are the steps to create a self-signed certificate with gnuTLS on the remote syslog server.
- Generate a private key using this command:
certtool --generate-privkey --outfile ca-key.pem - Set the file inaccessible to anyone other than the root user.
chmod 400 ca-key.pem - Use the following command to create the self-signed CA certificate:
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
Fill in the details appropriately, when prompted. The Certificate Authority (CA) is now set up.
Generate machine certificate for every machine
- Generate a private key and store it in the key.pem file.
certtool --generate-privkey --outfile key.pem --bits 2048 - Create the machine certificate using the following command. The name of the file request.pem, is specific to the machine. For example, if your machine is server1, the file may be named as server1-request.pem.
certtool --generate-request --load-privkey key.pem --outfile request.pem - Sign the machine certificate using the private key of the CA with the following command
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Fill in the details as necessary, when prompted.
Distributing the certificates
- The following files need to be copied into all the server and client machines:
- a copy of ca.pem
- cert.pem
- Key.pem
Create a directory on the root server to store these keys.
These files should be inaccessible to any user except the root user.
Configuring the remote server to communicate over TCP using TLS
- Create a new configuration file /etc/rsyslog.d/logserver.conf, with the code given below:
module(load="imuxsock") # local messages module(load="imtcp" # TCP listener StreamDriver.Name="gtls" StreamDriver.Mode="1" # run driver in TLS-only mode StreamDriver.Authmode="anon" ) # make gtls driver the default and set certificate files global( DefaultNetstreamDriver="gtls" DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem" DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem" DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem" ) # start up listener at port 6514 input( type="imtcp" port="6514" )
Configuring the client machines
- Create a new file /etc/rsyslog.d/logclient.conf with the following code:
global( DefaultNetstreamDriver="gtls" DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem" DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem" DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem" ) # set up the action for all messages action( type="omfwd" target="central.example.net" protocol="tcp" port="6514" StreamDriver="gtls" StreamDriverMode="1" # run driver in TLS-only mode StreamDriverAuthMode="x509/name" StreamDriverPermittedPeers="central.example.net" )
This sets up your system for encrypted transmission of syslogs.
Using a log mangement solution
EventLog Analyzer, a comprehensive log management solution collects, analyzes, correlates, searches, and archives log data from devices across the network. The solution ensures security of log data while collection and transmission by employing different security protocols. Check out more about EventLog Analyzer here.
