Objective: Secure remote logging on syslog servers by encrypting it with TLS.
Syslog traffic can be encrypted using TLS/SSL, which provides mutual authentication between the remote server and the clients, thereby preventing man-in-the-middle attacks. The following steps show how to accomplish this.
Please ensure that:
- Port 6514 outbound is open on your firewall and the network as it is used by TLS for communication.
- gnuTLS is installed on both the clients and the remote server since we are using GTLS driver.
- Under no circ*mstance a third party accesses the certificate keys.
Procedure:
-
Create a self-signed certificate )
Below are the steps to create a self-signed certificate with gnuTLS on the remote syslog server.
- Generate a private key using this command:
certtool --generate-privkey --outfile ca-key.pem
- Set the file inaccessible to anyone other than the root user.
chmod 400 ca-key.pem
- Use the following command to create the self-signed CA certificate:
certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
Fill in the details appropriately, when prompted. The Certificate Authority (CA) is now set up.
- Generate a private key using this command:
-
Generate machine certificate for every machine.
- Generate a private key and store it in the key.pem file.
certtool --generate-privkey --outfile key.pem --bits 2048
- Create the machine certificate using the following command. The name of the file request.pem, is specific to the machine. For example, if your machine is server1, the file may be named as server1-request.pem.
certtool --generate-request --load-privkey key.pem --outfile request.pem
- Sign the machine certificate using the private key of the CA with the following command
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
See AlsoWhat is syslog? | Sumo LogicFill in the details as necessary, when prompted.
- Generate a private key and store it in the key.pem file.
-
Distributing the certificates
-
The following files need to be copied into all the server and client machines:
- a copy of ca.pem
- cert.pem
- Key.pem
Create a directory on the root server to store these keys.
These files should be inaccessible to any user except the root user.
-
-
Configure the remote server to communicate over TCP using TLS certificates
- Create a new configuration file /etc/rsyslog.d/logserver.conf, with the code given below:
module(load="imuxsock") # local messages
module(load="imtcp" # TCP listener
StreamDriver.Name="gtls"
StreamDriver.Mode="1" # run driver in TLS-only mode
StreamDriver.Authmode="anon"
)
# make gtls driver the default and set certificate files global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem"
DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem"
DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem"
)
# start up listener at port 6514
input( type="imtcp"
port="6514"
)
- Create a new configuration file /etc/rsyslog.d/logserver.conf, with the code given below:
-
Configure the client machines so that they send logs only when the server identity is verified
- Create a new file /etc/rsyslog.d/logclient.conf with the following code:
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/path/to/contrib/gnutls/ca.pem"
DefaultNetstreamDriverCertFile="/path/to/contrib/gnutls/cert.pem"
DefaultNetstreamDriverKeyFile="/path/to/contrib/gnutls/key.pem"
)
# set up the action for all messages action(
type="omfwd"
target="central.example.net"
protocol="tcp"
port="6514"
StreamDriver="gtls"
StreamDriverMode="1"
# run driver in TLS-only mode StreamDriverAuthMode="x509/name"
StreamDriverPermittedPeers="central.example.net"
)
- Create a new file /etc/rsyslog.d/logclient.conf with the following code:
This sets up your system for encrypted transmission of syslogs.
EventLog Analyzer, a comprehensive log management solution collects, analyzes, correlates, searches, and archives log data from devices across the network. The solution ensures security of log data while collection and transmission by employing different security protocols. Check out more about EventLog Analyzer here.