Example Encrypted TCP Syslog Configuration

How the Encrypted TCP syslog is configured depends on the implementation of the rsyslog server that is forwarding the logs to LCE. This example uses certificates generated by the openssl-utils script in the /opt/lce/tools directory. The certificates generated by the openssl-utils script are X509v3 certificates, so the FQDN (Fully Qualified Domain Name) of each host is required. The OS used for this example is CentOS 6 64-bit.

Configuring TCP syslog will include the following steps:

  1. Generate credentials using /opt/lce/tools/openssl-utils.sh.
  2. Copy credentials to /opt/lce/credentials/syslog, and to a directory on the remote rsyslog server.
  3. Set file permissions on the certificates.
  4. Edit rsyslog.conf, and restart the rsyslog service.
  5. Configure the “Encrypted TCP Syslog” settings in the LCE GUI under “Configuration” -> “Advanced”, and update the configuration.

Step 1

Generate CA credentials.

# ./openssl-utils.sh --generate-CA-creds 'C=US,st=MD,CN=lce01.example.com' /tmp/foo-creds/ca/

Generate the certificates for the rsyslog server.

# ./openssl-utils.sh --generate-creds devsyslog1.example.com 192.168.1.157 'C=US,st=MD,CN=syslog1.example.com' /tmp/foo-creds/client/ /tmp/foo-creds/ca/

Optionally, generate a client certificate to revoke. This is only needed in order to create a certificate revocation list (CRL).

# ./openssl-utils.sh --generate-creds revoke.example.com 192.168.1.47 'C=US,st=MD,CN=revoke.example.com' /tmp/foo-creds/revoked/ /tmp/foo-creds/ca/

Generate the certificate revocation list (CRL). This is only required if you completed the previous step.

# ./openssl-utils.sh --revoke /tmp/foo-creds/revoked/cert.pem /tmp/foo-creds/ca/ /tmp/foo-creds/crl.pem

Step 2

Copy the CA certificate (/tmp/foo-creds/ca/cert.pem) to the /opt/lce/credentials/syslog directory on your LCE server. The certificate must be renamed to rsyslog-ca.pem so that it does not overwrite the LCE cert.pem file that already exists in the same location.

Caution: Make sure when copying the files to the /opt/lce/credentials directory that you do not overwrite the SSL certificates that were generated at the time of installation. The certificates are ca-cert.pem, ca-privkey.pem, cert.pem, privkey.pem, and sorted-cert-chain.pem.

[root@test01 ca]# cp /tmp/foo-creds/ca/cert.pem /opt/lce/credentials/syslog/rsyslog-ca.pem

Copy the certificate revocation list (crl.pem) to the /opt/lce/credentials/syslog directory on your LCE server.

[root@test01 ca]# cp /tmp/foo-creds/crl.pem /opt/lce/credentials/syslog/crl.pem

Copy these certificates to a directory on the server running rsyslog. For this example they will be placed in the /root/selfsigned directory of the rsyslog server.

/tmp/foo-creds/client/privkey.pem

/tmp/foo-creds/client/cert.pem

/tmp/foo-creds/ca/cert.pem

Notice that two of these files are named cert.pem. Rename the one from the /tmp/foo-creds/ca/ directory to rsyslog-ca.pem; that is the name referenced in the rsyslog.conf lines in Step 4.

Step 3

Verify the file permissions and ownership of the certificates that were moved to /opt/lce/credentials/syslog. Each file should be readable only by its owner and group (mode 440) and should be owned by the lce user and group. Use the following commands to change ownership and permissions.

# chmod 440 crl.pem

# chown lce:lce crl.pem

# chmod 440 rsyslog-ca.pem

# chown lce:lce rsyslog-ca.pem

The files moved to the rsyslog server (/root/selfsigned in this example) should have the same file permissions, but should be owned by the root user.

# chmod 440 rsyslog-ca.pem privkey.pem cert.pem

# chown root:root rsyslog-ca.pem privkey.pem cert.pem

Step 4

Use your preferred text editor to add the following lines to the rsyslog server configuration file (rsyslog.conf) if they are not already present. The certificate paths must match the directory the files were copied to in Step 2.

#$MainMsgQueueType Direct

# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
$ActionSendStreamDriverAuthMode x509/certvalid # validate the server certificate against the CA file

# rsyslog v5 configuration file
# certificate files for this client: its private key and certificate, plus the CA certificate used for validation
$DefaultNetstreamDriverKeyFile /root/selfsigned/privkey.pem
$DefaultNetstreamDriverCertFile /root/selfsigned/cert.pem
$DefaultNetstreamDriverCAFile /root/selfsigned/rsyslog-ca.pem

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional; @@ selects TCP (a single @ would be UDP)
*.* @@lce01.example.com:6514

Restart the rsyslog service.

# service rsyslog restart

The following items will need to be entered in the Encrypted TCP Syslog section of the LCE GUI configuration. For Senders’ CA Cert, PEM-encoded Path, enter /opt/lce/credentials/syslog/rsyslog-ca.pem.

The certificates were generated using X509v3 extensions, which means the FQDN (Fully Qualified Domain Name) of each rsyslog sender will need to be entered into Authorized Hosts. After the information has been entered, scroll to the bottom of the page and select Update.
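A check for the rsyslog side of the procedure above, added here as an example and not part of the LCE or rsyslog documentation: a small shell linter that reads an rsyslog.conf and reports when the stanza from Step 4 is missing or weakened (the gtls driver not selected, TLS not required, the commented-out "anon" auth mode left active, no CA file, or a plain "@" UDP forward instead of "@@" TCP). The sample configuration at the bottom is constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the LCE or rsyslog documentation: lint the
# forwarding stanza of an rsyslog.conf for the TLS settings this page requires.
# Prints one FAIL line per problem; returns 0 only when every check passes.

# Drop comments and blank lines so a commented-out directive such as
# "#$ActionSendStreamDriverAuthMode anon" is not mistaken for an active one.
active_lines() {
    sed -e 's/[[:space:]]*#.*$//' -e 's/^[[:space:]]*//' -e '/^[[:space:]]*$/d' "$1"
}

# has REGEX: true if an active line of the config being linted matches REGEX.
has() { printf '%s\n' "$cfg" | grep -Eq "$1"; }

lint_rsyslog_tls() {
    cfg=$(active_lines "$1"); rc=0
    has '^\$DefaultNetstreamDriver[[:space:]]+gtls[[:space:]]*$' \
        || { echo "FAIL: \$DefaultNetstreamDriver gtls is not set"; rc=1; }
    has '^\$ActionSendStreamDriverMode[[:space:]]+1[[:space:]]*$' \
        || { echo "FAIL: \$ActionSendStreamDriverMode 1 (require TLS) is not set"; rc=1; }
    if has '^\$ActionSendStreamDriverAuthMode[[:space:]]+anon[[:space:]]*$'; then
        echo "FAIL: auth mode anon: the LCE server certificate is never validated"; rc=1
    elif ! has '^\$ActionSendStreamDriverAuthMode[[:space:]]+x509/(certvalid|name)[[:space:]]*$'; then
        echo "FAIL: no x509 auth mode (x509/certvalid or x509/name) is set"; rc=1
    fi
    has '^\$DefaultNetstreamDriverCAFile[[:space:]]+[^[:space:]]' \
        || { echo "FAIL: \$DefaultNetstreamDriverCAFile (rsyslog-ca.pem) is not set"; rc=1; }
    if has '^\*\.\*[[:space:]]+@[^@]'; then
        echo "FAIL: a single @ forwards over UDP in the clear; use @@host:6514"; rc=1
    fi
    has '^\*\.\*[[:space:]]+@@[^[:space:]]+' \
        || { echo "FAIL: no TCP forward (*.* @@host:port) found"; rc=1; }
    return $rc
}

# Constructed sample: the page's stanza with the "anon" line left active and a UDP forward.
weak=$(mktemp)
cat > "$weak" <<'EOF'
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
*.* @lce01.example.com:514
EOF
lint_rsyslog_tls "$weak" || echo "weak config rejected"
rm -f "$weak"
```

Run it against /etc/rsyslog.conf on the rsyslog server after Step 4; a non-zero exit status means at least one of the required settings is absent or weakened.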

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.