Example Encrypted TCP Syslog Configuration

How the Encrypted TCP syslog is configured depends on the implementation of the rsyslog server that is forwarding the logs to Tenable Log Correlation Engine. For this example, certificates generated by the openssl-utils script contained in the /opt/lce/tools directory will be used. The certificates generated by the openssl-utils script are X509v3 certificates that will require the FQDN (fully qualified domain name) of each host. The OS used for this example is CentOS 6 64-bit.

To configure the TCP syslog:

  1. Generate CA credentials using /opt/lce/tools/openssl-utils.sh.

    # ./openssl-utils.sh --generate-CA-creds 'C=US,st=MD,CN=lce01.example.com' /tmp/foo-creds/ca/

    Generate the certificates for the rsyslog server.

    # ./openssl-utils.sh --generate-creds devsyslog1.example.com 192.0.2.157 'C=US,st=MD,CN=syslog1.example.com' /tmp/foo-creds/client// /tmp/foo-creds/ca/

    Generate a client certificate to revoke. This is done to create a certificate revocation list. This is optional.

    # ./openssl-utils.sh --generate-creds revoke.example.com 192.0.2.47 'C=US,st=MD,CN=revoke.example.com' /tmp/foo-creds/revoked// /tmp/foo-creds/ca/

    Generate the revocation list certificate. This is only required if you completed the previous step.

    # ./openssl-utils.sh --revoke /tmp/foo-creds/revoked/cert.pem /tmp/foo-creds/ca/ /tmp/foo-creds/crl.pem

  2. Copy credentials to /opt/lce/credentials/syslog, and to a directory on the remote rsyslog server. Copy the CA certificate (/tmp/foo-creds/ca/cert.pem) to the /opt/lce/credentials/syslog directory on your Tenable Log Correlation Engine server.

    The certificate will need to be renamed to rsyslog-ca.pem so it does not overwrite the Tenable Log Correlation Engine cert.pem file that already exists in the same location.

    Caution: Make sure when copying the files to the /opt/lce/credentials directory that you do not overwrite the SSL credentials that were generated at the time of installation. The credentials are CA-cert.pem, CA-privkey.pem, server-cert.pem, and server-privkey.pem.

    [root@test01 ca]# cp /tmp/foo-creds/ca/cert.pem /opt/lce/credentials/syslog/rsyslog-ca.pem

    Copy the certification revocation list (crl.pem) to /opt/lce/credentials/syslog directory on your Tenable Log Correlation Engine server.

    [root@test01 ca]# cp /tmp/foo-creds/crl.pem /opt/lce/credentials/syslog/crl.pem

    Copy these certificates to a directory on the server running rsyslog. For this example they will be placed in the /root/self-signed directory of the rsyslog server.

    /tmp/foo-creds/client/privkey.pem

    /tmp/foo-creds/client/cert.pem

    /tmp/foo-creds/ca/cert.pem

    Notice that two of these certificates have the same name. It is suggested the certificate from the /tmp/foo-creds/ca/ directory be renamed to rsyslog-ca.pem.

  3. Set file permissions on the certificates.

    Verify the file permissions and ownership of the certificates that were moved to /opt/lce/credentials/syslog. Each file should be readable only by its owner and group (mode 440), and should be owned by the Tenable Log Correlation Engine user and group (lce:lce). Use the following commands to change ownership and permissions.

    # chmod 440 crl.pem

    # chown lce:lce crl.pem


    # chmod 440 rsyslog-ca.pem

    # chown lce:lce rsyslog-ca.pem

    The files moved to the rsyslog server should have the same file permissions, but should be owned by the root user.

    # chmod 440 rsyslog-ca.pem

    # chmod 440 privkey.pem

    # chmod 440 cert.pem

  4. Use your preferred text editor to add the following lines to the rsyslog server configuration (rsyslog.conf) file if they are not already present.

    #$MainMsgQueueType Direct

    # set up the action

    $DefaultNetstreamDriver gtls # use gtls netstream driver

    $ActionSendStreamDriverMode 1 # require TLS for the connection

    #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated

    $ActionSendStreamDriverAuthMode x509/certvalid


    # rsyslog v5 configuration file

    # certificate files - just CA for a client

    $DefaultNetstreamDriverKeyFile /root/self-signed/privkey.pem

    $DefaultNetstreamDriverCertFile /root/self-signed/cert.pem

    $DefaultNetstreamDriverCAFile /root/self-signed/rsyslog-ca.pem


    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional

    *.* @@lce01.example.com:6514

    Restart the rsyslog service.

    # service rsyslog restart

    The following items will need to be entered in the Encrypted TCP Syslog section of the Tenable Log Correlation Engine interface. The Senders’ CA Cert, PEM-encoded Path field must point to the CA certificate copied in step 2, which in this example is /opt/lce/credentials/syslog/rsyslog-ca.pem.

    The certificates were generated with X509v3 extensions, which means the FQDN (Fully Qualified Domain Name) of each sending host will need to be entered into Authorized Hosts. After the information has been entered, scroll to the bottom of the page and select Update.

  5. Configure the “Encrypted TCP Syslog” settings in the Log Correlation Engine interface under Configuration > Advanced, and update the configuration.
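The following script is an added example, not part of the Tenable documentation or the openssl-utils tool. It checks the two things steps 1 through 3 leave easy to get wrong: that every credential file on each host has mode 440 and the expected owner, and that the rsyslog client certificate chains to the CA, is not on the CRL, and carries the FQDN that will be entered into Authorized Hosts. The function names, the mode/owner check and the use of the openssl CLI are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Tenable's code): sanity-check the syslog TLS credentials
# before LCE and rsyslog start using them.

# check_cred_perms DIR OWNER FILE...
# Returns 0 when every FILE in DIR exists, is mode 440 and is owned by OWNER
# (lce on the LCE server, root on the rsyslog host); prints each problem found.
check_cred_perms() {
    dir=$1; owner=$2; shift 2
    rc=0
    for f in "$@"; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        mode=$(stat -c '%a' "$path")   # octal permission bits (GNU/busybox stat)
        user=$(stat -c '%U' "$path")   # owning user name
        [ "$mode" = "440" ] || { echo "MODE    $path is $mode, want 440"; rc=1; }
        [ "$user" = "$owner" ] || { echo "OWNER   $path is $user, want $owner"; rc=1; }
    done
    return $rc
}

# verify_client_cert CA_CERT CRL CLIENT_CERT FQDN
# Returns 0 when CLIENT_CERT validates against CA_CERT with CRL checking on
# and the certificate text (subject/SAN) contains FQDN. Needs the openssl CLI.
verify_client_cert() {
    ca=$1; crl=$2; cert=$3; fqdn=$4
    openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" || return 1
    openssl x509 -noout -text -in "$cert" | grep -q "$fqdn" \
        || { echo "FQDN $fqdn not found in $cert"; return 1; }
}

# Usage (paths and FQDN as in this document's example):
#   check_cred_perms /opt/lce/credentials/syslog lce rsyslog-ca.pem crl.pem
#   check_cred_perms /root/self-signed root rsyslog-ca.pem cert.pem privkey.pem
#   verify_client_cert /tmp/foo-creds/ca/cert.pem /tmp/foo-creds/crl.pem \
#       /tmp/foo-creds/client/cert.pem devsyslog1.example.com
```

Run the permission check on both hosts after step 3; run the certificate check on the host where the openssl-utils output still lives, before the credentials are copied.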