Receiving Encrypted Syslog

Encrypted TCP Syslog

Tenable Log Correlation Engine can be configured to receive encrypted syslog. The configuration to enable this functionality is located in two places. The Encrypted TCP Syslog Listen Port can be found by selecting Configuration followed by Basic, and by default is configured to port 6514. To locate the Encrypted TCP Syslog section, select Configuration followed by Advanced, and scroll down until the Encrypted TCP Syslog section is displayed.

The “Encrypted TCP Syslog” functionality requires an rsyslog server configured to send encrypted syslog to the Tenable Log Correlation Engine server. A self-signed certificate can be used, but it is recommended to use a signed certificate from a trusted CA (Certificate Authority). The only configuration requirement in the “Encrypted TCP Syslog” is the “Senders’ CA Cert. PEM-encoded Path”, and the suggested path is /opt/lce/credentials/syslog/<filename.pem>.

A fingerprint can be generated, and used for authentication if it is placed in the “Authorized Fingerprints” section of the “Encrypted TCP Syslog” configuration. It is also suggested to include the IP address or DNS name of authorized hosts that will be forwarding encrypted syslog into the “Authorized Hosts” section of “Encrypted TCP Syslog”.

An example configuration is shown below:

Option Description

Senders’ CA Cert PEM-encoded Path

Path of encrypted syslog senders’ CA cert, PEM-encoded, for validating encrypted syslog senders.

If this option is used neither an Authorized Fingerprint nor Authorized Host is required.

Authorized Fingerprints

Fingerprints (SHA-1 hashes of DER-encoded certificates, per RFC4572) of hosts authorized to send encrypted syslog. The length of each fingerprint will be 65 characters. This option can be used alone or in conjunction with Authorized Hosts to enable the receipt of TCP Encrypted Syslog.

Note: Using an Authorized Fingerprint will only verify the certificate’s fingerprint against the configured value. It does not check if the certificate is revoked or expired. It does not require the v3extension.

Authorized Hosts

DNS names or IPs of hosts authorized to send encrypted syslog to the Tenable Log Correlation Engine server. This option can be used alone or in conjunction with Authorized Fingerprints to enable the receipt of TCP Encrypted Syslog.

Note: This option is only required if the X509v3 Subject Alternative Name is present in the certificate.