LogZilla Server SSL Key Creation
You will be prompted for a passphrase during this process, but it will only be used to create the keys. Once the keys are created, the passphrase will be removed. You will also be asked questions about the server's name, location, and contact information.
The server name **must** match the entry in your `/etc/hostname` file.
First, to generate a new key, issue the following command:
```
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt
```
You will be prompted for the following identification information:
```
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com
```
Once your keys are created, copy them to the `syslog-ng` directory:
```
cp tls.key tls.crt /etc/logzilla/syslog-ng
```
Note that the proper paths for the key and certificate files are:
| Purpose | Path |
| ----------- | --------------------------------- |
| Key | `/etc/logzilla/syslog-ng/tls.key` |
| Certificate | `/etc/logzilla/syslog-ng/tls.crt` |
Configure syslog-ng
The port that LogZilla uses for incoming TLS connections by default is `6514`.
This can be configured as follows (in this example, to `12345`):
```
logzilla config SYSLOG_TLS_PORT 12345
```
Next, TLS support should be enabled:
```
logzilla config SYSLOG_TLS_ENABLED 1
```
This will cause the LogZilla *syslog* server to be
restarted automatically. You can check whether TLS support is operational
using the `openssl` command, as illustrated below. Replace the
`11.22.33.44:12345` with your LogZilla server address and TLS port.
In the below example, first you see the identification information as
you provided it above (`C`, `ST`, `L`, `O`, etc.). Next it should show
the same certificate information as your certificate file (`tls.crt`).
Last, it should show information about the TLS cipher and key specifications
in use:
```
$ openssl s_client -connect 11.22.33.44:12345 < /dev/null
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
verify return:1
---
Certificate chain
0 s:C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
i:C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEAzCCAuugAwIBAgIUFs9AP+DgpVNy6Dny+ngi9CZyeiUwDQYJKoZIhvcNAQEL
BQAwgZAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMRAwDgYDVQQH
DAdNeSBDaXR5MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEzAR
BgNVBAMMCnRlc3RzZXJ2ZXIxIjAgBgkqhkiG9w0BCQEWE3Jvb3RAdGVzdHNlcnZl
ci5vcmcwHhcNMjIwNTI2MDkyMzE4WhcNMjMwNTI2MDkyMzE4WjCBkDELMAkGA1UE
BhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxEDAOBgNVBAcMB015IENpdHkxITAf
BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKdGVzdHNl
cnZlcjEiMCAGCSqGSIb3DQEJARYTcm9vdEB0ZXN0c2VydmVyLm9yZzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANPj5C/vYsHEapKl8lEgYKNqvRUDI6gt
HSMzAfcRkWo6dh3hE93rD0cZG3AUYQpUbx1Lh94hfHaVvMmb1UPY5nSrkpQqQ7fF
sbFjF+IRjtyO+zgm7QAu0uI696aSme8vrY2hTFhzNYnYNIuD359xd0U5demytBdR
Fq/vIVTtHXJic6I0g8agge/dbtTL4KmJ4sjLedkYAQMEQ6yaSg+0cgfXYPNy6+K6
XKPxtIaNrd3PZy84VcA4P4ANUluFUTpZORcGFEYP4RWzor5X+Sc7rGbYmEtku30+
7YctsIt8aUrzz2DiXAuiPxJ6iOVqxWS59Pkh5E4Lg97WzEWNI0iiDp0CAwEAAaNT
MFEwHQYDVR0OBBYEFCuik5Z630HA9+g+vUEoy1HRd2SfMB8GA1UdIwQYMBaAFCui
k5Z630HA9+g+vUEoy1HRd2SfMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBALqiTR5XaGZJJqiN+im+q4LxWAVlAmIvPGrgjuAm8wOkkaQnXvDQq4e3
tYQpK4y/JgaXNH1Z8D2kmA7yOH6WRpnqL+emUd5FPFjNF5Znx2JFpSrFmiHg2IYp
Jq+zaBGGQKWblx5Zr3CI3lfMoawVcFl9n5CQbOPM4HFyhkLKVwO42g+UufuUvBFC
5oBecu5R8DzTjocTvKJWJeVK5KXUzwwxwXcZEyMrjnEy7dczVpu7iQJf03Rpu4JK
zF2ZprA3/T6WK2DKfxVpDikl6BoxpjnvS7ihDSQ5gom/4JC+qPh66yE0rsSzOtEo
lrp/XKooiOeplbb4OtCNP2hkvfmkwQo=
-----END CERTIFICATE-----
subject=C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
issuer=C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1587 bytes and written 363 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
DONE
```
However if you see something similar to the following:
```
$ openssl s_client -connect 192.168.10.12:1234 < /dev/null
140683817334080:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140683817334080:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
```
there has been an error, in which case you should verify your steps from
the start of this document and if necessary start over.
Add the key files to client systems
Connect to the syslog-sending system and issue:
```
mkdir -p /etc/syslog-ng/ssl
```
Download/upload the key and certificate files (by default in
`/etc/logzilla/syslog-ng/tls.key` and `/etc/logzilla/syslog-ng/tls.crt`)
that were created earlier on the **LogZilla Server** to the
**Client** system and put the files in the `/etc/syslog-ng/ssl`
directory on the Client. This can be accomplished using `scp` or
similar.
Configure syslog-ng on the client
Replace `LZ_SERVER` below with the DNS Name or IP Address of your
LogZilla Server. You may also need to replace `s_src` with your locally
configured source name which is defined in the main
`/etc/syslog-ng/syslog-ng.conf` file on your sending server.
Create a new file named `/etc/syslog-ng/conf.d/tls_to_LogZilla.conf`
and add the following to it:
```
destination d_tls {
syslog-ng(
server("LZ_SERVER")
port(6514)
transport(tls)
tls(ca-file("/etc/syslog-ng/ssl/tls.crt"))
);
};
log {
source(s_src);
destination(d_tls);
};
```
Restart syslog-ng on the Client system by typing:
```
service syslog-ng restart`
```
Check your LogZilla server to verify that events are now being received from this Client.
If you encounter any issues, refer to the Debugging Event Reception section of this guide.
Advanced server configuration
If you need more than just a single source port with TLS transport, TLS can be
added to any syslog source by directly editing the
`/etc/logzilla/syslog-ng/config.yaml` file. Find the `sources` array element and
for any source you can add `transport: tls` and then `tls_key_file` and
`tls_cert_file` options. For example, to enable TLS transport for JSON input,
add this:
```
- name: json-tls
enabled: True
type: network
transport: tls
port: 6515
tls_cert_file: "/etc/logzilla/syslog-ng/tls.crt"
tls_key_file: "/etc/logzilla/syslog-ng/key.crt"
flags:
- no-parse
program_override: _JSON
```
After any change to this configuration file, the LogZilla *syslog* module must
be restarted by:
```
logzilla restart -c syslog
```
.svg)
