LogZilla Server SSL Key Creation

You will be prompted for a passphrase during this process, but it will only be used to create the keys. Once the keys are created, the passphrase will be removed. You will also be asked questions about the server's name, location, and contact information.

The server name **must** match the entry in your `/etc/hostname` file. First, to generate a new key, issue the following command:

```
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt
```

You will be prompted for the following identification information:

```
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com
```

Once your keys are created, copy them to the `syslog-ng` directory:

```
cp tls.key tls.crt /etc/logzilla/syslog-ng
```

Note that the proper paths for the key and certificate files are:

| Purpose     | Path                              |
| ----------- | --------------------------------- |
| Key         | `/etc/logzilla/syslog-ng/tls.key` |
| Certificate | `/etc/logzilla/syslog-ng/tls.crt` |
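As an added example (not LogZilla's own tooling), the script below performs the same key generation non-interactively, checks that the private key and certificate belong together and that the certificate's CN is the name you pass in (the page requires it to be the `/etc/hostname` entry), and installs the pair with owner-only permissions on the key. The organisation fields in `-subj`, the `logzilla.example.test` name in the usage note and the helper names are constructed for this example.

```sh
#!/bin/sh
# Added example, not LogZilla's code: non-interactive server key/cert creation
# with verification. Paths default to the directory the page uses.
set -eu

# Generate tls.key / tls.crt in $1 for common name $2 with the same parameters
# the page uses (RSA-2048, unencrypted key, 365 days). -subj supplies the
# identification fields so no prompts appear; the O/L/ST values are placeholders.
gen_server_cert() {
    outdir=$1
    cn=$2
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$outdir/tls.key" -out "$outdir/tls.crt" \
        -subj "/C=US/ST=New York/L=New York City/O=Example Org/CN=$cn" \
        2>/dev/null
    chmod 0600 "$outdir/tls.key"   # private key: readable by its owner only
    chmod 0644 "$outdir/tls.crt"   # certificate is public
}

# Return 0 when the private key ($1) and certificate ($2) carry the same RSA
# public key (compared via the SHA-256 of the modulus), 1 otherwise.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the CN of certificate $1 (RFC 2253 form puts CN first, no spaces).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Generate in a private work directory, verify, then install into $2
# (default: the LogZilla syslog-ng directory) keeping the file modes.
prepare_server_tls() {
    cn=$1
    dest=${2:-/etc/logzilla/syslog-ng}
    work=$(mktemp -d)
    gen_server_cert "$work" "$cn"
    key_matches_cert "$work/tls.key" "$work/tls.crt" || {
        echo "key and certificate do not match" >&2; return 1; }
    [ "$(cert_cn "$work/tls.crt")" = "$cn" ] || {
        echo "certificate CN is not $cn" >&2; return 1; }
    mkdir -p "$dest"
    cp -p "$work/tls.key" "$work/tls.crt" "$dest/"
    rm -rf "$work"
    echo "installed $dest/tls.key and $dest/tls.crt for CN=$cn"
}

# Stand-alone use: prepare_server_tls <common-name> [destination-dir]
if [ $# -ge 1 ]; then
    prepare_server_tls "$@"
fi
```

Run it as root with `sh make_server_tls.sh "$(cat /etc/hostname)"`; the CN check makes the "must match `/etc/hostname`" requirement a hard failure instead of something discovered later on the client.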

Configure syslog-ng

The port that LogZilla uses for incoming TLS connections by default is `6514`. This can be configured as follows (in this example, to `12345`):

```
logzilla config SYSLOG_TLS_PORT 12345
```

Next, TLS support should be enabled:

```
logzilla config SYSLOG_TLS_ENABLED 1
```

This will cause the LogZilla *syslog* server to be restarted automatically. You can check whether TLS support is operational using the `openssl` command, as illustrated below. Replace the `11.22.33.44:12345` with your LogZilla server address and TLS port. In the below example, first you see the identification information as you provided it above (`C`, `ST`, `L`, `O`, etc.). Next it should show the same certificate information as your certificate file (`tls.crt`). Last, it should show information about the TLS cipher and key specifications in use:

```
$ openssl s_client -connect 11.22.33.44:12345 < /dev/null
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
verify return:1
---
Certificate chain
 0 s:C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
   i:C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEAzCCAuugAwIBAgIUFs9AP+DgpVNy6Dny+ngi9CZyeiUwDQYJKoZIhvcNAQEL
BQAwgZAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMRAwDgYDVQQH
DAdNeSBDaXR5MSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxEzAR
BgNVBAMMCnRlc3RzZXJ2ZXIxIjAgBgkqhkiG9w0BCQEWE3Jvb3RAdGVzdHNlcnZl
ci5vcmcwHhcNMjIwNTI2MDkyMzE4WhcNMjMwNTI2MDkyMzE4WjCBkDELMAkGA1UE
BhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxEDAOBgNVBAcMB015IENpdHkxITAf
BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDETMBEGA1UEAwwKdGVzdHNl
cnZlcjEiMCAGCSqGSIb3DQEJARYTcm9vdEB0ZXN0c2VydmVyLm9yZzCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBANPj5C/vYsHEapKl8lEgYKNqvRUDI6gt
HSMzAfcRkWo6dh3hE93rD0cZG3AUYQpUbx1Lh94hfHaVvMmb1UPY5nSrkpQqQ7fF
sbFjF+IRjtyO+zgm7QAu0uI696aSme8vrY2hTFhzNYnYNIuD359xd0U5demytBdR
Fq/vIVTtHXJic6I0g8agge/dbtTL4KmJ4sjLedkYAQMEQ6yaSg+0cgfXYPNy6+K6
XKPxtIaNrd3PZy84VcA4P4ANUluFUTpZORcGFEYP4RWzor5X+Sc7rGbYmEtku30+
7YctsIt8aUrzz2DiXAuiPxJ6iOVqxWS59Pkh5E4Lg97WzEWNI0iiDp0CAwEAAaNT
MFEwHQYDVR0OBBYEFCuik5Z630HA9+g+vUEoy1HRd2SfMB8GA1UdIwQYMBaAFCui
k5Z630HA9+g+vUEoy1HRd2SfMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEL
BQADggEBALqiTR5XaGZJJqiN+im+q4LxWAVlAmIvPGrgjuAm8wOkkaQnXvDQq4e3
tYQpK4y/JgaXNH1Z8D2kmA7yOH6WRpnqL+emUd5FPFjNF5Znx2JFpSrFmiHg2IYp
Jq+zaBGGQKWblx5Zr3CI3lfMoawVcFl9n5CQbOPM4HFyhkLKVwO42g+UufuUvBFC
5oBecu5R8DzTjocTvKJWJeVK5KXUzwwxwXcZEyMrjnEy7dczVpu7iQJf03Rpu4JK
zF2ZprA3/T6WK2DKfxVpDikl6BoxpjnvS7ihDSQ5gom/4JC+qPh66yE0rsSzOtEo
lrp/XKooiOeplbb4OtCNP2hkvfmkwQo=
-----END CERTIFICATE-----
subject=C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
issuer=C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1587 bytes and written 363 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
DONE
```

However, if you see something similar to the following:

```
$ openssl s_client -connect 192.168.10.12:1234 < /dev/null
140683817334080:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140683817334080:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
```

there has been an error, in which case you should verify your steps from the start of this document and, if necessary, start over.
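The manual `openssl s_client` check above confirms that a handshake happened, but not that the certificate served is the one you installed in `/etc/logzilla/syslog-ng`. The script below is an added example, not part of the LogZilla documentation: it classifies the `s_client` output into the success and connection-refused cases shown above, and compares the SHA-256 fingerprint of the certificate the server presented with the local `tls.crt`. Host, port and certificate path are whatever you pass in; the function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not LogZilla's code: repeatable check of the TLS listener.
set -u

# Classify captured s_client output. Prints one word:
#   ok       handshake completed ("New, TLSv..., Cipher is ..." is present)
#   refused  TCP connection refused (nothing listening on that port)
#   error    anything else (timeout, handshake failure, wrong protocol, ...)
classify_s_client() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'Connection refused'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q '^New, TLSv.*Cipher is'; then
        echo ok            # "New, (NONE), Cipher is (NONE)" does not match
    else
        echo error
    fi
}

# Extract the PEM block of the leaf certificate the server presented.
leaf_cert_from_output() {
    printf '%s\n' "$1" |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# SHA-256 fingerprint of the PEM certificate on stdin: lowercase hex, no colons.
pem_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Connect to $1:$2, require a completed handshake, and require that the served
# certificate is the one in $3 (so you know it is LogZilla answering, not some
# other service on that port). Returns 0 only when both hold.
check_tls_listener() {
    host=$1; port=$2; expected_crt=$3
    out=$(openssl s_client -connect "$host:$port" </dev/null 2>&1) || true
    status=$(classify_s_client "$out")
    if [ "$status" != ok ]; then
        echo "handshake to $host:$port failed: $status" >&2
        return 1
    fi
    served=$(leaf_cert_from_output "$out" | pem_fingerprint)
    expected=$(pem_fingerprint <"$expected_crt")
    if [ "$served" != "$expected" ]; then
        echo "certificate mismatch: served $served, expected $expected" >&2
        return 2
    fi
    echo "OK: $host:$port serves $expected_crt ($(printf '%s\n' "$out" | grep '^New, TLSv'))"
}

# Stand-alone use: check_tls.sh <host> <port> <path-to-tls.crt>
if [ $# -eq 3 ]; then
    check_tls_listener "$1" "$2" "$3"
fi
```

For the example above you would run `sh check_tls.sh 11.22.33.44 12345 /etc/logzilla/syslog-ng/tls.crt`. The `Verify return code: 18 (self signed certificate)` line is expected with the self-signed certificate from this guide; the fingerprint comparison is what establishes that the right certificate is being served.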

Add the key files to client systems

Connect to the syslog-sending system and issue:

```
mkdir -p /etc/syslog-ng/ssl
```

Download/upload the key and certificate files (by default in `/etc/logzilla/syslog-ng/tls.key` and `/etc/logzilla/syslog-ng/tls.crt`) that were created earlier on the **LogZilla Server** to the **Client** system and put the files in the `/etc/syslog-ng/ssl` directory on the Client. This can be accomplished using `scp` or similar.

Configure syslog-ng on the client

Replace `LZ_SERVER` below with the DNS Name or IP Address of your LogZilla Server. You may also need to replace `s_src` with your locally configured source name, which is defined in the main `/etc/syslog-ng/syslog-ng.conf` file on your sending server. Create a new file named `/etc/syslog-ng/conf.d/tls_to_LogZilla.conf` and add the following to it:

```
destination d_tls {
    syslog-ng(
        server("LZ_SERVER")
        port(6514)
        transport(tls)
        tls(ca-file("/etc/syslog-ng/ssl/tls.crt"))
    );
};
log { source(s_src); destination(d_tls); };
```

Restart syslog-ng on the Client system by typing:

```
service syslog-ng restart
```

Check your LogZilla server to verify that events are now being received from this Client.

If you encounter any issues, refer to the Debugging Event Reception section of this guide.
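The client-side steps above (ssl directory, trusted certificate, destination fragment, restart) as one script. This is an added example rather than LogZilla's or syslog-ng's own code. It assumes that syslog-ng's `tls()` block accepts `peer-verify(required-trusted)`, which makes the verification against `tls.crt` explicit, and that `syslog-ng --syntax-only` is available for a pre-restart check. The server name `lz.example.test` in the usage note and the function names are constructed. Only the certificate is installed, because the destination configuration references only `tls.crt`.

```sh
#!/bin/sh
# Added example, not LogZilla's or syslog-ng's code: client-side TLS setup.
set -eu

# Write the destination/log fragment from the page. Arguments: LogZilla host,
# TLS port, local source name, path of the trusted certificate, output file.
write_client_tls_conf() {
    server=$1; port=$2; src=$3; cafile=$4; conf=$5
    cat >"$conf" <<EOF
destination d_tls {
    syslog-ng(
        server("$server")
        port($port)
        transport(tls)
        tls(
            ca-file("$cafile")
            peer-verify(required-trusted)
        )
    );
};
log { source($src); destination(d_tls); };
EOF
}

# Copy the server's tls.crt ($1) into the client's ssl directory ($2), after
# confirming it parses as an X.509 certificate; a truncated or wrong file is
# rejected before syslog-ng is pointed at it.
install_trusted_cert() {
    src_crt=$1; ssl_dir=$2
    mkdir -p "$ssl_dir"
    openssl x509 -noout -in "$src_crt" 2>/dev/null || {
        echo "$src_crt is not a PEM certificate" >&2; return 1; }
    cp "$src_crt" "$ssl_dir/tls.crt"
    chmod 0644 "$ssl_dir/tls.crt"
}

# Syntax-check the whole configuration when syslog-ng is installed, so a typo
# in the new fragment is caught before the restart takes logging down.
syntax_check() {
    if command -v syslog-ng >/dev/null 2>&1; then
        syslog-ng --syntax-only
    else
        echo "syslog-ng not installed here; skipping syntax check" >&2
    fi
}

# End to end: arguments are LogZilla host, TLS port, local source name and the
# path of the tls.crt fetched from the server (e.g. with scp).
configure_client() {
    server=$1; port=$2; src=$3; fetched_crt=$4
    install_trusted_cert "$fetched_crt" /etc/syslog-ng/ssl
    write_client_tls_conf "$server" "$port" "$src" \
        /etc/syslog-ng/ssl/tls.crt /etc/syslog-ng/conf.d/tls_to_LogZilla.conf
    syntax_check
    service syslog-ng restart
}
```

On the client, after fetching the certificate, run `configure_client lz.example.test 6514 s_src /root/tls.crt` as root. If the syntax check fails, the old configuration keeps running because the restart is never reached.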

Advanced server configuration

If you need more than just a single source port with TLS transport, TLS can be added to any syslog source by directly editing the `/etc/logzilla/syslog-ng/config.yaml` file. Find the `sources` array element and, for any source, add `transport: tls` and then the `tls_key_file` and `tls_cert_file` options. For example, to enable TLS transport for JSON input, add this:

```
- name: json-tls
  enabled: True
  type: network
  transport: tls
  port: 6515
  tls_cert_file: "/etc/logzilla/syslog-ng/tls.crt"
  tls_key_file: "/etc/logzilla/syslog-ng/tls.key"
  flags:
    - no-parse
  program_override: _JSON
```

After any change to this configuration file, the LogZilla *syslog* module must be restarted by:

```
logzilla restart -c syslog
```

Posted April 5, 2023 in LogZilla University category
