Tom Damon, DevOps Manager
If your log server receives messages over a public network, syslog sent the usual way (plain UDP or TCP) travels in cleartext and can be read by anyone able to capture traffic on the path. Log files carry a great deal of information (hostnames, usernames, IP addresses, failed logins, configuration details) that can be used to map and compromise your network.
Fortunately, there is an easy solution: Transport Layer Security. TLS encrypts the connection and uses X.509 certificates so that the client can check it is talking to the real log server (and, if you want, so that the server can check who is sending).
In this example I'm using 2048-bit RSA keys, the generally accepted minimum for new deployments today. The best part is that configuring TLS transport is not a time-consuming process.
I'll assume that your server already has OpenSSL installed: the certificate is generated with the openssl command-line tool, which is present on practically every Linux distribution. First, we need to create the key and certificate on the server.
Note: In this example we use port 1999; you can use any port you like (6514 is the IANA-registered port for syslog over TLS). Whatever you pick, it must be reachable from the clients through the host firewall and the lz_syslog container's port mapping.
Because the command below uses -nodes, the private key is written unencrypted and you will not be prompted for a passphrase. That is deliberate: syslog-ng has to read the key at startup without anyone typing a passphrase, so file permissions (readable only by root) are what protect it. You will be asked questions about the server name, location, and contact information.
The Common Name must match what clients will use to reach the server in their destination configuration: the DNS name (normally the one in your /etc/hostname file) or the IP address. Otherwise clients that check the server's name against the certificate will refuse the connection.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout logserver.key -out logserver.crt
You’ll be prompted for the following info.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com
Once the key and certificate are created, copy them into the lz_syslog container. The private key should stay readable only by root; the certificate is public.
docker exec -ti lz_syslog mkdir /etc/logzilla/syslog-ng/ssl
docker cp logserver.key lz_syslog:/etc/logzilla/syslog-ng/ssl
docker cp logserver.crt lz_syslog:/etc/logzilla/syslog-ng/ssl
Create a file named tls.conf in the directory you use to store LogZilla rules and config files on the host. NOTE: If you already have custom syslog-ng configurations, such as our ISE or Firepower packages, you will need to merge the following with them rather than adding a second, conflicting log path.
source s_tls {
    tcp(port(1999)
        tls( key_file("/etc/logzilla/syslog-ng/ssl/logserver.key")
             cert_file("/etc/logzilla/syslog-ng/ssl/logserver.crt")
             # optional-untrusted: clients are not asked for a certificate, so the
             # link is encrypted but any host that can reach port 1999 may send logs.
             # To authenticate clients too, issue them certificates, point ca_dir()
             # at the CA that signed them and use peer_verify(required-trusted).
             peer_verify(optional-untrusted))
        flags(no-multi-line)
    );
};
log {
    source(s_logzilla);
    source(s_tls);
    destination(d_logzilla_network);
    # Uncomment line below for debug/testing of incoming events
    #destination(df_debug);
    #destination(d_unix_stream);
    flags(flow-control,final);
};
Then copy the file to the container.
docker cp tls.conf lz_syslog:/etc/logzilla/syslog-ng/
And load the new configuration:
docker restart lz_syslog
Connect to the Client and run mkdir -p /etc/syslog-ng/ssl. Copy the certificate file logserver.crt that you created earlier on the LogZilla server to the Client and put it in /etc/syslog-ng/ssl. Copy only the certificate: the private key (logserver.key) stays on the server and is never needed by clients.
Find the subject hash of the certificate by running:
openssl x509 -noout -hash -in /etc/syslog-ng/ssl/logserver.crt
The result (for example 84d92a45) is an eight-character hex value derived from the certificate's subject Distinguished Name. OpenSSL's directory lookup, which is what syslog-ng's ca_dir() relies on, finds trust anchors by this hash, so compute it with an OpenSSL of the same generation as the one syslog-ng links against (OpenSSL 0.9.8 used a different algorithm, still available as -subject_hash_old). The c_rehash utility that ships with OpenSSL creates the same links automatically for every certificate in a directory.
Next, create a symbolic link to the certificate named after the hash returned by the previous command, with a .0 suffix.
ln -s /etc/syslog-ng/ssl/logserver.crt /etc/syslog-ng/ssl/84d92a45.0
Replace LZ_SERVER below with the DNS name or IP address of your LogZilla server (it must match the Common Name you put in the certificate). You may also need to replace s_src with your locally configured source name, which is defined in the main /etc/syslog-ng/syslog-ng.conf file on your sending server.
Create a new file named /etc/syslog-ng/conf.d/tls_to_LogZilla.conf and add the following:
destination d_tls {
    # peer_verify() defaults to required-trusted for destinations, so syslog-ng
    # only connects if the server's certificate chains to something in ca_dir()
    # (here: the self-signed logserver.crt, found via its <hash>.0 symlink).
    tcp("LZ_SERVER" port(1999)
        tls( ca_dir("/etc/syslog-ng/ssl/")) );
};
log {
    source(s_src);
    destination(d_tls);
};
Restart syslog-ng on the Client system by typing service syslog-ng restart.
Check your LogZilla server to verify that events are now being received from this Client. If nothing arrives, the messages syslog-ng writes to the client's local log will say whether the connection or the certificate verification failed.
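The server and client steps above, collapsed into one script, as an added example; this is not from the original post and is not LogZilla's own tooling. It assumes a server DNS name of logzilla.example.com and an IP of 203.0.113.10 (both placeholders) and works in a scratch directory instead of /etc/syslog-ng/ssl. Beyond what the article shows, it puts the name and IP into a subjectAltName (what current TLS verifiers match; the CN alone is a deprecated fallback), restricts the key's permissions, and verifies the certificate against the finished ca_dir before syslog-ng is ever restarted.

```shell
#!/bin/sh
# Added example, not part of the original post or of LogZilla's tooling.
# It walks the server and client steps described above in one place:
#  1. generate the server key + self-signed certificate, with a subjectAltName
#     covering the DNS name AND the IP address clients may put in LZ_SERVER;
#  2. lock down the private key, which -nodes writes unencrypted;
#  3. build the client-side ca_dir the way syslog-ng's tls(ca_dir()) expects:
#     the certificate plus a symlink named <subject-hash>.0;
#  4. prove the ca_dir works by verifying the certificate against it.
# logzilla.example.com and 203.0.113.10 are placeholders (assumptions).
set -eu

SERVER_NAME="${SERVER_NAME:-logzilla.example.com}"   # assumed DNS name of the LogZilla server
SERVER_IP="${SERVER_IP:-203.0.113.10}"               # assumed IP (RFC 5737 documentation range)
WORK="${WORK:-$(mktemp -d)}"                         # scratch dir standing in for /etc/syslog-ng/ssl

# Steps 1+2: server key and self-signed certificate. Same as the interactive
# "openssl req -x509 -nodes ..." in the article, but non-interactive and with a SAN.
make_server_cert() {
    dir="$1"; name="$2"; ip="$3"
    cat >"$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[ dn ]
CN = $name

[ v3_server ]
subjectAltName = DNS:$name, IP:$ip
EOF
    openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 \
        -config "$dir/server.cnf" \
        -keyout "$dir/logserver.key" -out "$dir/logserver.crt" 2>/dev/null
    chmod 600 "$dir/logserver.key"   # -nodes => no passphrase; permissions are the only protection
    chmod 644 "$dir/logserver.crt"   # the certificate is public and goes to every client
}

# Step 3: client ca_dir. Only the certificate is copied, never the key. The
# <hash>.0 symlink is what OpenSSL's directory lookup (and so syslog-ng's
# ca_dir()) uses to find the trust anchor; "openssl x509 -hash" gives the same value.
install_client_ca_dir() {
    crt="$1"; cadir="$2"
    mkdir -p "$cadir"
    cp "$crt" "$cadir/logserver.crt"
    subj_hash=$(openssl x509 -noout -subject_hash -in "$cadir/logserver.crt")
    ln -sf logserver.crt "$cadir/$subj_hash.0"
    printf '%s\n' "$subj_hash"
}

# Step 4: the check to run before touching syslog-ng. Succeeds only if the
# certificate chains to something in the ca_dir (here: itself, via the symlink).
verify_against_ca_dir() {
    openssl verify -CApath "$2" "$1" >/dev/null 2>&1
}

# Does the certificate actually name the host clients will connect to?
cert_names_host() {
    openssl x509 -noout -text -in "$1" | grep -q -- "$2"
}

# Stand-alone run: build everything in $WORK and report.
if [ "${1:-}" = "run" ]; then
    make_server_cert "$WORK" "$SERVER_NAME" "$SERVER_IP"
    h=$(install_client_ca_dir "$WORK/logserver.crt" "$WORK/cadir")
    echo "subject hash: $h  (symlink $WORK/cadir/$h.0)"
    verify_against_ca_dir "$WORK/logserver.crt" "$WORK/cadir" && echo "ca_dir verification: OK"
    cert_names_host "$WORK/logserver.crt" "DNS:$SERVER_NAME" && echo "SAN covers $SERVER_NAME"
fi
```

Run it as sh tls_ca_dir.sh run and then copy logserver.key and logserver.crt to the server container and the cadir contents to each client. On a real client, openssl s_client -connect LZ_SERVER:1999 -CApath /etc/syslog-ng/ssl </dev/null performs the same verification against the live listener and prints Verify return code: 0 (ok) when the certificate and hash link are right; syslog-ng -s checks the configuration syntax before you restart.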