How to send TLS encrypted logs using syslog-ng

There's a ton of information in your log files that can be used to compromise or secure your network...

Tom Damon, DevOps Manager



Friday, October 17, 2014

Configuring TLS Tunnels

If your server is receiving messages from clients across a public network, it’s vulnerable to snooping attempts by hackers. There’s a ton of information in your log files that can be used to compromise your network.

Fortunately, there’s an easy solution: Transport Layer Security. TLS uses X.509 certificates to provide a configurable level of security.

In this example, I’m using 2048-bit keys, which are the current minimum for medium-high security. The best part is that configuring TLS tunnels is not a time-consuming process.

I’ll assume that your server already has openssh installed, since you need that for remote connectivity. First, we need to create the keys on the server.

Note: In this example, we’ve used port 1999; you can use any port you’d like.

LogZilla Server Configuration

LogZilla Server SSL Key Creation

You’ll be prompted for a passphrase during this process, but it will only be used to create the keys. Once the keys are created, the passphrase will be removed. You’ll also be asked questions about the server name, location, and contact information.

The server name must match the entry in your /etc/hostname file.

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout logserver.key -out logserver.crt

You’ll be prompted for the following info.

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com

Once your keys are created, copy them to the lz_syslog container.

docker exec -ti lz_syslog mkdir /etc/logzilla/syslog-ng/ssl
docker cp logserver.key lz_syslog:/etc/logzilla/syslog-ng/ssl
docker cp logserver.crt lz_syslog:/etc/logzilla/syslog-ng/ssl

Configure syslog-ng

Create a file named tls.conf in the directory you use to store LogZilla rules and config files on the host. NOTE: If you already have custom syslog-ng configurations, such as our ISE or Firepower packages, you will need to combine those with the following.

source s_tls {
  tcp(
    port(1999)
    tls(
      key_file("/etc/logzilla/syslog-ng/ssl/logserver.key")
      cert_file("/etc/logzilla/syslog-ng/ssl/logserver.crt")
      peer_verify(optional-untrusted)
    )
    flags(no-multi-line)
  );
};

log {
    source(s_logzilla);
    source(s_tls);
    destination(d_logzilla_network);
    # Uncomment line below for debug/testing of incoming events
    #destination(df_debug);
    #destination(d_unix_stream);
    flags(flow-control,final);
};

Then copy the file to the container.

docker cp tls.conf lz_syslog:/etc/logzilla/syslog-ng/

And load the new configuration:

docker restart lz_syslog

Add the key files to client systems

Connect to the Client and run mkdir -p /etc/syslog-ng/ssl. Then copy the logserver.crt created earlier on the LogZilla Server to the Client system, placing it at /etc/syslog-ng/ssl/logserver.crt.

Find the hash for your key by running:

openssl x509 -noout -hash -in /etc/syslog-ng/ssl/logserver.crt

The result (for example 84d92a45) is an eight-character hexadecimal hash derived from the certificate's subject Distinguished Name.

Next, create a symbolic link to the certificate that uses the hash returned by the previous command, with an added .0 suffix.

ln -s /etc/syslog-ng/ssl/logserver.crt /etc/syslog-ng/ssl/84d92a45.0
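The hash-and-symlink steps above are the part of the client setup most often got wrong (a stale link from an older certificate, or a link name that does not match the certificate it points to), so here is an added helper, not from the original post, that performs them and then verifies the result the same way syslog-ng's ca_dir() lookup will. It assumes openssl is installed and takes the ca_dir as an argument so it can be exercised outside /etc/syslog-ng/ssl.

```shell
#!/bin/sh
# Added example, not from the original post. Installs the LogZilla server
# certificate into a syslog-ng ca_dir and checks that the directory lookup
# actually works before syslog-ng is restarted. Assumes openssl is installed.

# install_ca_cert CERT_FILE [CA_DIR]
# Copies CERT_FILE to CA_DIR/logserver.crt (CA_DIR defaults to
# /etc/syslog-ng/ssl), creates the <hash>.0 symlink that ca_dir() needs,
# and confirms the link resolves. Prints the hash; returns 1 on any failure.
install_ca_cert() {
    cert="$1"
    ca_dir="${2:-/etc/syslog-ng/ssl}"

    # Refuse anything that is not a parseable X.509 certificate
    # (a common slip is copying the .key instead of the .crt).
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 || {
        echo "not a valid certificate: $cert" >&2; return 1; }

    mkdir -p "$ca_dir"
    cp "$cert" "$ca_dir/logserver.crt"

    # Same hash the post has you look up by hand.
    hash=$(openssl x509 -noout -hash -in "$ca_dir/logserver.crt")

    # -f replaces a stale link left over from a previous certificate.
    ln -sf "$ca_dir/logserver.crt" "$ca_dir/$hash.0"

    # The check that matters: OpenSSL must find the certificate through the
    # hashed-directory lookup, exactly as syslog-ng's ca_dir() will.
    openssl verify -CApath "$ca_dir" "$ca_dir/logserver.crt" >/dev/null 2>&1 || {
        echo "ca_dir lookup failed for $hash.0" >&2; return 1; }

    echo "$hash"
}

# cert_common_name CERT_FILE
# Prints the certificate's Common Name so it can be compared with the
# server's /etc/hostname, as the post requires.
cert_common_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Usage on a client: install_ca_cert /tmp/logserver.crt
```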

Configure syslog-ng on the client

Replace LZ_SERVER below with the DNS Name or IP Address of your LogZilla Server. You may also need to replace s_src with your locally configured source name which is defined in the main /etc/syslog-ng/syslog-ng.conf file on your sending server.

Create a new file named /etc/syslog-ng/conf.d/tls_to_LogZilla.conf and add the following:

destination d_tls {
  tcp("LZ_SERVER"
    port(1999)
    tls(
      ca_dir("/etc/syslog-ng/ssl/")
    )
  );
};

log {
  source(s_src);
  destination(d_tls);
};

Restart syslog-ng on the Client system:

service syslog-ng restart

Check your LogZilla server to verify that events are now being received by this Client.




Tags: NetOps , TLS , Security , Syslog , syslog-ng