Using TLS Tunnels
LogZilla documentation for Using TLS Tunnels
TLS (Transport Layer Security) provides encrypted communication channels for syslog data transmission. LogZilla supports TLS encryption for secure log transport across untrusted networks, ensuring data confidentiality and integrity during transmission.
TLS Overview
TLS encryption protects syslog data by:
- Encrypting data in transit between clients and LogZilla server
- Authenticating endpoints using digital certificates
- Ensuring data integrity through cryptographic verification
- Preventing eavesdropping on sensitive log information
Server Configuration
Certificate Generation
Generate TLS certificates for the LogZilla server. The Common Name must match the server's hostname or IP address that clients will use to connect.
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt
```
Provide accurate certificate information when prompted:
```text
Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: California
Locality Name (eg, city) []: San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company Name
Organizational Unit Name (eg, section) []: IT Department
Common Name (e.g. server FQDN or name) []: logzilla.company.com
Email Address []: [email protected]
```
Important: The Common Name field must exactly match the hostname or IP address that clients use to connect to the LogZilla server.
Certificate Installation
Copy the generated certificates to the LogZilla syslog-ng directory:
```bash
cp tls.key tls.crt /etc/logzilla/syslog-ng
```
Set appropriate file permissions for security:
```bash
chmod 600 /etc/logzilla/syslog-ng/tls.key
chmod 644 /etc/logzilla/syslog-ng/tls.crt
```
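As an added example (not LogZilla's own tooling), the following POSIX shell script makes the certificate step above non-interactive and checks the two things that most often go wrong: the Common Name matching the name clients will actually use, and the private key being readable only by its owner. It assumes the `openssl` CLI and a `find` that supports `-maxdepth`; the hostname `logzilla.example.com` and the directories are placeholders.

```shell
#!/bin/sh
# Added example, not part of the LogZilla documentation. Assumes the openssl
# CLI and find -maxdepth (GNU and BSD). Hostname and directories are
# placeholders.

# Generate the self-signed server certificate non-interactively, with the CN
# fixed to the name clients connect to, so the interactive prompt cannot
# produce a mismatch.
make_server_cert() {
    # $1 = hostname or IP clients will use, $2 = output directory
    cn="$1"; dir="$2"
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -subj "/C=US/ST=California/L=San Francisco/O=Company Name/OU=IT Department/CN=$cn" \
        -keyout "$dir/tls.key" -out "$dir/tls.crt" 2>/dev/null
}

# Print the CN of a certificate file. Handles both the old "/CN=x" and the
# newer "CN = x" subject formats that openssl x509 -subject prints.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Return 0 when the certificate's CN equals the name clients will use.
check_cn_matches() {
    # $1 = certificate file, $2 = expected name
    [ "$(cert_cn "$1")" = "$2" ]
}

# Return 0 when the private key is mode 0600 and the certificate is 0644,
# matching the permissions the LogZilla docs require.
check_key_perms() {
    # $1 = key file, $2 = certificate file
    [ -n "$(find "$1" -maxdepth 0 -perm 600)" ] &&
    [ -n "$(find "$2" -maxdepth 0 -perm 644)" ]
}

# Copy key and certificate into the syslog-ng directory, set permissions,
# and confirm they took effect.
install_certs() {
    # $1 = directory holding tls.key/tls.crt, $2 = target directory
    #      (LogZilla's is /etc/logzilla/syslog-ng)
    cp "$1/tls.key" "$1/tls.crt" "$2/" &&
    chmod 600 "$2/tls.key" && chmod 644 "$2/tls.crt" &&
    check_key_perms "$2/tls.key" "$2/tls.crt"
}

# Usage (placeholders):
#   make_server_cert logzilla.example.com /tmp/certs
#   check_cn_matches /tmp/certs/tls.crt logzilla.example.com && echo "CN ok"
#   install_certs /tmp/certs /etc/logzilla/syslog-ng && echo "installed"
```

Many current TLS validators match the server name against the subjectAltName extension rather than the CN; if a client rejects a certificate whose CN is correct, regenerate it with `-addext "subjectAltName=DNS:<name>"` (OpenSSL 1.1.1 or later) in addition to the CN.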
Certificate File Locations
| Purpose | Path | Permissions |
|---|---|---|
| Private Key | /etc/logzilla/syslog-ng/tls.key | 600 |
| Certificate | /etc/logzilla/syslog-ng/tls.crt | 644 |
Configuring syslog-ng
By default, LogZilla uses port 6514 for incoming TLS connections. The port can be changed (for example, to 12345) with the following command:
```bash
logzilla config SYSLOG_TLS_PORT 12345
```
Enable TLS support:
```bash
logzilla config SYSLOG_TLS_ENABLED 1
```
The LogZilla syslog server will restart automatically. To check if TLS support is working, use the `openssl` command as shown below. Replace `11.22.33.44:12345` with the LogZilla server address and TLS port.
```bash
openssl s_client -connect 11.22.33.44:12345 < /dev/null
```
If the output shows identification information (`C`, `ST`, `L`, `O`, etc.), certificate details from the `tls.crt` file, and the TLS cipher and key specifications in use, then TLS support is operational.
If an error occurs, verify the steps from the start of this document and restart if necessary:
```bash
openssl s_client -connect 192.168.10.12:1234 < /dev/null
```
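The check above succeeds as soon as anything on the port completes a TLS handshake. The script below, added here as an example rather than taken from the LogZilla docs, runs the same `openssl s_client` probe but with `tls.crt` as the trust anchor and hostname verification enabled, then evaluates the output for the indicators listed above plus a successful verification result, which is what a client that pins `tls.crt` will need. The embedded s_client output is a constructed sample; host, port and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the LogZilla documentation. Assumes the openssl
# CLI (1.1.0 or later for -verify_hostname). Host, port, and paths are
# placeholders.

# Probe a LogZilla TLS port the way a client that trusts tls.crt would:
# the server certificate is the only trust anchor and the name must match.
tls_probe() {
    # $1 = host:port, $2 = path to a copy of tls.crt, $3 = expected hostname
    openssl s_client -connect "$1" -CAfile "$2" -verify_hostname "$3" \
        -servername "$3" < /dev/null 2>&1
}

# Evaluate s_client output read from stdin. Succeeds only when the subject
# identification fields, the PEM certificate, the negotiated cipher, and a
# successful verification result are all present.
tls_output_ok() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^subject=.*C *= *'              &&
    printf '%s\n' "$out" | grep -q -- '-----BEGIN CERTIFICATE-----'  &&
    printf '%s\n' "$out" | grep -qE '^ *Cipher *(is|:) *[A-Z0-9_-]+' &&
    printf '%s\n' "$out" | grep -q '^ *Verify return code: 0 (ok)'
}

# Combined check: returns 0 when the endpoint is operational for a client
# that verifies the server against tls.crt.
check_tls_endpoint() {
    # $1 = host:port, $2 = path to tls.crt, $3 = expected hostname
    tls_probe "$1" "$2" "$3" | tls_output_ok
}

# Constructed sample of s_client output for a working server (not captured
# from a real system; the certificate body is a placeholder).
SAMPLE_OK='CONNECTED(00000003)
depth=0 C = US, ST = California, L = San Francisco, O = Company Name, OU = IT Department, CN = logzilla.company.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = Company Name, OU = IT Department, CN = logzilla.company.com
   i:C = US, ST = California, L = San Francisco, O = Company Name, OU = IT Department, CN = logzilla.company.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDconstructedSamplePlaceholderNotARealCertificate==
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = Company Name, OU = IT Department, CN = logzilla.company.com
issuer=C = US, ST = California, L = San Francisco, O = Company Name, OU = IT Department, CN = logzilla.company.com
---
SSL handshake has read 1400 bytes and written 400 bytes
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Verify return code: 0 (ok)
---
DONE'

# Usage against a live server (placeholders):
#   check_tls_endpoint 11.22.33.44:6514 /path/to/tls.crt logzilla.company.com && echo "TLS ok"
# Dry run on the constructed sample:
#   printf '%s\n' "$SAMPLE_OK" | tls_output_ok && echo "sample ok"
```

Without `-CAfile` a self-signed `tls.crt` yields a non-zero verify return code even though the handshake completes, so the plain probe can report success for a server that every verifying client will reject; the evaluation above treats that case as a failure.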
Adding Key Files to Client Systems
On the syslog-sending system, create a new directory:
```bash
mkdir -p /etc/syslog-ng/ssl
```
Transfer the key and certificate files created earlier on the LogZilla server to the client system, placing them in the `/etc/syslog-ng/ssl` directory. You can use `scp` or a similar method.
Configuring syslog-ng on the Client
There are two scenarios:
- A local LogZilla instance forwards events to another LogZilla instance.
- A standalone syslog-ng on the client server forwards events to a LogZilla instance.
Forwarding Events from One LogZilla Instance to Another
Replace `LZ_SERVER` below with the DNS name or IP address of the LogZilla server. Change the port number accordingly if a different port number was configured at the receiving site. In the `log{}` section, update the `source` according to the sources configured in the `/etc/syslog-ng/syslog-ng.conf` file.
Create a new file named `/etc/syslog-ng/conf.d/tls_to_LogZilla.conf` and put the following content into it:
```conf
destination d_tls {
    syslog-ng(
        server("LZ_SERVER")
        port(6514)
        transport(tls)
        tls(ca-file("/etc/syslog-ng/ssl/tls.crt"))
    );
};
log {
    source(s_src);
    destination(d_tls);
};
```
Restart syslog-ng on the Client system:
```bash
service syslog-ng restart
```
Checking configuration
Check the LogZilla server to verify that events are now being received from this Client.
If issues occur, refer to the Syslog Troubleshooting section.
Advanced server configuration
For more than a single source port with TLS transport, TLS can be added to any syslog source by directly editing the `/etc/logzilla/syslog-ng/config.yaml` file. Find the `sources` array element and, for any source, add `transport: tls` and then the `tls_key_file` and `tls_cert_file` options. For example, to enable TLS transport for JSON input, add this:
```yaml
- name: json-tls
  enabled: True
  type: network
  transport: tls
  port: 6515
  tls_cert_file: "/etc/logzilla/syslog-ng/tls.crt"
  tls_key_file: "/etc/logzilla/syslog-ng/tls.key"
  flags:
    - no-parse
  program_override: _JSON
```
After any change to this configuration file, the LogZilla syslog module must be restarted:
```bash
logzilla restart -c syslog
```