Secure sending via syslog-ng

  • Syslog-ng is an open source implementation of the syslog protocol.
  • It has several additional functionalities compared to syslog, including filters, flexible configuration, TCP support, SSL/TLS, and more.
  • It usually consists of a main configuration file (usually /etc/syslog-ng/syslog-ng.conf) and a directory (usually /etc/syslog-ng/conf.d/) that holds the filters and templates for the processing rules, split across files in a structured form.
  • Syslog-ng supports (at least) the following three levels of SSL/TLS channel security:
    • Encrypted channel: The transport channel is encrypted, and no additional verification is performed.
    • Encrypted channel with peer checking: The transport channel is encrypted and the server certificate is used for authentication. Syslog-ng must have the certificate verification chain (CA + sub-CAs) in order to perform the validation.
    • Encrypted channel with peer checking and client authentication: The transport channel is encrypted, the server certificate is used for authentication, and a client certificate is used to authenticate the client. Syslog-ng must have access to the client certificate's public and private keys.
    • An SSL/TLS secure channel with a client certificate is obligatory in order to send logs to Devo over a secure channel.
  • This article describes how to manually configure syslog-ng to monitor and process log files from applications installed on the system and send them to Devo using an encrypted and authenticated channel.

For the primary Linux distributions, this configuration can be done automatically.

Configuration

Open the /etc/syslog-ng/syslog-ng.conf file and set the file destination as shown below:

destination d_ssl_devo_unix {tcp("DEVO-RELAY" port(PORT)
                                 template("<$PRI>$DATE $HOST box.unix.$PROGRAM: $MESSAGE\n")
                                 tls( 
                                     ca_dir("/etc/syslog-ng/ca.d")
                                     key_file("/etc/syslog-ng/key.d/client.key")
                                     cert_file("/etc/syslog-ng/key.d/client.crt")
                                     peer_verify(required-untrusted)
                                 ));};
  • Download the ca.crt, user.crt and user.key files from Administration → Relays → X.509 Certificates in the Devo web application.
    • Save the ca.crt file in /etc/syslog-ng/ca.d/.
    • Save user.key and user.crt in /etc/syslog-ng/key.d/ as client.key and client.crt, the names referenced by key_file() and cert_file() in the configuration.
  • Use the following command to restrict the access permissions on the certificate and its private key:

    cd /etc/syslog-ng/key.d/; chmod 600 client.crt client.key
     
    -rw------- 1 root root 1529 Oct 24 13:18 client.crt
    -rw------- 1 root root 1675 Oct 24 13:18 client.key

This is an example of the syslog-ng.conf configured to securely send internal system logs:

/etc/syslog-ng/syslog-ng.conf

source s_src {
       system();
       internal();
};
destination d_ssl_devo_unix {tcp("DEVO-RELAY" port(PORT)
                                 template("<$PRI>$DATE $HOST box.unix.$PROGRAM: $MESSAGE\n")
                                 tls( 
                                     ca_dir("/etc/syslog-ng/ca.d")
                                     key_file("/etc/syslog-ng/key.d/client.key")
                                     cert_file("/etc/syslog-ng/key.d/client.crt")
                                     peer_verify(required-untrusted)
                                 ));};
log { source(s_src); destination(d_ssl_devo_unix); };

This is an example of syslog-ng configured to securely send Apache logs. It can live in its own file under /etc/syslog-ng/conf.d/ (the directory described above) rather than in the main syslog-ng.conf:

Apache log monitoring example (for instance /etc/syslog-ng/conf.d/45-apache.conf)

# Apache access log
source s_apache_access {
    file("/var/log/apache2/access.log" follow_freq(1) flags(no-parse));
};
destination d_devo_apache_access {tcp("DEVO-RELAY" port(PORT)
                                      template("<$PRI>$DATE $HOST web.apache.access-combined.pro.webFoobar.www1: $MESSAGE\n")
                                      tls( 
                                          ca_dir("/etc/syslog-ng/ca.d")
                                          key_file("/etc/syslog-ng/key.d/client.key")
                                          cert_file("/etc/syslog-ng/key.d/client.crt")
                                          peer_verify(required-untrusted)
                                      ));};
log { source(s_apache_access); destination(d_devo_apache_access); };
  
# Apache SSL access log
source s_apache_ssl_access {
    file("/var/log/apache2/ssl_access.log" follow_freq(1) flags(no-parse));
};
destination d_devo_apache_ssl_access {tcp("DEVO-RELAY" port(PORT)
                                          template("<$PRI>$DATE $HOST web.apache.access-combined.pro.webFoobar-ssl.www1: $MESSAGE\n")
                                          tls( 
                                              ca_dir("/etc/syslog-ng/ca.d")
                                              key_file("/etc/syslog-ng/key.d/client.key")
                                              cert_file("/etc/syslog-ng/key.d/client.crt")
                                              peer_verify(required-untrusted)
                                          ));};
log { source(s_apache_ssl_access); destination(d_devo_apache_ssl_access); };
  
# Apache error log
source s_apache_error {
    file("/var/log/apache2/error.log" follow_freq(1) flags(no-parse));
};
destination d_devo_apache_error {tcp("DEVO-RELAY" port(PORT)
                                     template("<$PRI>$DATE $HOST web.apache.error.pro.webFoobar.www1: $MESSAGE\n")
                                     tls( 
                                          ca_dir("/etc/syslog-ng/ca.d")
                                          key_file("/etc/syslog-ng/key.d/client.key")
                                          cert_file("/etc/syslog-ng/key.d/client.crt")
                                          peer_verify(required-untrusted)
                                     ));};
log { source(s_apache_error); destination(d_devo_apache_error); };
  
# Apache SSL error log
source s_apache_ssl_error {
    file("/var/log/apache2/ssl_error.log" follow_freq(1) flags(no-parse));
};
destination d_devo_apache_ssl_error {tcp("DEVO-RELAY" port(PORT)
                                         template("<$PRI>$DATE $HOST web.apache.error.pro.webFoobar-ssl.www1: $MESSAGE\n")
                                         tls( 
                                             ca_dir("/etc/syslog-ng/ca.d")
                                             key_file("/etc/syslog-ng/key.d/client.key")
                                             cert_file("/etc/syslog-ng/key.d/client.crt")
                                             peer_verify(required-untrusted)
                                         ));};
log { source(s_apache_ssl_error); destination(d_devo_apache_ssl_error); };
  • The tls() option must be included in the tcp() configuration for every log you want to send over a secured channel. Note that peer_verify(required-untrusted) sends the client certificate and encrypts the channel but does not validate the relay's certificate against ca_dir(); if the relay certificate must also be validated, use peer_verify(required-trusted) with the CA certificate installed in ca_dir().
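A small pre-flight check for the tls() block above, written here as an added example and not part of the original page or of syslog-ng itself: it extracts the tls() options from a destination block, confirms the referenced files exist, checks that the private key is not group- or world-readable (the chmod 600 step above), and flags a peer_verify() value that does not validate the relay certificate. The demo() helper stages constructed empty files in a temporary tree via the root parameter so the check runs without touching /etc.

```python
import os
import re
import stat
import tempfile

SAMPLE_DESTINATION = r'''  # constructed copy of this page's tls() destination block
destination d_ssl_devo_unix {tcp("DEVO-RELAY" port(PORT)
    template("<$PRI>$DATE $HOST box.unix.$PROGRAM: $MESSAGE\n")
    tls(
        ca_dir("/etc/syslog-ng/ca.d")
        key_file("/etc/syslog-ng/key.d/client.key")
        cert_file("/etc/syslog-ng/key.d/client.crt")
        peer_verify(required-untrusted)
    ));};
'''

# Matches option(value) or option("value") for the tls() options we care about.
TLS_OPTION = re.compile(r'\b(ca_dir|key_file|cert_file|peer_verify)\(\s*"?([^")\s]+)"?\s*\)')

def parse_tls_options(conf_text):
    """Return {option: value} for the tls() options found in a destination block."""
    return dict(TLS_OPTION.findall(conf_text))

def check_tls_options(opts, root="/"):
    """Pre-flight checks on parsed tls() options; root remaps paths to a staging tree."""
    def real(path):
        return os.path.join(root, path.lstrip("/"))
    findings = []
    for name in ("ca_dir", "key_file", "cert_file"):
        if name not in opts or not os.path.exists(real(opts[name])):
            findings.append(f"{name}: {opts.get(name)} not found")
    key = opts.get("key_file")
    if key and os.path.exists(real(key)):
        mode = stat.S_IMODE(os.stat(real(key)).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # anything beyond owner-only access
            findings.append(f"key_file: {key} is mode {mode:04o}; expected 0600")
    pv = opts.get("peer_verify", "")
    if pv.endswith("untrusted"):  # required-untrusted / optional-untrusted skip validation
        findings.append(f"peer_verify({pv}): relay certificate is not validated against ca_dir")
    return findings

def demo(key_mode=0o644):
    """Stage constructed (empty) certificate files in a temp tree and run the checks."""
    root = tempfile.mkdtemp()
    for rel in ("ca.d/ca.crt", "key.d/client.crt", "key.d/client.key"):
        path = os.path.join(root, "etc/syslog-ng", rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    os.chmod(os.path.join(root, "etc/syslog-ng/key.d/client.key"), key_mode)
    return check_tls_options(parse_tls_options(SAMPLE_DESTINATION), root)
```

Run check_tls_options(parse_tls_options(open("/etc/syslog-ng/syslog-ng.conf").read())) on the live host to check the real files; if you switch to required-trusted, ca_dir() expects the CA file to be named by its subject hash (c_rehash), which this check does not verify.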

Once you have edited the syslog-ng.conf file and saved the X.509 certificates, restart syslog-ng to activate the new configuration:

Restart syslog-ng daemon

/etc/init.d/syslog-ng restart

Use the logger command to send test messages.

Sending test

$ logger "Hello from a secure log source1"
$ logger "Hello from a secure log source2"
$ logger "Hello from a secure log source3"
$ logger "Hello from a secure log source4"
$ logger "Hello from a secure log source5"

In the Devo web application, go to Data Search, locate the box.unix table and make sure that the logger messages appear in the table.

If the system has SELinux enabled in enforcing mode (run the getenforce command to check the status), it may be necessary to add exceptions to the SELinux policy. See SELinux policy for more information.
