Encrypting Syslog Traffic with TLS (SSL)
Written by Rainer Gerhards (2008-06-17)
Sample Scenario
We have a quite simple scenario. There is one central syslog server,
named central.example.net. Two Linux machines, zuse.example.net and
turing.example.net, report to this server. There is also a third client,
ada.example.net, which sends its own messages to the central server and also
forwards messages received from a UDP-only capable router. We have decided to
use ada.example.net because it is in the same local network segment as the
router, and so we enjoy TLS' security benefits for forwarding the router
messages inside the corporate network. All systems (except the router) use
rsyslog as the syslog software.
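
The role of ada.example.net described above, sketched in rsyslog's legacy configuration syntax. This is an added illustration, not configuration from the original text; the certificate paths, the UDP port 514 and the TLS port 10514 are assumptions.

```conf
# rsyslog.conf on ada.example.net (added example; paths and ports are assumptions)

# Use the GnuTLS network stream driver for TCP syslog connections
$DefaultNetstreamDriver gtls

# Certificate material issued by the CA (placeholder paths)
$DefaultNetstreamDriverCAFile   /etc/rsyslog/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog/tls/ada-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog/tls/ada-key.pem

# Accept the router's plain UDP syslog; this hop stays unencrypted,
# which is why ada sits in the same local network segment as the router
$ModLoad imudp
$UDPServerRun 514

# Forward ada's own messages and the relayed router messages over TLS.
# Mode 1 requires TLS; x509/name checks the peer certificate's name,
# so only a certificate issued for central.example.net is accepted.
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer central.example.net
*.* @@central.example.net:10514
```

zuse.example.net and turing.example.net would use the same forwarding part with their own certificate and key, without the UDP input.
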
Please note that the CA does not necessarily need to be connected to the rest
of the network. Actually, it may be considered a security plus if it is not. If
the CA is reachable via the regular network, it should be sufficiently secured
(firewall rules et al). Keep in mind that if the CA's security is breached, your
overall system security is breached.
In case the CA is compromised, you need to regenerate the CA's certificate as well
as all individual machines' certificates.
Copyright
Copyright (c) 2008 Rainer Gerhards and Adiscon.
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license can be viewed at
http://www.gnu.org/copyleft/fdl.html.