Work with a rsyslog system file on a Web Gateway appliance to configure a syslog client that sends TLS-secured data.
- On the user interface, select Configuration | File Editor.
- On the appliances tree, select the appliance that you want to configure a syslog client on, then select rsyslog.conf.
The content of the system file appears in the configuration frame.
- Add the following lines to the file content.
$template TEST-MESSAGE, "%HOSTNAME" ClientText: %syslogtag%%msg%" $WorkDirectory /var/spool/rsyslog #Specifies where to store spool files. $ActionQueueFileName fwdRule1 #Provides a unique name prefix for spool files. $ActionQueueMaxDiskSpace 1g #Sets a space limit of 1 GB. $ActionQueueSaveOnShutdown on #Saves messages to disk upon shutdown. $ActionQueueType LinkedList #Lets the process run asynchronously. $ActionResumeRetryCount -1 #Triggers an unlimited number of retries if the server is down $DefaultNetstreamDriver gtls #Requires use of the netstream driver. $DefaultNetstreamDriverCAFile /etc/rsyslog.d/cert/ca.pem #Specifies the root CA. $DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert/client.cert.pem #Specifies the certificate for the client. $DefaultNetstreamDriverKeyFile /etc/rsyslog.d/cert/client.key.pem #Specifies the certificate key for the client. $InputTCPServerStreamDriverAuthMode x509/name $InputTCPServerStreamDriverPermittedPeer <server host name or IP address> #Specifies the server through its host name or IP address. $InputTCPServerStreamDriverMode 1 #Requires the server to run in TLS mode only. $InputTCPServerRun 10514 #Specifies the listener port that the syslog communication starts at.
- Log on to the appliance from a local system console or remotely using SSH.
- Run the following command to restart the rsyslog function on the appliance.
After restarting rsyslog, a TLS-secured connection is set up, using the settings in the configuration file and the certificates.
- Verify that the TLS-secured connection has been set up successfully.
After running the verification command, you should see messages like the following displayed.
Nov 15 11:23:37 HyperVMlos2AD kernel: Kernel logging (proc) stopped. Nov 15 11:23:37 HyperVMlos2AD rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="53727" x-info="http://www.rsyslog.com"] exiting on signal 15. Nov 15 11:23:37 HyperVMlos2AD kernel: imklog 5.8.10, log source = /prog/kmsd started. Nov 15 11:23:37 HyperVMlos2AD rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="57261" x-info="http://www.rsyslog.com"] start [root@HyperVMlos2AD rsyslog.d]
You can now send TLS-secured syslog messages. Run the following command to send a test message:
logger "TLS-secured test message"