Skip to main content
Skyhigh Security

Configure a syslog server to receive TLS-secured data

Work with a rsyslog system file on a Web Gateway appliance to configure a syslog server that receives TLS-secured data.

Task

  1. On the user interface, select Configuration | File Editor.
  2. On the appliances tree, select the appliance that you want to configure a syslog server on, then select rsyslog.conf.
    The content of the system file appears in the configuration frame.
  3. Add the following lines to the file content.
$ModLoad imtcp.so #Specifies the TCP listener that listens to requests sent from the clients.

$DefaultNetstreamDriver gtls #Requires use of the netstream driver.
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/cert/ca.pem #Specifies the root CA.
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert/server.cert.pem #Specifies the certificate for the server.
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/cert/server.key.pem #Specifies the certificate key for the server.

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer <client IP address> #Specifies the client through its IP address.
$InputTCPServerStreamDriverMode 1 #Requires the server to run in TLS mode only.
$InputTCPServerRun 10514 #Specifies the listener port that the syslog communication starts at.
  1. Log on to the appliance from a local system console or remotely using SSH.
  2. Run the following command to restart the rsyslog function on the appliance.
    /etc/init.d/rsyslog restart
    After restarting rsyslog, a TLS-secured connection is set up, using the settings in the configuration file and the certificates.
  3. Verify that the TLS-secured connection has been set up successfully.
    cat /var/log/messages
    After running the verification command, you should see messages like the following displayed.
Nov 15 11:23:37 testdev kernel: Kernel logging (proc) stopped.
Nov 15 11:23:37 testdev rsyslogd: [origin software="rsyslogd" swVersion="5.8.10"
x-pid="37290" x-info="http://www.rsyslog.com"] exiting on
signal 15.
Nov 15 11:23:37 testdev kernel: imklog 5.8.10, log source = /prog/kmsd started.
Nov 15 11:23:37 testdev rsyslogd: [origin software="rsyslogd" swVersion="5.8.10"
x-pid="41552" x-info="http://www.rsyslog.com"] start
[root@testdev tls]

Tags recommended by the template: article:topic

  • Was this article helpful?