TCP Collector Settings

TCP connections between log sources and LogLogic LMI can be secured by TLS.

TCP syslog feeders, rsyslog feeders, and ULDP clients can connect to LogLogic LMI via TLS using a certificate.

Note: TCP connections are supported for log data collection, but not for log data forwarding.

A TCP collector supports two default ports, 514 and 6514, and up to 14 more custom ports. If the firewall is enabled on the LogLogic LMI appliance before the custom ports are added to the configuration file /loglogic/conf/tcpcoll.conf, engine_ipfilter must be restarted using the command:
  mtask -s engine_ipfilter restart
However, if the firewall is enabled after configuring the custom ports, no action is required.
Note: The iptables rules are created automatically.

Every TCP collector's port can be used for collecting logs either unencrypted or using TLS. The TCP collector automatically detects secure TLS TCP connections.

The port numbers and other information can be configured using a configuration file /loglogic/conf/tcpcoll.conf.

Procedure

  1. Create the file /loglogic/conf/tcpcoll.conf, if it does not exist.
  2. Add the following information in the file:
    1. Specify the TLS version in the TLSVerFlags parameter:
      The TLSVerFlags parameter is a 4-bit number. Bit 3 is not used, and each of the remaining three bits represents one TLS version. Setting a bit to 1 enables that version. By default, all versions are enabled, so the default value of TLSVerFlags is 7, that is, 0111 in binary. The bit layout, the default value, and some examples are shown in the following tables.

      Bit 3      Bit 2      Bit 1      Bit 0
      not used   TLSv1.2    TLSv1.1    TLSv1.0

      Value                     Bits 3-0   Supported TLS versions
      TLSVerFlags=7 (default)   0 1 1 1    TLS versions 1.2, 1.1, and 1.0
      TLSVerFlags=6             0 1 1 0    TLS versions 1.2 and 1.1
      TLSVerFlags=5             0 1 0 1    TLS versions 1.2 and 1.0
      TLSVerFlags=4             0 1 0 0    Only TLS version 1.2
    2. Specify the port numbers using the ListenOnPort parameter. In the following example, the port number is 4321:
      ListenOnPort=4321
      If you want to add more ports, specify each port on a separate line. For example:
      ListenOnPort=4322
      ListenOnPort=4323
      ListenOnPort=4324
      ListenOnPort=4325
    3. By default, client certificate validation is disabled. To enable it, add this line:
      TLSClientVerify=1
      A value of 0 disables client certificate validation; any other number enables it.
    4. An SSL certificate is generated whenever the IP address of the appliance changes, and that generated certificate is the one the LogLogic LMI TLS server uses unless you configure your own. To configure the paths of your own certificate and key:
      TLSCert=/loglogic/conf/certs/cert1
      TLSKey=/loglogic/conf/certs/key1
      Note: The external keys and certificates cannot be synchronized between HA nodes, and must be configured manually on the master and slave nodes.
    5. For client certificate validation, specify the client's CA file:
      TLSDefaultClientCA=/loglogic/conf/certs/client179.ca
      Note:
      • You must manually place the client certificate's CA file at the path specified in this configuration file (in this example, /loglogic/conf/certs/), and its file name must match the name specified there.
      • Only one client CA is supported. If you specify multiple lines for the TLSDefaultClientCA parameter, only the last one is considered. If you use a certificate chain to sign the client certificate, the chain must be stored in the same file that is mentioned in this parameter.
    6. By default, the TCP collector cannot handle events larger than 64KB. To enable support for larger events, add the following line if it does not exist:
      UseTcpCollectorQueue=1
      Note:
      • Messages up to 1 MB are supported.
      • Enabling this option might impact search performance.
      • Advanced Search can handle events larger than 64KB.
      • The Triggered Alerts page cannot display the complete message content if the message size is greater than 64KB.
      • For ULDP protocol, LogLogic LMI cannot receive messages longer than 64KB.
      • After setting this value to 1:
        • If you are running this setup on a single node that is not in an HA configuration, restart mtask.
        • If you are running this setup in an HA configuration, reboot both master and slave nodes.
  3. Save the file and restart the engine_tcpcollector using the following command:
    mtask -s engine_tcpcollector restart
    Note: When using stunnel, ensure that the file with the key has 0644 permission.
    • In an HA configuration, you must save this file on both the master and the slave nodes.
    • It is good practice to place certificate files in a sub-folder under /loglogic/conf/, so that the certificate files are backed up automatically.
    • The TCP collector runs with lowered privileges. The following files, referenced as parameters in the configuration file, must be readable by the logapp user (or whichever other user the collector runs as):
      • TLSCert=<file_name>

        For example: TLSCert=/loglogic/conf/certs/cert1

      • TLSKey=<file_name>

        For example: TLSKey=/loglogic/conf/certs/key1

      • TLSDefaultClientCA=<file_name>

        The default client file is TLSDefaultClientCA=/loglogic/conf/certs/client179.ca

    • The password associated with TLSKey must be set by using the CLI command:
      set tls syslog key password
      Follow the prompts to type the password and confirm it. To erase the password, run the same command, but press the Enter key when prompted for the password. Then restart the engine_tcpcollector using the following command:
      mtask -s engine_tcpcollector restart
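The procedure above leaves several relationships between parameters implicit: TLSVerFlags is decoded bit by bit (the table in step 2.1), only the last TLSDefaultClientCA line counts, TLSClientVerify=1 is useless without a CA file, and TLSCert/TLSKey belong together. The following lint script is an added example, not LogLogic's own code or tooling; it implements exactly the parameter semantics described on this page, and the tcpcoll.conf content it parses is a constructed sample that mirrors the page's example values. It does not check file permissions or talk to the appliance, so it can be run offline against a copy of /loglogic/conf/tcpcoll.conf before you restart engine_tcpcollector.

```python
"""Lint a LogLogic LMI tcpcoll.conf file (added example, not LogLogic code).

Checks the parameter semantics documented for the TCP collector:
TLSVerFlags bit layout, ListenOnPort limits, TLSClientVerify/TLSDefaultClientCA
pairing, TLSCert/TLSKey pairing, and the UseTcpCollectorQueue side effects.
"""
from typing import Dict, List, Tuple

# Documented TLSVerFlags layout: bit 0 = TLSv1.0, bit 1 = TLSv1.1,
# bit 2 = TLSv1.2, bit 3 unused.
TLS_VERSION_BITS = {0: "TLSv1.0", 1: "TLSv1.1", 2: "TLSv1.2"}
DEFAULT_PORTS = (514, 6514)   # always open on the collector
MAX_CUSTOM_PORTS = 14         # documented limit for extra ListenOnPort lines

# Constructed sample config; values mirror the examples on this page.
SAMPLE_CONF = """\
# constructed sample tcpcoll.conf
TLSVerFlags=7
ListenOnPort=4321
ListenOnPort=4322
TLSClientVerify=1
TLSCert=/loglogic/conf/certs/cert1
TLSKey=/loglogic/conf/certs/key1
TLSDefaultClientCA=/loglogic/conf/certs/client179.ca
UseTcpCollectorQueue=1
"""


def parse_tcpcoll_conf(text: str) -> Dict[str, List[str]]:
    """Parse Key=Value lines into lists per key (ListenOnPort may repeat)."""
    params: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        params.setdefault(key.strip(), []).append(value.strip())
    return params


def decode_tls_ver_flags(flags: int) -> List[str]:
    """Return the TLS versions enabled by a TLSVerFlags value (7 -> all three)."""
    if not 0 <= flags <= 15:
        raise ValueError("TLSVerFlags is a 4-bit number")
    return [name for bit, name in TLS_VERSION_BITS.items() if flags & (1 << bit)]


def lint_tcpcoll_conf(text: str) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for the body of a tcpcoll.conf file."""
    params = parse_tcpcoll_conf(text)
    errors: List[str] = []
    warnings: List[str] = []

    # TLSVerFlags defaults to 7; decode it with the documented bit layout.
    flags = int(params.get("TLSVerFlags", ["7"])[-1])
    enabled = decode_tls_ver_flags(flags)
    if not enabled:
        errors.append(f"TLSVerFlags={flags} enables no TLS version")
    if flags & 0b1000:
        warnings.append("TLSVerFlags bit 3 is set but not used")
    legacy = [v for v in enabled if v != "TLSv1.2"]
    if legacy:
        warnings.append(f"TLSVerFlags={flags} still enables {', '.join(legacy)}; "
                        "TLSVerFlags=4 restricts the collector to TLSv1.2")

    # Each ListenOnPort line adds one custom port on top of 514 and 6514.
    ports: List[int] = []
    for value in params.get("ListenOnPort", []):
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            errors.append(f"ListenOnPort={value} is not a valid TCP port")
            continue
        port = int(value)
        if port in DEFAULT_PORTS:
            warnings.append(f"ListenOnPort={port} duplicates a default port")
        elif port in ports:
            errors.append(f"ListenOnPort={port} is listed twice")
        else:
            ports.append(port)
    if len(ports) > MAX_CUSTOM_PORTS:
        errors.append(f"{len(ports)} custom ports configured; "
                      f"at most {MAX_CUSTOM_PORTS} are supported")

    # Client certificate validation needs a CA file; only the last line is used.
    verify = params.get("TLSClientVerify", ["0"])[-1] != "0"
    ca_lines = params.get("TLSDefaultClientCA", [])
    if verify and not ca_lines:
        errors.append("TLSClientVerify is enabled but TLSDefaultClientCA is not set")
    if len(ca_lines) > 1:
        warnings.append(f"multiple TLSDefaultClientCA lines; only the last one "
                        f"({ca_lines[-1]}) is used")

    # An external certificate is only usable if both the cert and key paths are set.
    if ("TLSCert" in params) != ("TLSKey" in params):
        errors.append("TLSCert and TLSKey must both be set to use an external certificate")

    # UseTcpCollectorQueue=1 raises the event limit to 1 MB with documented side effects.
    if params.get("UseTcpCollectorQueue", ["0"])[-1] == "1":
        warnings.append("UseTcpCollectorQueue=1: events up to 1 MB accepted, search "
                        "performance may be affected, ULDP messages remain limited to 64KB")

    return errors, warnings


if __name__ == "__main__":
    errs, warns = lint_tcpcoll_conf(SAMPLE_CONF)
    print("enabled TLS versions:", decode_tls_ver_flags(7))
    for msg in errs:
        print("ERROR:", msg)
    for msg in warns:
        print("WARNING:", msg)
```

Run it with the appliance's tcpcoll.conf read into `lint_tcpcoll_conf` instead of `SAMPLE_CONF`; the sample itself produces no errors but two warnings, one because TLSVerFlags=7 still enables TLS 1.0 and 1.1, and one listing the documented side effects of UseTcpCollectorQueue=1. File readability by the logapp user and the 0644 permission noted for stunnel are separate checks to make on the appliance itself.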