Configuring TLS Syslog

TCP connections between log sources and LogLogic LMI can be secured by TLS.

TCP syslog feeders, rsyslog feeders, and ULDP clients can connect to LogLogic LMI via TLS using a certificate.

Note: TLS TCP connections are supported for log data collection. However, encrypted log data forwarding to LogLogic LMI appliances uses SSH encryption.

By default, a TCP collector supports two ports, 514 and 6514, and up to 14 more custom ports. If the firewall is enabled on the LogLogic LMI appliance, you must run the system firewall command to add these ports to the firewall rule. The rules take effect automatically.

Note: The iptables rules are created automatically.

Every TCP collector's port can be used for collecting logs - either unencrypted or by using TLS. The TCP collector automatically detects secure TLS TCP connections.

The port numbers and other information can be configured using a configuration file /loglogic/conf/tcpcoll.conf.

Procedure

  1. Create the file /loglogic/conf/tcpcoll.conf, if it does not exist.
    Note:
    • Ensure that the configuration key file has 0644 permission.
    • In an HA configuration, you must save this file on both the master and the standby nodes.
    • It is best practice to place certificate files in a sub-folder under /loglogic/conf/ so that the certificate files are backed up automatically.
    • The TCP collector runs with lowered privileges. The following files mentioned as parameters in the configuration file must be readable by the logapp user:
      • TLSCert=<file_name>

        For example: TLSCert=/loglogic/conf/certs/cert1

      • TLSKey=<file_name>

        For example: TLSKey=/loglogic/conf/certs/key1

      • TLSDefaultClientCA=<file_name>

        The default client file is TLSDefaultClientCA=/loglogic/conf/certs/client179.ca

  2. Add the following information in the file:
    1. Specify the TLS version in the TLSVerFlags parameter:
      The TLSVerFlags parameter is a 4-bit number. Bit 3 is not used, and each of the remaining three bits represents one TLS version. Setting a bit to 1 enables that version. By default, all versions are enabled, so the default value of TLSVerFlags is 7, that is, 0111 in binary. The default value and some examples are explained in the following table.

      Bit:          Bit 3      Bit 2      Bit 1      Bit 0
      TLS version:  not used   TLSv1.2    TLSv1.1    TLSv1.0

      Value                     Bits (3..0)   Supported TLS versions
      TLSVerFlags=7 (default)   0111          TLS versions 1.2, 1.1, and 1.0
      TLSVerFlags=6             0110          TLS versions 1.2 and 1.1
      TLSVerFlags=5             0101          TLS versions 1.2 and 1.0
      TLSVerFlags=4             0100          Only TLS version 1.2
    2. By default, client certificate validation is disabled. To enable it, add this line:
      TLSClientVerify=1
      0 indicates disabled; any other number indicates enabled.
    3. An SSL certificate is generated whenever the IP address of the appliance changes. This SSL certificate is used for receiving logs from Blue Coat Proxy appliances over HTTPS, and it is the default certificate used by LogLogic LMI as the TLS server. To configure the certificate and key paths explicitly:
      TLSCert=/loglogic/conf/certs/cert1
      TLSKey=/loglogic/conf/certs/key1
      Note: The external keys and certificates cannot be synchronized between HA nodes, and must be configured manually on the master and standby nodes.
    4. For client certificate validation, specify the client's CA file. For example:
      TLSDefaultClientCA=/loglogic/conf/certs/client179.ca
      Note:
      • You must manually put the CA file of the client certificate in this directory, and it must have the same name as specified in this configuration file.
      • Only one client CA is supported. If you specify multiple lines for the TLSDefaultClientCA parameter, only the last one is considered. If you use a certificate chain to sign the client certificate, the chain must be stored in the same file that is mentioned in this parameter.
    5. To have LogLogic LMI listen on any additional ports for receiving TCP syslog data, you must explicitly specify the port numbers using the ListenOnPort parameter. In the following example, the port number is 4321:
      ListenOnPort=4321
      If you want to add more ports, specify each port on a separate line. For example:
      ListenOnPort=4322
      ListenOnPort=4323
      ListenOnPort=4324
      ListenOnPort=4325
      Note: This step is required for both TLS TCP syslog and octet framing features (except for the default ports 514 and 6514).
    6. (Optional) To enable octet-counting framing on the additional ports, you must set the FrameOnPort parameter for those ports. To specify multiple ports, each port must be listed on a new line:
      FrameOnPort=2513
      FrameOnPort=2514
      FrameOnPort=2515

      The port listed for octet-counting framing must be a listening port, which means the ListenOnPort parameter for the port must appear before the FrameOnPort parameter. For example, if you configure the port 2345 to receive octet-counting framing messages, you must configure the parameters as:

      ListenOnPort=2345
      FrameOnPort=2345

      Once a port is set to receive octet-counting framing messages, the port rejects messages that are not of the octet-counting framing type.

      Note: Because the ports 514 and 6514 are open by default, it is sufficient to specify the FrameOnPort parameter for these ports and omit the ListenOnPort parameter.
  3. (Optional) The password associated with TLSKey can be set by using the CLI command:
    > set tls syslog key password
    The password is encrypted when stored. It is stored in MySQL in the Settings2 table of the logappconfig database, under a setting called GlobalTlsKeyPwd.

    Follow the instructions to type a password and confirm the password. To erase the password, run the same command, but press the Enter key when prompted for the password.

  4. Save the file and restart the engine_tcpcollector using the following command:
    $ mtask -s engine_tcpcollector restart
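The rules in step 2 (the TLSVerFlags bit layout, only the last TLSDefaultClientCA line taking effect, and ListenOnPort having to precede FrameOnPort for ports other than 514 and 6514) can be checked before the collector is restarted. The following Python script is an added example, not LogLogic code; it assumes tcpcoll.conf is plain key=value lines, and the configuration body it checks (including the other.ca path) is constructed here.

```python
# Added example, not LogLogic's own code: checks a tcpcoll.conf body against
# the rules in the procedure (bit layout, CA precedence, port ordering).
DEFAULT_PORTS = {514, 6514}                  # open without a ListenOnPort line
TLS_BITS = {0: "TLSv1.0", 1: "TLSv1.1", 2: "TLSv1.2"}  # bit 3 is unused

def decode_tls_ver_flags(value):
    """Return the TLS versions enabled by a 4-bit TLSVerFlags value."""
    if not 0 <= value <= 15:
        raise ValueError("TLSVerFlags must be a 4-bit number")
    return [name for bit, name in TLS_BITS.items() if value & (1 << bit)]

def parse_tcpcoll_conf(text):
    """Yield (key, value) pairs in file order; repeated keys are kept."""
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, val = line.partition("=")
        yield key.strip(), val.strip()

def check_tcpcoll_conf(text):
    """Return (enabled TLS versions, warnings) for a tcpcoll.conf body."""
    warnings, client_ca = [], []
    flags, listening = 7, set(DEFAULT_PORTS)   # 7 is the documented default
    for key, val in parse_tcpcoll_conf(text):
        if key == "TLSVerFlags":
            flags = int(val)
        elif key == "ListenOnPort":
            listening.add(int(val))
        elif key == "FrameOnPort" and int(val) not in listening:
            # non-default ports need their ListenOnPort line earlier in the file
            warnings.append("FrameOnPort=%s has no preceding ListenOnPort" % val)
        elif key == "TLSDefaultClientCA":
            client_ca.append(val)
    versions = decode_tls_ver_flags(flags)
    for old in ("TLSv1.0", "TLSv1.1"):
        if old in versions:
            warnings.append("%s enabled; TLSVerFlags=4 limits to TLSv1.2" % old)
    if len(client_ca) > 1:
        warnings.append("several TLSDefaultClientCA lines; only %s counts" % client_ca[-1])
    return versions, warnings

# Constructed sample: one misordered FrameOnPort and a duplicate CA line.
SAMPLE_CONF = """\
TLSVerFlags=6
TLSCert=/loglogic/conf/certs/cert1
TLSKey=/loglogic/conf/certs/key1
TLSDefaultClientCA=/loglogic/conf/certs/client179.ca
TLSDefaultClientCA=/loglogic/conf/certs/other.ca
FrameOnPort=2345
ListenOnPort=2345
FrameOnPort=514
"""
```

Running check_tcpcoll_conf(SAMPLE_CONF) reports the misordered FrameOnPort=2345, the still-enabled TLSv1.1, and the duplicate CA line, while FrameOnPort=514 passes because that port is open by default.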