Inputs - Secure (TLS) Syslog
|Top Previous Next|
Some devices available on the market, such as Cisco ASA-55XX, which support sending secure syslog messages over TCP channel with transport layer security (TLS). Kiwi Syslog Server starting from release 9.2 supports Secure (TLS) Syslog (RFC 5425).
Secure (TLS) Syslog is performed over TCP channel and thus most of the settings, available on "Input –Secure (TLS) Syslog" page, are the same as on the "Input – TCP" page. Only settings specific to Secure (TLS) Syslog are described here.
TLS relies on certificate-based authentication. A proper certificate has to be selected from certificate store before any client will be able to successfully connect to Kiwi Syslog Server using TLS secured TCP channel. "Select Certificate" button allows the user to browse local certificate stores and pickup a suitable certificate. The selected certificate is used to prove identity of Kiwi Syslog Server to the client. The server itself does not check client certificate and accepts TLS connection from any client.
Note: Certificates which will be used by Kiwi Syslog Server have to be installed into the Local Machine certificate store.
To open this store the following procedure may be used:
Start -> Run -> [type] mmc [Enter] -> [Inside MMC Console] File -> Add/Remove Snap-in… -> Add -> Certificate -> Add -> Computer account -> Next -> Local computer -> Finish -> Close -> OK
Expend Certificates (Local Computer) and install certificate into Personal
What kind of certificate should be used and configuration of public key infrastructure (PKI) is device specific and manufacturer documentation should be consulted. Steps which may be used for Cisco ASA-5505 are given below on this page.
By default the port allocated to Secure (TLS) Syslog is 6514 (RFC 5425).
There is one more message delimiter type added for Secure (TLS) Syslog comparably to delimiters available on "Input – TCP" page. This delimiter conforms to the rule defined in RFC 5425. If the user decides to look for this delimiter inside incoming message stream the search for this delimiter is performed before other delimiters are checked.
Example: Configuring Cisco ASA-5505 for sending secure syslog to Kiwi Syslog Server and Cisco ASA-5505
Tok-ASA5005(config)# crypto ca trustpoint Syslog
Tok-ASA5005(config-ca-trustpoin)# enrollment terminal
Tok-ASA5005(config)# crypto ca authenticate Syslog
(provide base64 certificate into terminal console and end it with "quit")
Tok-ASA5005(config)# logging enable
Tok-ASA5005(config)# logging host [interface name] [ip] tcp/6514 secure
Tok-ASA5005(config)# logging permit-hostdown