Inputs - Secure (TLS) Syslog


Some devices on the market, such as the Cisco ASA-55XX, support sending syslog messages over a TCP channel protected with Transport Layer Security (TLS). Starting from release 9.2, Kiwi Syslog Server supports Secure (TLS) Syslog (RFC 5425).

Secure (TLS) Syslog runs over a TCP channel, so most of the settings available on the "Input – Secure (TLS) Syslog" page are the same as on the "Input – TCP" page. Only the settings specific to Secure (TLS) Syslog are described here.

Certificates:

TLS relies on certificate-based authentication. A suitable certificate has to be selected from the certificate store before any client can connect to Kiwi Syslog Server over the TLS-secured TCP channel. The "Select Certificate" button lets the user browse the local certificate stores and pick a suitable certificate. The selected certificate is used to prove the identity of Kiwi Syslog Server to the client. The server itself does not check the client certificate and accepts a TLS connection from any client, so the channel protects messages in transit but does not authenticate the sending device.

Note: Certificates used by Kiwi Syslog Server have to be installed in the Local Machine certificate store.

To open this store the following procedure may be used:

Start -> Run -> [type] mmc [Enter] -> [Inside MMC Console] File -> Add/Remove Snap-in… -> Add -> Certificate -> Add -> Computer account -> Next -> Local computer -> Finish -> Close -> OK

Expand Certificates (Local Computer) and install the certificate into Personal.

Which kind of certificate should be used, and how the public key infrastructure (PKI) is configured, is device specific; consult the manufacturer's documentation. Steps that may be used for a Cisco ASA-5505 are given below on this page.

TCP Port:

By default the port allocated to Secure (TLS) Syslog is 6514 (RFC 5425).

Message Delimiters:

One more message delimiter type is available for Secure (TLS) Syslog in addition to the delimiters on the "Input – TCP" page. This delimiter follows the octet-counting framing defined in RFC 5425, where each message is prefixed with its length in octets. If the user chooses to look for this delimiter in the incoming message stream, the search for it is performed before the other delimiters are checked.
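As an added illustration (not code from the Kiwi Syslog documentation or its vendor), the following Python shows the RFC 5425 octet-counting framing a receiver looks for before any other delimiter, including the partial frame a TCP stream can deliver, and a minimal TLS sender that validates the server certificate described in the Certificates section. The host name, CA file path and sample message are assumed values.

```python
import socket
import ssl

# Added example, not from the Kiwi Syslog documentation: RFC 5425 octet-counting
# framing (MSG-LEN SP SYSLOG-MSG) plus a minimal TLS sender for port 6514.

# Constructed RFC 5424 sample message; the hostname and content are made up.
SAMPLE_MSG = "<134>1 2024-01-01T00:00:00Z tok-asa5005 - - - - interface up"


def frame_rfc5425(msg: str) -> bytes:
    """Prefix the message with its length in UTF-8 bytes (not characters)."""
    body = msg.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def parse_rfc5425_stream(buf: bytes):
    """Split bytes read from the TCP/TLS channel into complete messages.
    Returns (messages, remainder); the remainder is a frame that has not
    fully arrived and must be prepended to the next socket read. A prefix
    that is not a non-zero decimal number is a framing error: the stream
    cannot be resynchronised, so the caller should drop the connection."""
    messages = []
    while True:
        sp = buf.find(b" ")
        if sp == -1:
            if buf and not buf.isdigit():
                raise ValueError("RFC 5425 framing error")
            break                        # empty buffer or partial MSG-LEN
        if sp == 0 or buf[0] == ord("0") or not buf[:sp].isdigit():
            raise ValueError("RFC 5425 framing error")
        end = sp + 1 + int(buf[:sp])
        if len(buf) < end:
            break                        # frame not fully received yet
        messages.append(buf[sp + 1:end].decode("utf-8"))
        buf = buf[end:]
    return messages, buf


def send_secure_syslog(host: str, cafile: str, msg: str = SAMPLE_MSG,
                       port: int = 6514) -> int:
    """Send one framed message over TLS. The server certificate is validated
    against cafile (the CA that issued it) and matched against host, so an
    untrusted or mismatched server certificate aborts the connection."""
    ctx = ssl.create_default_context(cafile=cafile)
    frame = frame_rfc5425(msg)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame)
    return len(frame)
```

Calling send_secure_syslog("kiwi.example.local", "ca.pem") from a host that can reach the server is a quick way to confirm the selected certificate chains to a CA the clients trust.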

Example: Configuring a Cisco ASA-5505 to send secure syslog to Kiwi Syslog Server

1. Request a certificate from a Certification Authority (CA), e.g. Microsoft Certificate Service, specifying "Server Authentication Certificate" as the certificate purpose.
2. When the certificate is issued, install it into the Local Machine certificate store (see the directions in the Certificates section) of the machine where Kiwi Syslog Server is installed.
3. Load the certificate into the ASA-5505 (e.g. using terminal console access):
   a. Enter configuration mode.
   b. Create a trust point, e.g. named Syslog, and configure it to accept the certificate through the terminal:

Tok-ASA5005(config)# crypto ca trustpoint Syslog
Tok-ASA5005(config-ca-trustpoint)# enrollment terminal

   c. Authenticate the trust point by loading the certificate:

Tok-ASA5005(config)# crypto ca authenticate Syslog

   (paste the base64-encoded certificate into the terminal console and end it with "quit")

   d. The certificate is now loaded.
4. Configure the ASA-5505 to send secure syslog:

Tok-ASA5005(config)# logging enable
Tok-ASA5005(config)# logging host [interface name] [ip] tcp/6514 secure
Tok-ASA5005(config)# logging permit-hostdown

5. Enable the Secure (TLS) Syslog input in Kiwi Syslog Server and select the certificate installed into the Local Machine certificate store in step 2.