
Example Secure Syslog Linux Client Configuration

This guide shows how to send syslog messages over TLS from a Linux system to a Windows Server running the Axon Agent, where they are collected.

It uses the rsyslog program to configure syslog forwarding on the Linux machine.

Access to the fluentd configuration files on the Axon Agent server is required for this example.

Their location is C:\opt\fluent\etc\fluent\

The steps follow the rsyslog project's TLS documentation on generating the machine certificate.

Generating the Machine Private Key and Certificate Request

Use the following command to generate the private key on the client machine (in this example, the Linux system). 2048 bits is the minimum worth using today; 3072 or 4096 bits also work with rsyslog's gtls driver.

CODE
certtool --generate-privkey --outfile key.pem --bits 2048

Next, generate a certificate signing request. Answer the prompts as shown below, substituting your own details: the Common name should be the client's fully qualified host name, the certificate must not belong to an authority (this is a machine certificate, not a CA), and the challenge password can be left empty since rsyslog does not use it.

CODE
certtool --generate-request --load-privkey key.pem --outfile request.pem
Generating a PKCS #10 certificate request...
Country name (2 chars): US
Organization name: SomeOrg
Organizational unit name: SomeOU
Locality name: Somewhere
State or province name: CA
Common name: machine.example.net
UID:
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y

Generating the Certificate

Before this step, make sure the client system has a copy of ca-certificate.pem and ca-private-key.pem.

In this example they are found in C:\opt\fluent\etc\fluent\pki\ on the Axon Agent server.

ca-private-key.pem can sign a certificate that every collector trusting this CA will accept, so copy it over an encrypted channel (for example scp), keep it on the client only for the signing step, and delete it once cert.pem has been generated. Do not leave it in /etc/securesyslog next to the client's own files.

Run the following command on the client machine to generate and sign the certificate

CODE
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca-certificate.pem --load-ca-privkey ca-private-key.pem
Generating a signed certificate...
Enter password:
Enter the certificate's serial number in decimal (123) or hex (0xabcd)
(default is 0x2de070d594caf756f4493473cfb44afc7cec400d)
value:


Activation/Expiration time.
The certificate will expire in (days): 3000


Extensions.
Do you want to honour all the extensions from the request? (y/N): n
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: demo3.kongjoo.net
Enter an additional dnsName of the subject of the certificate: 192.168.2.23
Enter an additional dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate: 192.168.2.23
Will the certificate be used for signing (DHE ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used for data encryption? (y/N):
Will the certificate be used to sign OCSP requests? (y/N): y
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used for email protection? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 2de070d594caf756f4493473cfb44afc7cec400d
        Validity:
                Not Before: Fri May 31 15:58:17 UTC 2024
                Not After: Tue Aug 17 15:58:19 UTC 2032
        Subject: CN=demo3.kongjoo.net,OU=Basement,O=Adams Labs,L=Upper Dublin,ST=Adams Corp,C=US
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Modulus (bits 2048):
                        00:f0:6e:d6:51:67:83:55:78:37:ce:c8:a2:4d:04:d3
                        a4:5e:a6:f5:ff:66:87:e7:e2:1d:2e:6b:e3:40:f0:8b
                        ef:d3:b0:a1:48:64:40:a3:40:90:30:6d:eb:7e:88:ca
                        83:ef:33:ca:47:56:d9:20:70:98:50:9d:8c:e7:51:f9
                        8e:69:02:5f:92:63:c6:7e:4e:40:ae:6d:6d:f2:41:3c
                        45:8f:b3:8d:d9:4c:c9:0b:71:70:c4:61:f1:05:82:fc
                        1c:51:86:b6:78:d3:ff:1b:11:91:ac:ab:7f:87:45:a4
                        b5:23:43:3a:1d:fb:22:84:6b:ac:e0:e5:c7:13:b6:df
                        06:51:0e:fe:65:6c:2e:c7:53:c7:ee:d9:27:6e:34:57
                        c4:ea:cb:b3:ba:23:61:de:43:25:c4:51:a7:51:39:58
                        8b:3a:01:bc:26:60:fe:12:79:38:47:df:de:79:83:e9
                        ad:e2:f0:69:16:c4:7b:b3:08:90:9b:f3:9f:b9:5b:a5
                        ea:18:f2:c2:de:b8:61:37:60:fa:1d:c2:81:b1:5f:3e
                        5f:c7:57:9c:b2:99:2b:6e:98:a3:d1:56:fc:58:35:0a
                        a6:96:d3:6e:ba:4d:b0:2d:78:4e:75:84:d8:c8:de:22
                        62:40:be:71:56:8f:7e:5b:6e:76:90:9b:46:1c:27:05
                        a3
                Exponent (bits 24):
                        01:00:01
        Extensions:
                Basic Constraints (critical):
                        Certificate Authority (CA): FALSE
                Key Purpose (not critical):
                        TLS WWW Client.
                        TLS WWW Server.
                        OCSP signing.
                Subject Alternative Name (not critical):
                        DNSname: demo3.kongjoo.net
                        DNSname: 192.168.2.23
                        IPAddress: 192.168.2.23
                Key Usage (critical):
                        Digital signature.
                        Key encipherment.
                Subject Key Identifier (not critical):
                        9066f346cfa4b4c1f2cebc029dd271a7053e9a96
                Authority Key Identifier (not critical):
                        b41059adca178e5cc4794d71c144cc6d1ad19b7a
Other Information:
        Public Key ID:
                sha1:9066f346cfa4b4c1f2cebc029dd271a7053e9a96
                sha256:d7e9e1477121c87f165e714759eba9eb0d459395c3553a1aab33223d7ce147ec
        Public Key PIN:
                pin-sha256:1+nhR3EhyH8WXnFHWeup6w1Fk5XDVToaqzMiPXzhR+w=

Is the above information ok? (y/N): y


Signing certificate...

The "Enter password:" prompt asks for the passphrase protecting ca-private-key.pem (not anything belonging to ca-certificate.pem).

In this example it is stored in the file C:\opt\fluent\etc\fluent\collector.d\syslog.conf on the Axon Agent server.

Two answers in the transcript above should be corrected for your own run: enter the IP address only at the "IP address of the subject" prompt (the transcript also typed 192.168.2.23 as a dnsName, which produced the meaningless "DNSname: 192.168.2.23" entry shown), and answer n to "sign OCSP requests", which a syslog client certificate never needs. The extensions that matter are CA: FALSE, TLS web client (and TLS web server if the same certificate will also protect a listener on this host), and a dnsName matching the Common name.

Set Proper File Permissions on Certificate Files

All the files are stored in /etc/securesyslog/ on the Linux client machine in this example. rsyslog must be able to read them as the account it runs under: on Debian and Ubuntu that is the syslog user (as below); on RHEL-based systems rsyslog runs as root and the chown is not needed. If ca-private-key.pem was copied into this directory for the signing step, delete it before running these commands.

CODE
chown syslog /etc/securesyslog/*
chmod 600 /etc/securesyslog/*

Create an rsyslog Configuration File

Create a .conf file in /etc/rsyslog.d/ (rsyslog reads every *.conf file in that directory when it starts; the file must be placed there, not in /etc/syslog.d/).

To forward all syslog messages to the Windows server over TLS, save the following sample configuration as /etc/rsyslog.d/60-logrhythm.conf

CODE
# Optional debug configuration (comment out again when done; the debug file grows quickly)
#$DebugFile /var/log/rsyslogdebug
#$DebugLevel 2

# Use GnuTLS for all network streams and point it at the files created above.
# ca-certificate.pem is only consulted for server verification if the
# StreamDriverAuthMode below is changed from "anon" to an x509 mode.
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/etc/securesyslog/ca-certificate.pem"
DefaultNetstreamDriverCertFile="/etc/securesyslog/cert.pem"
DefaultNetstreamDriverKeyFile="/etc/securesyslog/key.pem"
)

# Forward every message (no filter means *.*) to the collector over TCP/1514.
# StreamDriverMode="1" makes TLS mandatory. StreamDriverAuthMode="anon" encrypts
# the session but does NOT verify the collector's certificate, so a host that
# intercepts the connection can read the logs. Once the collector presents a
# certificate signed by ca-certificate.pem, switch to
# StreamDriverAuthMode="x509/certvalid" (or "x509/name" together with
# StreamDriverPermittedPeers="<collector name>") so the connection fails
# instead of being made to an impostor.
action(type="omfwd" protocol="tcp" target="192.168.1.16" port="1514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")

Replace the target IP address (192.168.1.16) and, if different, the port with those of your collection server; the port must be the one the Axon Agent collector listens on (1514 in this example).

Finally, restart rsyslog to load the new configuration file

CODE
systemctl restart rsyslog

All syslog traffic from this machine should now be forwarded over TLS to the Windows collection server and collected via Axon Agent.

If no logs arrive, work from the client outward: run rsyslogd -N1 to validate the configuration syntax, check the rsyslog service log (journalctl -u rsyslog, or /var/log/syslog) for gtls errors about loading the certificate or key, confirm that the Windows firewall allows inbound TCP on the collector port, and capture on the server (e.g. with Wireshark) to see whether TLS sessions from the client reach it at all.
