Example Secure Syslog Linux Client Configuration
In some deployments a Linux system must forward its syslog messages over TLS to a Windows server running the Axon Agent, where the agent's fluentd syslog collector receives them. The setup has several parts (a client key and certificate signed by the collector's CA, file permissions on the Linux side, and an rsyslog forwarding rule), and this guide walks through one example configuration end to end.
The examples on this page use rsyslog to configure syslog on the Linux machine.
Access to the fluentd configuration files on the Axon Agent server is required for this example.
The default location of these files is C:\opt\fluent\etc\fluent\.
This guide follows the Machine Configuration steps of the rsyslog TLS documentation (generating the machine key, the request and the signed certificate with certtool).
Generate the Machine Private Key and Certificate Request
The following steps cover generating a machine private key and making a certificate request from the Linux system.
Use the following command to generate the machine key on the client machine (in this example, the Linux system). Run it with a restrictive umask, for example umask 077, so that key.pem is never world-readable, even before the permissions step below:
certtool --generate-privkey --outfile key.pem --bits 2048
Next, generate a certificate request from that key with the following command. certtool prompts for the subject fields; the answers below are placeholders, so use your own values, with the Common name set to the fully qualified hostname of the Linux system:
certtool --generate-request --load-privkey key.pem --outfile request.pem
Generating a PKCS #10 certificate request...
Country name (2 chars): US
Organization name: SomeOrg
Organizational unit name: SomeOU
Locality name: Somewhere
State or province name: CA
Common name: machine.example.net
UID:
Enter a dnsName of the subject of the certificate:
Enter the IP address of the subject of the certificate:
Enter the e-mail of the subject of the certificate:
Enter a challenge password:
Does the certificate belong to an authority? (y/N): n
Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N):
Will the certificate be used for encryption (RSA ciphersuites)? (y/N):
Is this a TLS web client certificate? (y/N): y
Is this also a TLS web server certificate? (y/N): y
Generate the Certificate
The following step covers signing the request to produce the client certificate. As written, this example runs the signing command on the client machine, so before this step the client needs a copy of ca-certificate.pem and ca-private-key.pem from the Axon Agent server; their default location there is C:\opt\fluent\etc\fluent\pki\.
Note that ca-private-key.pem can issue certificates that every client of this collector will trust, so copying it around is a risk. The safer arrangement is the reverse: copy request.pem to the host that holds the CA key, run the same command there, and copy only cert.pem (together with ca-certificate.pem) back to the client. If you do sign on the client, delete ca-private-key.pem from it as soon as cert.pem exists.
Run the following command to generate the certificate on the client machine:
certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca-certificate.pem --load-ca-privkey ca-private-key.pem
Generating a signed certificate...
Enter password:
Enter the certificate's serial number in decimal (123) or hex (0xabcd)
(default is 0x2de070d594caf756f4493473cfb44afc7cec400d)
value:
Activation/Expiration time.
The certificate will expire in (days): 3000
Extensions.
Do you want to honour all the extensions from the request? (y/N): n
Does the certificate belong to an authority? (y/N):
Is this a TLS web client certificate? (y/N): y
Will the certificate be used for IPsec IKE operations? (y/N):
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: demo3.kongjoo.net
Enter an additional dnsName of the subject of the certificate: 192.1.1.1
Enter an additional dnsName of the subject of the certificate:
Enter a URI of the subject of the certificate:
Enter the IP address of the subject of the certificate: 192.1.1.1
Will the certificate be used for signing (DHE ciphersuites)? (Y/n):
Will the certificate be used for encryption (RSA ciphersuites)? (Y/n):
Will the certificate be used for data encryption? (y/N):
Will the certificate be used to sign OCSP requests? (y/N): y
Will the certificate be used to sign code? (y/N):
Will the certificate be used for time stamping? (y/N):
Will the certificate be used for email protection? (y/N):
Enter the URI of the CRL distribution point:
X.509 Certificate Information:
Version: 3
Serial Number (hex): 2de070d594caf756f4493473cfb44afc7cec400d
Validity:
Not Before: Fri May 31 15:58:17 UTC 2024
Not After: Tue Aug 17 15:58:19 UTC 2032
Subject: CN=demo3.kongjoo.net,OU=Basement,O=Adams Labs,L=Upper Dublin,ST=Adams Corp,C=US
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
Modulus (bits 2048):
00:f0:6e:d6:51:67:83:55:78:37:ce:c8:a2:4d:04:d3
a4:5e:a6:f5:ff:66:87:e7:e2:1d:2e:6b:e3:40:f0:8b
ef:d3:b0:a1:48:64:40:a3:40:90:30:6d:eb:7e:88:ca
83:ef:33:ca:47:56:d9:20:70:98:50:9d:8c:e7:51:f9
8e:69:02:5f:92:63:c6:7e:4e:40:ae:6d:6d:f2:41:3c
45:8f:b3:8d:d9:4c:c9:0b:71:70:c4:61:f1:05:82:fc
1c:51:86:b6:78:d3:ff:1b:11:91:ac:ab:7f:87:45:a4
b5:23:43:3a:1d:fb:22:84:6b:ac:e0:e5:c7:13:b6:df
06:51:0e:fe:65:6c:2e:c7:53:c7:ee:d9:27:6e:34:57
c4:ea:cb:b3:ba:23:61:de:43:25:c4:51:a7:51:39:58
8b:3a:01:bc:26:60:fe:12:79:38:47:df:de:79:83:e9
ad:e2:f0:69:16:c4:7b:b3:08:90:9b:f3:9f:b9:5b:a5
ea:18:f2:c2:de:b8:61:37:60:fa:1d:c2:81:b1:5f:3e
5f:c7:57:9c:b2:99:2b:6e:98:a3:d1:56:fc:58:35:0a
a6:96:d3:6e:ba:4d:b0:2d:78:4e:75:84:d8:c8:de:22
62:40:be:71:56:8f:7e:5b:6e:76:90:9b:46:1c:27:05
a3
Exponent (bits 24):
01:00:01
Extensions:
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Client.
TLS WWW Server.
OCSP signing.
Subject Alternative Name (not critical):
DNSname: demo3.kongjoo.net
DNSname: 192.1.1.1
IPAddress: 192.1.1.1
Key Usage (critical):
Digital signature.
Key encipherment.
Subject Key Identifier (not critical):
9066f346cfa4b4c1f2cebc029dd271a7053e9a96
Authority Key Identifier (not critical):
b41059adca178e5cc4794d71c144cc6d1ad19b7a
Other Information:
Public Key ID:
sha1:9066f346cfa4b4c1f2cebc029dd271a7053e9a96
sha256:d7e9e1477121c87f165e714759eba9eb0d459395c3553a1aab33223d7ce147ec
Public Key PIN:
pin-sha256:1+nhR3EhyH8WXnFHWeup6w1Fk5XDVToaqzMiPXzhR+w=
Is the above information ok? (y/N): y
Signing certificate...
certtool prompts "Enter password:" because ca-private-key.pem is stored encrypted; enter the passphrase of the CA private key. The Axon Agent's fluentd syslog collector holds the same passphrase in its configuration, by default C:\opt\fluent\etc\fluent\collector.d\syslog.conf.
Two details of the transcript above are worth correcting in your own run. The IP address belongs only at the "Enter the IP address of the subject" prompt, which produces the IPAddress entry in the Subject Alternative Name; typing it at a dnsName prompt as well, as above, adds a DNSname of 192.1.1.1, which is not how a TLS peer matches an address. The OCSP-signing purpose is not needed for a syslog client certificate and can be left at its default of N. A 3000-day validity is also longer than most certificate policies allow; choose a period your rotation process can handle.
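As an added example, not part of the original page or of rsyslog's or the Axon Agent's own tooling, the same key, request and signing steps in non-interactive form: certtool reads template files instead of prompting, the request is signed where the CA key lives, and only ca-certificate.pem is handed to the client directory. The CA created here is a throwaway one so the script runs stand-alone; in a real deployment the signing function runs on the host that holds the Axon Agent's (encrypted) ca-private-key.pem. The hostname demo3.kongjoo.net and the address 192.1.1.1 are taken from the transcript above; the directory layout, SomeOrg and the 825-day validity are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's or rsyslog's own code: certtool driven by
# template files instead of interactive prompts. Assumptions: GnuTLS certtool
# is installed; the CA material normally lives on the Axon Agent server and
# is only generated here so the script is self-contained.
set -eu
umask 077   # every file created below starts out readable by the owner only

# CA side: a throwaway CA for the example. In production this already exists
# (ca-certificate.pem / ca-private-key.pem on the collector) and is NOT redone.
make_test_ca() {
    ca_dir=$1
    mkdir -p "$ca_dir"
    certtool --generate-privkey --sec-param=High \
        --outfile "$ca_dir/ca-private-key.pem" >/dev/null 2>&1
    cat > "$ca_dir/ca.tmpl" <<'EOF'
cn = "Example Syslog CA"
organization = "SomeOrg"
expiration_days = 3650
ca
cert_signing_key
crl_signing_key
EOF
    certtool --generate-self-signed --load-privkey "$ca_dir/ca-private-key.pem" \
        --template "$ca_dir/ca.tmpl" --outfile "$ca_dir/ca-certificate.pem" >/dev/null 2>&1
}

# Client side: private key plus request. The key never leaves this directory.
make_client_request() {
    cl_dir=$1; host=$2; ip=$3
    mkdir -p "$cl_dir"
    certtool --generate-privkey --sec-param=High \
        --outfile "$cl_dir/key.pem" >/dev/null 2>&1
    cat > "$cl_dir/client.tmpl" <<EOF
cn = "$host"
organization = "SomeOrg"
dns_name = "$host"
ip_address = "$ip"
tls_www_client
tls_www_server
signing_key
encryption_key
EOF
    certtool --generate-request --load-privkey "$cl_dir/key.pem" \
        --template "$cl_dir/client.tmpl" --outfile "$cl_dir/request.pem" >/dev/null 2>&1
}

# CA side again: sign request.pem. Only cert.pem and ca-certificate.pem go
# back to the client; ca-private-key.pem stays here. The subject comes from
# the request, the SAN/validity/purposes from this template.
sign_client_request() {
    ca_dir=$1; cl_dir=$2; host=$3; ip=$4
    cat > "$cl_dir/sign.tmpl" <<EOF
expiration_days = 825
dns_name = "$host"
ip_address = "$ip"
tls_www_client
tls_www_server
signing_key
encryption_key
EOF
    certtool --generate-certificate --load-request "$cl_dir/request.pem" \
        --load-ca-certificate "$ca_dir/ca-certificate.pem" \
        --load-ca-privkey "$ca_dir/ca-private-key.pem" \
        --template "$cl_dir/sign.tmpl" --outfile "$cl_dir/cert.pem" >/dev/null 2>&1
    cp "$ca_dir/ca-certificate.pem" "$cl_dir/ca-certificate.pem"
}

# Checks to run before touching rsyslog: the certificate chains to the CA,
# carries the expected hostname, and has the IP as an IPAddress SAN (not as
# a DNSname, the slip visible in the transcript above).
verify_client_cert() {        # $1 = client dir, $2 = hostname expected in the cert
    certtool --verify --load-ca-certificate "$1/ca-certificate.pem" \
        --verify-hostname "$2" --infile "$1/cert.pem" >/dev/null 2>&1
}
cert_has_ip_san() {           # $1 = certificate file, $2 = IP address
    certtool --certificate-info --infile "$1" | grep -q "IPAddress: $2"
}

# End-to-end run in a scratch directory; returns 0 only if every step passes.
demo_pki() {
    make_test_ca "$1/ca" &&
    make_client_request "$1/client" demo3.kongjoo.net 192.1.1.1 &&
    sign_client_request "$1/ca" "$1/client" demo3.kongjoo.net 192.1.1.1 &&
    verify_client_cert "$1/client" demo3.kongjoo.net &&
    cert_has_ip_san "$1/client/cert.pem" 192.1.1.1
}

# Usage: sh syslog-client-pki.sh /tmp/pki
# then copy /tmp/pki/client/key.pem, cert.pem and ca-certificate.pem to /etc/securesyslog/
if [ $# -eq 1 ]; then
    demo_pki "$1" && echo "client certificate OK: $1/client/cert.pem"
fi
```

The verify step is the one to keep in your own procedure: certtool --verify with --verify-hostname confirms, before rsyslog ever starts, that the certificate chains to the collector's CA and names the host that will present it.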
Set Proper File Permissions on Certificate Files
The following step covers configuring file permissions for the certificate files.
This guide keeps cert.pem, key.pem and ca-certificate.pem in /etc/securesyslog/ on the Linux client machine (the rsyslog configuration in the next section uses these paths); create that directory and move the three files into it. Do not keep request.pem or any copy of ca-private-key.pem there.
Make the files owned by the account rsyslog runs as (syslog on Debian and Ubuntu; on distributions where rsyslog runs as root the chown is unnecessary) and readable only by that account:
chown syslog /etc/securesyslog/*
chmod 600 /etc/securesyslog/*
Create an rsyslog Configuration File
The following steps outline the process to create the rsyslog configuration file.
Create the .conf file in /etc/rsyslog.d/, which rsyslog's default configuration includes.
To forward all syslog messages to the Windows server over TLS, enter this sample configuration in /etc/rsyslog.d/60-logrhythm.conf, replacing the sample IP address with the IP of your collection server (1514 is the port the collector listens on in this example):
#Optional Debug configuration
#$DebugFile /var/log/rsyslogdebug
#$DebugLevel 2
# TLS driver and the files placed in /etc/securesyslog/ in the previous step
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCAFile="/etc/securesyslog/ca-certificate.pem"
DefaultNetstreamDriverCertFile="/etc/securesyslog/cert.pem"
DefaultNetstreamDriverKeyFile="/etc/securesyslog/key.pem"
)
# set up the action for all messages: TCP to the collector, TLS only (StreamDriverMode 1).
# StreamDriverAuthMode="anon" encrypts the session but does not validate the
# collector's certificate against the CA; x509/name with StreamDriverPermittedPeers does.
action(type="omfwd" protocol="tcp" target="192.1.1.1" port="1514" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")
Run the following command to restart rsyslog and load the new configuration file:
systemctl restart rsyslog
All syslog traffic from this machine is now forwarded over TLS to the Windows collection server and collected by the Axon Agent. Be aware that with StreamDriverAuthMode="anon" the connection is encrypted but the client does not verify that it is talking to the collector; to authenticate the collector, set StreamDriverAuthMode="x509/name" and put the name from the collector certificate's subjectAltName or CN in StreamDriverPermittedPeers, which also requires that certificate to chain to ca-certificate.pem.
If no logs arrive, first confirm the configuration parses (rsyslogd -N1), then check rsyslog's own messages (journalctl -u rsyslog, or the debug file enabled at the top of the configuration) for certificate-loading or TLS handshake errors, and capture on the server with a network monitoring tool such as Wireshark: you should see a TCP connection to port 1514 followed by a TLS handshake, but no readable syslog text, since the payload is encrypted.
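As an added example, not part of the original page, here is the forwarding configuration with the collector authenticated rather than trusted anonymously. A shell function renders the file so the collector address, port and certificate name are parameters; the page's "anon" rule is kept beside the hardened one as a comment for comparison, and rsyslogd's own config check is run when it is installed. The name axon-collector.example.net is an assumption and must be replaced with the DNS name or CN that actually appears in the collector's certificate; the queue and retry settings are this example's choices, not from the page.

```shell
#!/bin/sh
# Added example, not the page's own configuration: render the forwarding rule
# with the collector authenticated, keep the page's "anon" rule beside it as a
# comment, and syntax-check the result with rsyslogd when it is installed.
# Assumed: collector 192.1.1.1:1514 as on this page, and a collector
# certificate carrying the name axon-collector.example.net (replace with
# the DNS name or CN that is really in that certificate).
set -eu

write_forward_conf() {
    out=$1; target=$2; port=$3; peer=$4
    cat > "$out" <<EOF
# Client key/certificate and the CA the collector's certificate must chain to.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/securesyslog/ca-certificate.pem"
    DefaultNetstreamDriverCertFile="/etc/securesyslog/cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/securesyslog/key.pem"
)

# Original rule, kept only for comparison. "anon" encrypts the session but
# accepts any certificate, so whatever answers on $target:$port gets the logs.
# action(type="omfwd" protocol="tcp" target="$target" port="$port"
#        StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")

# Hardened rule: the collector must present a certificate issued by the CA
# above whose subjectAltName/CN matches StreamDriverPermittedPeers, and
# messages are queued on disk while the collector is unreachable instead of
# being dropped.
action(type="omfwd" protocol="tcp" target="$target" port="$port"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="$peer"
       action.resumeRetryCount="-1"
       queue.type="LinkedList"
       queue.filename="fwd_axon_tls"
       queue.saveOnShutdown="on"
       queue.maxDiskSpace="1g")
EOF
}

# Prints the StreamDriverAuthMode of the live (uncommented) action in a file,
# so a review script can refuse configurations that still use "anon".
active_auth_mode() {
    grep -v '^[[:space:]]*#' "$1" | grep -o 'StreamDriverAuthMode="[^"]*"' | head -n 1
}

# rsyslogd -N1 parses the configuration without starting the daemon.
check_forward_conf() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not found; syntax check skipped" >&2
    fi
}

# Usage: sh render-forward-conf.sh /etc/rsyslog.d/60-logrhythm.conf 192.1.1.1 1514 axon-collector.example.net
if [ $# -eq 4 ]; then
    write_forward_conf "$1" "$2" "$3" "$4"
    check_forward_conf "$1"
    echo "wrote $1 with $(active_auth_mode "$1")"
fi
```

x509/name only helps if the collector's certificate really is issued by the CA in ca-certificate.pem and carries the permitted name; check it with the same certtool --verify --verify-hostname step used for the client certificate before switching the mode, otherwise rsyslog will refuse the connection and the queue will fill.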