Complete the following to configure a secure syslog agent.

Enable Secure Syslog

When using secure syslog, log messages are encrypted and sent over the network using SSL/TLS. When syslog is enabled, the default setting is for the sending syslog clients to connect to the Agent (syslog server) without using an SSL client certificate.  The default setting for the Agent is to use a self-signed and self-generated SSL server certificate. For more information, see Public Key Infrastructure (PKI) Support.

To enable the LogRhythm Agent to listen for incoming syslog messages for both standard syslog and secure syslog:

  1. In the Client Console, on the main toolbar, click the Deployment Manager
  2. Right-click the System Monitor you want to configure, and then click Properties
  3. Click the Syslog and Flow Settings tab, then select Enable Syslog Server.
    When the Enable Syslog Server box is checked, the Agent listens for incoming syslog messages using the ports configured in the Agent’s Advanced settings.  The default settings use the standard IANA port numbers:
    • Standard syslog. UDP/TCP port 514
    • Secure syslog. TCP port 6514

The minimum configuration is to enable the syslog server in the Agent’s configuration and syslog clients should immediately be able to establish secure connections to the Agent.

Use a Self-Generated Certificate

If the Agent uses a self-generated server certificate (default), the syslog clients do not need to import the server certificate's signing certificates into their certificate store.  In this case, the Agent generates a new server certificate every time it is restarted, so any saved certificates in the syslog client system become irrelevant. Using a self-generated certificate encrypts data while it is traveling through the network, but does not ensure sender/receiver authentication. 

To ensure both encryption and authentication, users can specify their own Agent (server) certificate as well as check the integrity of the syslog client by requiring it to present a client certificate.

Create a Custom Server Certificate

The instructions below describe how to configure the Agent to use a custom SSL server certificate and how to generate the server certificate using OpenSSL (downloadable from www.openssl.org).

To create a custom server certificate and private and public keys using OpenSSL:

  1. Install the OpenSSL package, or extract the OpenSSL files to the directory C:\Program Files (x86)\Common Files\SSL if using Windows operating system.

    The OpenSSL executable expects the “openssl.cnf” file to be located in the C:\Program Files (x86)\Common Files\SSL directory. Ensure that you copy it there from the C:\OpenSSL\bin folder.

    The openssl.cnf file is the main configuration file for the certificate. This certificate allows the syslog clients to establish a secure connection to the LR Agent using either the Agent's host name, fully qualified host name, or IP address. See the following example:

    [ req ]
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext

    [ req_distinguished_name ]
    countryName = US # 2 letter code for country name
    stateOrProvinceName = Califoria # State or Province Name (full name)
    localityName = Los Angeles # city or locality name
    organizationName = Acme Mfg # company name
    commonName = LRAgent12 # e.g. server name or IP address

    [ req_ext ]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = LRAgent12.AcmeMfg.com
    IP.1 = 10.2.0.5

  2. Generate the Agent SSL Key using the following command:
    openssl.exe req -x509 -days 1825 -newkey rsa:2048 -keyout C:\LogRhythm\agent_key.pem -out C:\LogRhythm\agent_cert_private.pem
    The Common Name must be the IP address of the Agent server.

  3. Generate the Agent Private Key using the following command:
    openssl.exe pkcs12 -export -in C:\LogRhythm\agent_cert_private.pem -inkey C:\LogRhythm\agent_key.pem -out C:\LogRhythm\agent_cert.pfx
  4. Export the Public Key from the certificate using the following command:
    openssl.exe pkcs12 -in C:\LogRhythm\agent_cert.pfx -clcerts -nokeys -out C:\LogRhythm\agent_cert_public.pem
  5. The following files should now have been created.
    • agent_cert.pfx
    • agent_cert_private.pem
    • agent_cert_public.pem
    • agent_key.pem

Install the Agent Server Certificate in the Windows Certificate Store

Run MMC (Microsoft Management Console) and Import the Agent Server Certificate and Signing Certificate

Import the signing certificate:

  1. Open the Microsoft Management Console on the server where the agent is running.
  2. On the File menu, click Add/Remove Snap-in.
  3. Under Available snap-ins, select Certificates, and then click Add.
  4. When prompted about which certificates this snap-in will manage, select Computer Account, and then click Next.
  5. In the Select Computer dialog box, select Local computer: (the computer this console is running on), and then click Finish.
  6. Expand Trusted Root Certificate Authorities, right-click on Certificates, click All Tasks, and then click Import.
  7. On the Welcome screen, click Next.
  8. Browse to the .pfx file created above, and then click Next.
  9. Type the password specified when you created the certificate, select the Mark this key as exportable and Include all extended properties check boxes, and then click Next.
  10. Ensure that the certificate will be placed in the Trusted Root Certificate Authorities store, and then click Next.
  11. Click Finish to import the certificate.
    The new certificate should now be listed in the Microsoft Management Console.

Import the server certificate:

  1. Open the Microsoft Management Console on the server where the agent is running.
  2. On the File menu, click Add/Remove Snap-in.
  3. Under Available snap-ins, select Certificates, and then click Add.
  4. When prompted about which certificates this snap-in will manage, select Computer Account, and then click Next.
  5. In the Select Computer dialog box, select Local computer: (the computer this console is running on), and then click Finish.
  6. Expand Personal, right-click on Certificates, click All Tasks, and then click Import.
  7. On the Welcome screen, click Next.
  8. Browse to the .pfx file created above, and then click Next.
  9. Type the password specified when you created the certificate, select the Mark this key as exportable and Include all extended properties check boxes, and then click Next.
  10. Ensure that the certificate will be placed in the Personal store, and then click Next.
  11. Click Finish to import the certificate.
    The new certificate should now be listed in the Microsoft Management Console.

Install the Agent Signing Certificate on the Syslog Client

Export the Signing Certificate Public Key to be Imported on the Syslog Client Systems

  1. In the Microsoft Management Console, right-click on the new certificate in Trusted Root Certificate Authorities, click All Tasks, and then click Export.
  2. Click Next in the opening page of the Certificate Export Wizard.
  3. When prompted to export the private key, select No, do not export the private key, and then click Next.
  4. For the export file format, select Base-64 encoded X.509 (.CER), and then click Next.
  5. Type a name for the public key, and then click Next.
  6. In the last page of the Certificate Export Wizard, click Finish to export the public key.
    The .cer file will be saved to the specified folder.
  7. Copy the exported .cer file to all syslog client systems.

Import the Signing Certificate's Public Key on the Syslog Client Systems

  1. Copy the .cer file from the Agent server to the syslog client system.
  2. Use the syslog client's configuration interface to import the Agent's signing certificate.

Update the System Monitor Agent Configuration

To configure the Secure Syslog Group fields:

  1. On the main toolbar, click Deployment Manager.
  2. Click the System Monitors tab.
  3. Right-click the System Monitor you want to configure, and then click Properties.
  4. In the lower-left corner of the System Monitor Agent Properties window, click Advanced
  5. Scroll to the Secure Syslog Server Group.
SettingAccepted ValuesDefault ValueDescription
EnforceSecureSyslogClientCertRevocationEnabled/DisabledDisabledEnforce Agent Certificate Revocation Check. If this fails, the Agent disconnects from the syslog client.
EnforceSecureSyslogClientCertTrustEnabled/DisabledDisabledEnforce secure syslog certificate Trusted Authority Check. If this fails, the Agent disconnects from the syslog client.
RequireSecureSylogClientCertEnabled/DisabledDisabledRequire secure syslog clients to present a client certificate when connecting.
SecureSyslogClientCertOCSPURL  The OCSP URL for Agent certificate revocation checking.
SecureSyslogPort1-655356514Secure syslog TCP port to listen on. Default is 6514.
SecureSyslogServerCertLocationLocalMachine The Windows certificate location where the Agent secure syslog server certificate is installed. Can be LocalMachine or CurrentUser.
SecureSyslogServerCertStoreMY The Windows certificate store where the Agent secure syslog server certificate is installed--can be MY or ROOT.
SecureSyslogServerCertSubjectCN=<FQDN> The Subject of the server certificate that the Agent should use for secure syslog (e.g., CN=190.1.2.123 or CN=lr-0870eds-msa or CN=lr-0870eds-msa.secious.com). This must be the IP address specified in step 2 under the Create Certificates section above and must match what the syslog client uses in the configuration.
UseSecureSyslogServerCertEnabled/DisabledDisabledIf checked, the Agent uses the specified server certificate for server-side authentication during the establishment of secure syslog connections; otherwise, the Agent will use a self-generated/signed certificate (default).