There are many ways to generate certificates for Secure Syslog communication. The following procedure leverages a stand-alone CentOS server to generate the certificates for both pieces of the communication—NetMon and LogRhythm Enterprise. You may also acquire these certificates through other means, including third-party certificate vendors.

The following instructions provide guidance on one path for setting up the certificates and include the following steps:

  1. Set up a clean CentOS 7 minimal virtual machine (VM) to act as the Certificate Authority (CA).
  2. Generate certificates needed on the NetMon (client) side.
  3. Generate matching certificates on the SIEM (server) side.
  4. Install the certificates on NetMon.
  5. Install the certificates on the LogRhythm Enterprise instance's System Monitor Agent.

Set up a Certificate Authority

If you do not have an existing CentOS 7 VM, you must create a new one. To do so:

  1. Install Oracle VirtualBox (https://www.virtualbox.org).
  2. Configure a CentOS 7 VM using the minimal ISO, available at https://www.centos.org/download.

    Resource needs for this VM are low, so size the VM accordingly.
  3. Log in to the VM, and then run the following commands to create a working directory:

    $ mkdir certs

    $ cd certs/

    You do not need to use root or sudo for these commands.
  4. Enter the following command to install certtools:

    $ sudo yum install gnutls-utils

  5. Enter the following command to generate the private key:

    $ certtool --generate-privkey --outfile ca-key.pem

    The Generating a 2048-bit RSA Private Key dialog box appears.

  6. Enter the following command:

    $ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem

    The Generating a Self-Signed Certificate dialog box appears.

  7. Enter the following information to add the details of your certificate's distinguished name. To leave a field blank, press Enter.
    • Common name: netmon
    • UID:
    • Organizational unit name: <Your Organizational Unit>
    • Organization name: <Your Organization>
    • Locality name: <Your Locality>
    • State or province name: <Your State or Province>
    • Country name (2 chars): <Your Country>
    • Enter the subject's domain component (DC):

      This field should not be used in new certificates.
    • E-mail:
    • Enter the certificate's serial number in decimal (default: 6385180742532326521):
    • The certificate will expire in (days): 3650
    • Does the certificate belong to an authority? (y/N): y
    • Path length constraint (decimal, -1 for no constraint):
    • Is this a TLS web client certificate? (y/N): N
    • Will the certificate be used for IPsec IKE operations? (y/N): N
    • Is this a TLS web server certificate? (y/N): N
    • Enter a dnsName of the subject of the certificate:
    • Enter a URI of the subject of the certificate:
    • Enter the IP address of the subject of the certificate:
    • Enter the e-mail of the subject of the certificate:
    • Will the certificate be used to sign OCSP requests? (y/N): N
    • Will the certificate be used to sign other certificates? (y/N): y
    • Will the certificate be used to sign CRLs? (y/N): N
    • Will the certificate be used to sign code? (y/N): N
    • Will the certificate be used for time stamping? (y/N): N
    • Enter the URI of the CRL distribution point:
    • X.509 Certificate Information:
    The details you entered for the certificate are displayed for confirmation.
  8. Type y to confirm your certificate's details.
    The certificate is signed and finalized.

Generate a Machine Certificate and Key Files

You must generate a certificate and key for each machine on the network that is going to be used for communicating with LogRhythm Enterprise. The example in this section generates a key and cert for an instance with the name SD-NM-XM. The same approach is used for generating a key and cert for each NetMon. As with LogRhythm Enterprise, you need a new cert and key for each NetMon being used.

While SD-NM-XM is used as an example in this guide, use a distinct common name in your deployment. Your resulting file names reflect that name.

  1. On the same VM with the CA, go to the certs/ directory created in the previous section and run the following command:
    $ certtool --generate-privkey --outfile key.pem

    The Generating a 2048-bit RSA Private Key dialog box appears.

  2. Enter the following command:
    $ certtool --generate-request --load-privkey key.pem --outfile request.pem

    The Generating a PKCS #10 Certificate Request dialog box appears.

  3. Enter the following details for the request file. To leave a field blank, press Enter.

    • Common name: <Your Common Name> (for example, SD-NM-XM)
    • Organizational unit name: <Your Organizational Unit>
    • Organization name: <Your Organization>
    • Locality name: <Your Locality>
    • State or province name: <Your State or Province>
    • Country name (2 chars): <Your Country>
    • Enter the subject's domain component (DC):
    • UID:
    • Enter a dnsName of the subject of the certificate: <Your dnsName> (for example, SD-NM-XM)
    • Enter a dnsName of the subject of the certificate:
    • Enter a URI of the subject of the certificate:
    • Enter the IP address of the subject of the certificate:
    • Enter the e-mail of the subject of the certificate:
    • Enter a challenge password:
    • Does the certificate belong to an authority? (y/N): N
    • Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): N
    • Will the certificate be used for encryption (RSA ciphersuites)? (y/N): N
    • Is this a TLS web client certificate? (y/N): y
    • Is this a TLS web server certificate? (y/N): y
    • Self signature: verified
  4. Enter the following command:
    $ certtool --generate-certificate --load-request request.pem --outfile cert.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem

    The Generating a Self-Signed Certificate dialog box appears.

  5. Enter the following information to add the details of your certificate's distinguished name. To leave a field blank, press Enter.

    • Enter the certificate's serial number in decimal (default: 6385202427932487626):
    • The certificate will expire in (days): 1000
    • Do you want to honour the extensions from the request? (y/N): N
    • Does the certificate belong to an authority? (y/N): N
    • Is this a TLS web client certificate? (y/N): y
    • Will the certificate be used for IPsec IKE operations? (y/N): N
    • Is this a TLS web server certificate? (y/N): y
    • Enter a dnsName of the subject of the certificate: <Your dnsName> (for example, SD-NM-XM)
    • Enter a dnsName of the subject of the certificate:
    • Enter a URI of the subject of the certificate:
    • Enter the IP address of the subject of the certificate:
    • Will the certificate be used for signing (DHE and RSA-EXPORT ciphersuites)? (y/N): N
    • Will the certificate be used for encryption (RSA ciphersuites)? (y/N): N
    • Will the certificate be used to sign OCSP requests? (y/N): N
    • X.509 Certificate Information:
    The details you entered for the certificate are displayed for confirmation.
  6. Type y to confirm your certificate's details.
    The certificate is signed and finalized.

Rename the Key and Cert Files

Enter the following commands. Note that the last command deletes the CA private key, which step 4 of the previous section needs in order to sign every machine certificate; run it only after you have generated the certificate and key for every NetMon and LogRhythm Enterprise instance.

$ mv key.pem SD-NM-XM-key.pem

$ mv cert.pem SD-NM-XM-cert.pem

$ rm request.pem

$ rm ca-key.pem
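The CA, machine-certificate and rename steps above, as an added example that is not part of the original guide: the same certtool commands driven by template files instead of interactive prompts, plus a chain check that confirms the CA really signed the machine cert before anything is installed. It assumes the CA common name netmon, the machine name SD-NM-XM and a placeholder organization, and runs inside the certs/ directory.

```shell
#!/bin/sh
# Added example, not from the original guide. Runs the certtool steps of the
# guide non-interactively; assumed names: CA cn "netmon", host SD-NM-XM,
# placeholder organization "Example Org". Run from the certs/ directory.
set -e

write_templates() {
  # Answers to the CA prompts (step 7 of the CA section) as a certtool template.
  cat > ca.tmpl <<'EOF'
cn = "netmon"
organization = "Example Org"
expiration_days = 3650
ca
cert_signing_key
EOF
  # Answers for the machine request and signing (steps 3 and 5): client and
  # server usage, and a dnsName matching the common name.
  cat > host.tmpl <<'EOF'
cn = "SD-NM-XM"
organization = "Example Org"
dns_name = "SD-NM-XM"
expiration_days = 1000
tls_www_client
tls_www_server
signing_key
encryption_key
EOF
}

# Generates ca-key.pem/ca.pem and <host>-key.pem/<host>-cert.pem directly under
# their final names. ca-key.pem is kept so that further hosts can be signed;
# delete it yourself once every machine certificate has been issued.
generate_all() {
  host="$1"
  certtool --generate-privkey --outfile ca-key.pem
  certtool --generate-self-signed --load-privkey ca-key.pem \
           --template ca.tmpl --outfile ca.pem
  certtool --generate-privkey --outfile "$host-key.pem"
  certtool --generate-request --load-privkey "$host-key.pem" \
           --template host.tmpl --outfile request.pem
  certtool --generate-certificate --load-request request.pem \
           --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem \
           --template host.tmpl --outfile "$host-cert.pem"
  rm request.pem
}

# Returns non-zero if <host>-cert.pem does not chain to ca.pem; run this before
# copying files to NetMon or the Agent so a mismatched CA is caught early.
verify_chain() {
  certtool --verify --load-ca-certificate ca.pem --infile "$1-cert.pem" >/dev/null
}
```

Usage: `write_templates; generate_all SD-NM-XM; verify_chain SD-NM-XM`; repeat generate_all with a different template cn and dns_name for each NetMon.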

Create the .pfx file for LogRhythm Enterprise

This step combines the cert and key into one file. This process is only necessary for LogRhythm Enterprise. DO NOT do this for NetMon. For more information about this process and .pfx files, see https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl.

On the same VM where you created your certs, go to the certs/ directory and run the following command:

$ openssl pkcs12 -export -out SD-NM-XM.pfx -inkey SD-NM-XM-key.pem -in SD-NM-XM-cert.pem

Install Certificates and Configure the LogRhythm Agent

NetMon

  1. On the top navigation bar, click Configuration, and then click the Syslog tab.
  2. In the Syslog Type list, select SecureTCP.
  3. In the Syslog IP field, type the IP address of the SIEM Agent.
  4. In the Syslog Port field, enter the value for the SecureSyslogPort in the SIEM Agent’s advanced configuration.
  5. In the Peer Common Name field, enter the name of the LogRhythm Enterprise instance from the key and cert. In the example in the Generate a Machine Certificate and Key Files section, this is SD-NM-XM.
  6. In the CA Certificate field, click Choose File, and then select the ca.pem file.
  7. In the Machine Certificate field, click Choose File, and then select the SD-NM-XM-cert.pem file.
  8. In the Machine Key field, click Choose File, and then select the SD-NM-XM-key.pem file.

SIEM and Agent

Copy both the .pfx cert and ca.pem files to the Agent machine.

Install the CA Certificate

  1. Right-click the ca.pem cert, and then click Install Certificate.

    You may need to rename ca.pem to ca.cer in order for Windows to offer the Install Certificate option in the context menu.
  2. In the Store Location section, click Local Machine, and then click Next.
  3. Select the Place all certificates in the following store check box.
  4. Click Browse, click Trusted Root Certification Authorities, and then click OK.
  5. Click Next, and then click Finish.

Install the .pfx Certificate

  1. Right-click the .pfx cert, and then click Install pfx.
  2. In the Store Location section, click Local Machine, and then click Next.
  3. Verify that the path to the .pfx file is correct, and then click Next.
  4. If you generated the key without a password, leave the Password field blank, and then click Next.

    If you generated a password with your key, enter the password in the Password field.
  5. Select the Place all certificates in the following store check box.
  6. Click Browse, click Trusted Root Certification Authorities, and then click OK.
  7. Click Next, and then click Finish.

Verify the Certificate Location

  1. To open the Run dialogue, press Ctrl+R.
  2. Run cmd, and then run mmc.exe.
  3. Click File, and then click Add/Remove Snap-in.
  4. On the left side, click Certificates, and then click Add.
  5. Click Computer account.
  6. Click Next, click Finish, and then click OK.
  7. In the Console Root folder on the left side of the Console, click Certificates (Local Computer) to expand the section, click Trusted Root Certification Authorities, and then click Certificates.
  8. Verify that both the CA certificate and the .pfx file are listed in this folder.

Configure the Agent's Secure Syslog

  1. In the LogRhythm Console, click Deployment Manager, and then click System Monitors.
  2. Double-click your Agent in the System Monitors list.
    The System Monitor Agent Properties dialog box appears.
  3. Click Advanced.
  4. In the Name field, filter for syslog.
  5. Check the boxes next to the following options:
    • EnforceSecureSyslogClientCertTrust
    • RequireSecureSyslogClientCert
    • UseSecureSyslogServerCert
  6. Specify the SecureSyslogPort you want to send logs to. The default is 6514.
  7. If you installed the certificates to Local Machine and specified the Trusted Root Certification Authorities certificate store—as specified in the instructions earlier in this section—set the following options:
    • SecureSyslogServerCertLocation: LocalMachine
    • SecureSyslogServerCertStore: ROOT
  8. Verify that the .pfx certificate subject (found in the Issued to field on the General tab in mmc.exe) is the hostname of the agent machine.
  9. In the Agent Advanced Properties dialog box, set SecureSyslogServerCertSubject to CN=<hostname>.
  10. Click Apply, and then click OK.

Create a Firewall Exception

  1. In Windows, click Start.
  2. Click the magnifying glass icon in the upper-right corner of the screen, search for Firewall, and then click Windows Firewall.
  3. Click Advanced Settings, click Inbound Rules, and then click New Rule.
  4. Select the Port button, and then click Next.
  5. If prompted, select the All programs button, or specify the agent program (usually C:\Program Files\LogRhythm\LogRhythm System Monitor\scsm.exe), and then click Next.
  6. Depending on the protocol by which you are sending your Secure Syslog, select either TCP or UDP.
  7. In the Specific local ports field, enter the Secure Syslog port—the default is 6514—and then click Next.
  8. Verify that Allow the connection is selected, and then click Next.
  9. In the When does this rule apply? section, select all three boxes—Domain, Private, and Public—and then click Next.
  10. Enter a name for the rule and a description for others to understand why it was created.
  11. Click Finish.

Restart the Agent Service

In Windows, click Start, click Services, right-click LogRhythm System Monitor Service, and then click Restart.