Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Configure a syslog client to send TLS-secured data

Work with a rsyslog system file on a Web Gateway appliance to configure a syslog client that sends TLS-secured data.

Task

  1. On the user interface, select Configuration | File Editor.
  2. On the appliances tree, select the appliance that you want to configure a syslog client on, then select rsyslog.conf.
    The content of the system file appears in the configuration frame.
  3. Add the following lines to the file content.
$template TEST-MESSAGE, "%HOSTNAME" ClientText: %syslogtag%%msg%"
$WorkDirectory /var/spool/rsyslog #Specifies where to store spool files.

$ActionQueueFileName fwdRule1 #Provides a unique name prefix for spool files.
$ActionQueueMaxDiskSpace 1g #Sets a space limit of 1 GB.
$ActionQueueSaveOnShutdown on #Saves messages to disk upon shutdown.
$ActionQueueType LinkedList #Lets the process run asynchronously.
$ActionResumeRetryCount -1 #Triggers an unlimited number of retries if the server is down

$DefaultNetstreamDriver gtls #Requires use of the netstream driver.
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/cert/ca.pem #Specifies the root CA.
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert/client.cert.pem #Specifies the certificate for the client.
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/cert/client.key.pem #Specifies the certificate key for the client.

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer <server host name or IP address> #Specifies the server through its host name or IP address.
$InputTCPServerStreamDriverMode 1 #Requires the server to run in TLS mode only.
$InputTCPServerRun 10514 #Specifies the listener port that the syslog communication starts at.
  1. Log on to the appliance from a local system console or remotely using SSH.
  2. Run the following command to restart the rsyslog function on the appliance.
    /etc/init.d/rsyslog restart
    After restarting rsyslog, a TLS-secured connection is set up, using the settings in the configuration file and the certificates.
  3. Verify that the TLS-secured connection has been set up successfully.
    cat /var/log/messages
    After running the verification command, you should see messages like the following displayed.
Nov 15 11:23:37 HyperVMlos2AD kernel: Kernel logging (proc) stopped.
Nov 15 11:23:37 HyperVMlos2AD rsyslogd: [origin software="rsyslogd" swVersion="5.8.10"
x-pid="53727" x-info="http://www.rsyslog.com"] exiting on
signal 15.
Nov 15 11:23:37 HyperVMlos2AD kernel: imklog 5.8.10, log source = /prog/kmsd started.
Nov 15 11:23:37 HyperVMlos2AD rsyslogd: [origin software="rsyslogd" swVersion="5.8.10"
x-pid="57261" x-info="http://www.rsyslog.com"] start
[root@HyperVMlos2AD rsyslog.d]

You can now send TLS-secured syslog messages. Run the following command to send a test message:
logger "TLS-secured test message"

  • Was this article helpful?