Configure a secure connection to a syslog server using an external certificate

You can use an external certificate to send TLS-encrypted logs to the syslog server from XG Firewall. You need to use the default Certificate Authority (CA) of XG Firewall.

Introduction

Prerequisite: To establish a TLS connection with the syslog server, you must turn on TLS encryption on the syslog server.

In this example, we use the following:

  • Syslog server: syslog-ng
  • Client: XG Firewall
  • External certificate (ExternalCertificate.pem), external key (ExternalPrivateKey.key), and external CA (ExternalCA.pem). You generate these using a third-party CA.
  • Default CA certificate (Default.pem) available on XG Firewall.
The configuration steps are as follows:
  • Specify the attributes and details of the default CA on XG Firewall.
  • Copy the default and external CA certificates, the external certificate, and the external key to the syslog server.
  • On XG Firewall, add the syslog server.
  • Select the modules for which logs are to be sent to the syslog server.

Configure the attributes for the default CA on XG Firewall

To get the CA certificate, specify the attributes for the default CA, and download the file.

  1. Go to Certificates > Certificate authorities and click the default CA (Default).
  2. Specify the following identification attributes and details, and click Save:

    Name                     Description
    Country name             United States
    State                    Texas
    Locality name            Austin
    Organization name        Your company
    Organization unit name   IT
    Common name              Hostname or IP address of XG Firewall, since XG Firewall is the client that sends the logs to the syslog server.
    Email address            Contact person's email address.
    CA passphrase            Passphrase for encryption.

    Here's an example: (screenshot: Updated default CA)
  3. Click the Download button for the default CA you updated.

    It's a tar.gz file.

  4. Extract the files to get the CA certificate Default.pem.

Copy the certificate and CA to the syslog server

Copy the default CA certificate of XG Firewall and the external certificate and key to the syslog server.

  1. Go to the syslog server and copy Default.pem and ExternalCA.pem to the /etc/syslog-ng/ca.d/ directory.
  2. Copy the syslog server's certificate (ExternalCertificate.pem) and key (ExternalPrivateKey.key) to the /etc/syslog-ng/cert.d/ directory.
  3. Go to the /etc/syslog-ng/ca.d/ directory, and enter the following command to create a hash based on Default.pem:

    # openssl x509 -noout -hash -in Default.pem

    The result is an alphanumeric hash (example: 52412b66) derived from the subject distinguished name in the CA certificate. syslog-ng looks up CA certificates in ca-dir by this hash, so the link in the next step is what makes Default.pem trusted.

  4. Enter the following command using the hash with the suffix .0 to create a symbolic link to Default.pem:

    # ln -s Default.pem 52412b66.0

  5. Edit the syslog-ng.conf file to point to the certificate (ExternalCertificate.pem), the key (ExternalPrivateKey.key), the third-party CA certificate (ExternalCA.pem), and the CA certificate of XG Firewall (Default.pem). Do as follows:
    1. Specify ExternalCertificate.pem and ExternalPrivateKey.key with the paths of their respective directories.
    2. Specify ca.d with the path of the CA directory.

    See the following example:

    @version: 3.15
    @include "scl.conf"

    source s_src {
        network(ip(0.0.0.0) port(6514)
            transport("tls")
            tls( key-file("/etc/syslog-ng/cert.d/ExternalPrivateKey.key")
                 cert-file("/etc/syslog-ng/cert.d/ExternalCertificate.pem")
                 ca-dir("/etc/syslog-ng/ca.d")
                 peer_verify(required-trusted))
        );
    };

    destination d_local {
        file("/var/log/messages");
        file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
    };

    log {
        source(s_src);
        destination(d_local);
    };
  6. Start the syslog-ng server.
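As an added example that is not part of this page, of Sophos, or of syslog-ng, the following POSIX shell script automates steps 3 and 4 for every CA certificate in ca.d (including the case where two CAs share a subject hash, which the steps above do not cover), checks that ExternalCertificate.pem and ExternalPrivateKey.key are a matching pair, and tests whether a client certificate would be accepted under peer_verify(required-trusted). It assumes the openssl CLI is installed; the script name and directory arguments are placeholders.

```shell
#!/bin/sh
# Added example, not from the Sophos page: sanity checks for the syslog-ng
# TLS setup above. Assumes the openssl CLI is installed; paths are arguments.

# Create the <subject-hash>.N links that ca-dir() needs for every *.pem in a
# directory (steps 3 and 4 above, generalised). A CA without a correctly
# named link is simply not trusted, so peer_verify(required-trusted) would
# reject XG Firewall. Two CAs with the same hash get .0 and .1.
rehash_ca_dir() {
    dir="$1"
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -hash -in "$pem") || return 1
        name=$(basename "$pem")
        n=0
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            # Link already points at this certificate: nothing to do.
            [ "$(readlink "$dir/$hash.$n")" = "$name" ] && continue 2
            n=$((n + 1))    # hash collision: take the next free suffix
        done
        ln -s "$name" "$dir/$hash.$n"
    done
}

# Check that cert-file() and key-file() belong together by comparing the
# public key embedded in the certificate with the one derived from the key.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Approximate what peer_verify(required-trusted) does: the client certificate
# must chain to a CA that is found through the hash links in ca-dir.
client_cert_trusted() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage (placeholder name): sh check_syslog_tls.sh <ca-dir> <cert-file> <key-file>
if [ "$#" -eq 3 ]; then
    rehash_ca_dir "$1" && cert_matches_key "$2" "$3" &&
        echo "ca-dir hashed and certificate/key pair OK"
fi
```

Run it once after copying the files in steps 1 and 2; a non-zero exit means syslog-ng would either fail to start or reject the firewall's certificate.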

Add a syslog server

Add a syslog server to XG Firewall, and specify the log settings for the server.

  1. Go to System services > Log settings and click Add.
  2. Specify the settings.
    Option                    Description
    IP address/domain         IP address or domain name of the syslog server.
    Secure log transmission   Encrypts logs sent to the syslog server using TLS.
    Port                      6514
  3. Click Save.

    Here's an example: (screenshot: Add a syslog server)
  4. Go to System services > Log settings and scroll down to Log settings. Under Syslog server, select the logs you want to send.

    Here's an example: (screenshot: Select the logs to send to the syslog server)