Configure a secure connection to a syslog server using a self-signed certificate from XG Firewall

You can configure a self-signed certificate on XG Firewall and use it to send TLS-encrypted logs to the syslog server.

Introduction

Prerequisites:

  • To establish a TLS connection with the syslog server, you must turn on TLS encryption on the syslog server.
  • To be able to generate a self-signed certificate on XG Firewall, you must specify the identification attributes and details for the default CA.

In this example, we use the following:

  • Syslog server: syslog-ng
  • Client: XG Firewall
  • Self-signed certificate generated on XG Firewall.

The configuration steps are as follows:

  • Configure a self-signed certificate on XG Firewall.
  • Copy the root certificate, user certificate, and the key to the syslog server.
  • On XG Firewall, add the syslog server.
  • Select the modules for which logs are to be sent to the syslog server.

Configure a self-signed certificate

Configure a self-signed certificate on XG Firewall and download the file.

  1. Go to Certificates > Certificate authorities and click the default CA (Default). Make sure you've configured its identification attributes and details.
  2. Go to Certificates > Certificates and click Add.
  3. Select Generate self-signed certificate.

    [Screenshot: Select self-signed certificate]
  4. Specify the following details and click Save:

    • Name
    • Description
    • Key encryption: Select the option.
    • Passphrase/PSK: Enter the passphrase and confirm.
    • Certificate ID: Select Email, and enter the email address of the contact person.

    [Screenshot: Certificate details]
  5. For Common name, enter the hostname or IP address of the syslog server.

    [Screenshot: Certificate identification attributes]
  6. Click the download button for the certificate you created.

    It's a .tar.gz file.

  7. Extract the file to get the files RootCertificate.pem, UserCertificate.pem, and UserPrivateKey.key.

Copy the certificates and the key to the syslog server

Copy the root certificate, user certificate, and the private key generated on XG Firewall to the syslog server. The directories shown here are examples. Use the directories specific to your syslog server.

  1. Go to the syslog server and copy RootCertificate.pem to the /etc/syslog-ng/ca.d/ directory.
  2. Copy UserCertificate.pem and UserPrivateKey.key to the /etc/syslog-ng/cert.d/ directory.
  3. Go to the /etc/syslog-ng/ca.d/ directory, and enter the following command to create a hash based on RootCertificate.pem:

    # openssl x509 -noout -hash -in RootCertificate.pem

    The result is an alphanumeric hash (example: 52412b66) based on the distinguished name in the root certificate.

  4. Enter the following command using the hash and the suffix .0 to create a symbolic link to RootCertificate.pem:

    # ln -s RootCertificate.pem 52412b66.0

  5. Edit the syslog-ng.conf file to point to the copied certificate (UserCertificate.pem), key (UserPrivateKey.key), and the root certificate (RootCertificate.pem).
    1. For key-file and cert-file, enter the paths to UserPrivateKey.key and UserCertificate.pem in their respective directories.
    2. For ca-dir, enter the path to the CA directory (ca.d).

    See the following example:

    @version: 3.15
    @include "scl.conf"

    # Listen for TLS-encrypted syslog on port 6514.
    # peer_verify(required-trusted): the client must present a certificate
    # that chains to a CA found in ca-dir.
    source s_src {
        network(ip(0.0.0.0) port(6514)
            transport("tls")
            tls( key-file("/etc/syslog-ng/cert.d/UserPrivateKey.key")
                 cert-file("/etc/syslog-ng/cert.d/UserCertificate.pem")
                 ca-dir("/etc/syslog-ng/ca.d")
                 peer_verify(required-trusted))
        ); };

    # Write received logs to local files.
    destination d_local {
            file("/var/log/messages");
            file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
    };

    log { source(s_src);
            destination(d_local);
    };
  6. Start the syslog-ng server.
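
The following shell function is an added example, not part of the original procedure or of Sophos's own tooling. Run on the syslog server, it checks that the hash link from steps 3 and 4 resolves to RootCertificate.pem and that UserCertificate.pem verifies against the CA directory alone. The function name and the key-permission check are assumptions added here, and -no-CAfile requires OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example (not from the original page): check the files copied from
# XG Firewall. Default paths are the page's example directories.
check_syslog_tls_files() {
    ca_dir=${1:-/etc/syslog-ng/ca.d}
    cert_dir=${2:-/etc/syslog-ng/cert.d}
    root="$ca_dir/RootCertificate.pem"
    cert="$cert_dir/UserCertificate.pem"
    key="$cert_dir/UserPrivateKey.key"
    rc=0

    for f in "$root" "$cert" "$key"; do
        [ -f "$f" ] || { echo "MISSING: $f"; return 2; }
    done

    # ca-dir() finds CAs through <subject-hash>.0 names, so the link must
    # exist and resolve to a certificate with that same subject hash.
    subj_hash=$(openssl x509 -noout -hash -in "$root") || return 2
    link="$ca_dir/$subj_hash.0"
    if [ -e "$link" ] &&
       [ "$(openssl x509 -noout -hash -in "$link" 2>/dev/null)" = "$subj_hash" ]; then
        echo "OK: $link"
    else
        echo "FAIL: $link is missing or is not the root certificate"; rc=1
    fi

    # The user certificate must chain to a root found in the hashed directory
    # only (-no-CAfile keeps the system CA bundle out of the decision).
    if openssl verify -no-CAfile -CApath "$ca_dir" "$cert" >/dev/null 2>&1; then
        echo "OK: $cert verifies against $ca_dir"
    else
        echo "FAIL: $cert does not verify against $ca_dir"; rc=1
    fi

    # Assumption (hygiene check, not a step on the page): the private key
    # should have no group/other permission bits, e.g. mode 600 or 400.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        *00) echo "OK: $key mode $mode" ;;
        *)   echo "FAIL: $key mode $mode, expected 600 or 400"; rc=1 ;;
    esac

    return "$rc"
}
```

Call it as check_syslog_tls_files /etc/syslog-ng/ca.d /etc/syslog-ng/cert.d, substituting your own directories. It returns 0 when every check passes, 1 when a check fails, and 2 when a file is missing.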

Add a syslog server

Add a syslog server to XG Firewall, and specify the log settings for the server.

  1. Go to System services > Log settings and click Add.
  2. Specify the settings.
    Option                     Description
    IP address/domain          IP address or domain name of the syslog server.
    Secure log transmission    Encrypts logs sent to the syslog server using TLS.
    Port                       6514
  3. Click Save.

    [Screenshot: Add a syslog server]
  4. Go to System services > Log settings and scroll down to Log settings. Under Syslog server, select the logs you want to send.

    [Screenshot: Select the logs to send to the syslog server]