Configure a secure connection to a syslog server using a locally-signed certificate from Sophos Firewall
You can configure a locally-signed certificate on Sophos Firewall and use it to send TLS-encrypted logs to the syslog server.
Introduction
Prerequisites:
- To establish a TLS connection with the syslog server, you must turn on TLS encryption on the syslog server.
- To generate a locally-signed certificate on Sophos Firewall, you must specify the identification attributes and details for the default CA.
In this example, we use the following:
- Syslog server: syslog-ng
- Client: Sophos Firewall
- Locally-signed certificate generated on Sophos Firewall.
The configuration steps are as follows:
- Configure a locally-signed certificate on Sophos Firewall.
- Copy the root certificate, user certificate, and the key to the syslog server.
- On Sophos Firewall, add the syslog server.
- Select the modules for which logs are to be sent to the syslog server.
Configure a locally-signed certificate
Configure a locally-signed certificate on Sophos Firewall and download the file.
- Go to Certificates > Certificate authorities and click the default CA (Default). Make sure its identification attributes and details are correct.
- Go to Certificates > Certificates and click Add.
- Select Generate locally-signed certificate.
- Specify the following details and click Save:
  Key encryption: Select the option.
  Passphrase/PSK: Enter the passphrase and confirm.
  Certificate ID: Select Email, and enter the email address of the contact person.
- For Common name, enter the hostname or IP address of the syslog server. This certificate becomes the syslog server's TLS certificate, so use the same value you'll later enter as the syslog server's IP address/domain on Sophos Firewall.
- Click download for the certificate you created. The download is a .tar.gz file.
- Extract the file to get RootCertificate.pem, UserCertificate.pem, and UserPrivateKey.key.
Copy the certificates and the key to the syslog server
Copy the root certificate, user certificate, and the private key generated on Sophos Firewall to the syslog server. The directories used below are examples; use the directories your syslog server expects.
- On the syslog server, copy RootCertificate.pem to the /etc/syslog-ng/ca.d/ directory.
- Copy UserCertificate.pem and UserPrivateKey.key to the /etc/syslog-ng/cert.d/ directory. Restrict the key file so that only the account syslog-ng runs as can read it.
- Go to the /etc/syslog-ng/ca.d/ directory and enter the following command to create a hash based on RootCertificate.pem:
  # openssl x509 -noout -hash -in RootCertificate.pem
  The result is an alphanumeric hash (example: 52412b66) computed from the subject distinguished name of the root certificate. The value depends on your CA's attributes, so yours will differ from this example.
- Enter the following command using the hash and the suffix .0 to create a symbolic link to RootCertificate.pem:
  # ln -s RootCertificate.pem 52412b66.0
  syslog-ng's ca-dir() option looks up CA certificates by this hashed file name, so without the link the root certificate isn't trusted. OpenSSL 1.1 and later can also create the links for every certificate in the directory with openssl rehash /etc/syslog-ng/ca.d.
- Edit the syslog-ng.conf file to point to the copied certificate (UserCertificate.pem), key (UserPrivateKey.key), and the root certificate (RootCertificate.pem):
  - Set key-file() and cert-file() to the paths of UserPrivateKey.key and UserCertificate.pem in their respective directories.
  - Set ca-dir() to the path of the ca.d directory.
  Example
  @version: 3.15
  @include "scl.conf"

  source s_src {
      network(
          ip(0.0.0.0) port(6514) transport("tls")
          tls(
              key-file("/etc/syslog-ng/cert.d/UserPrivateKey.key")
              cert-file("/etc/syslog-ng/cert.d/UserCertificate.pem")
              ca-dir("/etc/syslog-ng/ca.d")
              peer-verify(required-trusted)
          )
      );
  };

  destination d_local {
      file("/var/log/messages");
      file("/var/log/messages-kv.log"
           template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n")
           frac-digits(3));
  };

  log { source(s_src); destination(d_local); };

  peer-verify(required-trusted) makes syslog-ng require a certificate from the connecting client and accept the connection only if that certificate chains to a CA in ca-dir(), here the Sophos Firewall default CA, so unauthenticated senders cannot deliver logs on this port. ip(0.0.0.0) listens on every interface; if the server has several, restrict it to the address the firewall connects to.
- Start the syslog-ng server.
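The copy, hash and link steps above, scripted as an added example; it is not from the Sophos or syslog-ng documentation. It assumes the openssl command-line tool is installed on the syslog server, uses the example directory paths from this page, and adds two sanity checks the manual steps skip: that UserPrivateKey.key belongs to UserCertificate.pem, and that UserCertificate.pem was issued by the RootCertificate.pem you are about to trust.

```shell
#!/bin/sh
# Added example (not from the Sophos or syslog-ng documentation): stage the
# files extracted from the Sophos Firewall .tar.gz on the syslog-ng host and
# verify them before editing syslog-ng.conf. Requires the openssl CLI; the
# directory paths are the ones used on this page and are only examples.
set -eu

# Check that the private key belongs to the user certificate by comparing the
# public keys derived from each (works for RSA and EC keys). A passphrase-
# protected key makes openssl prompt for the passphrase (or use -passin).
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" | openssl dgst -sha256)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null | openssl dgst -sha256)
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check that the user certificate chains to the root certificate that will be
# placed in ca-dir(); a bundle whose parts don't belong together fails here.
cert_chains_to_root() {
    root="$1"; cert="$2"
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1
}

# Compute the file name syslog-ng's ca-dir() expects: the OpenSSL subject-name
# hash of the CA certificate plus the suffix .0 (-subject_hash is the same
# value the page obtains with `openssl x509 -hash`).
ca_link_name() {
    printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# Copy the root certificate into the CA directory and create the hashed
# symlink; equivalent to running `openssl rehash "$ca_dir"` after the copy.
# Prints the link path so the caller can verify it.
install_root_ca() {
    root="$1"; ca_dir="$2"
    mkdir -p "$ca_dir"
    cp "$root" "$ca_dir/RootCertificate.pem"
    link=$(ca_link_name "$root")
    ln -sf RootCertificate.pem "$ca_dir/$link"
    printf '%s\n' "$ca_dir/$link"
}

# Copy the server certificate and key; the key must be readable only by the
# account syslog-ng runs as.
install_server_pair() {
    cert="$1"; key="$2"; cert_dir="$3"
    mkdir -p "$cert_dir"
    cp "$cert" "$cert_dir/UserCertificate.pem"
    cp "$key" "$cert_dir/UserPrivateKey.key"
    chmod 600 "$cert_dir/UserPrivateKey.key"
    chmod 644 "$cert_dir/UserCertificate.pem"
}

# Verify the bundle, then stage it; refuses to install anything if a check fails.
stage_bundle() {
    root="$1"; cert="$2"; key="$3"; ca_dir="$4"; cert_dir="$5"
    cert_matches_key "$cert" "$key" \
        || { echo "UserPrivateKey.key does not match UserCertificate.pem" >&2; return 1; }
    cert_chains_to_root "$root" "$cert" \
        || { echo "UserCertificate.pem was not issued by RootCertificate.pem" >&2; return 1; }
    install_server_pair "$cert" "$key" "$cert_dir"
    install_root_ca "$root" "$ca_dir"
}

# Usage, from the directory where the .tar.gz was extracted (paths from the page):
#   stage_bundle RootCertificate.pem UserCertificate.pem UserPrivateKey.key \
#                /etc/syslog-ng/ca.d /etc/syslog-ng/cert.d
```

After staging, `syslog-ng -s` checks the configuration syntax before you start the service; a wrong path in key-file(), cert-file() or ca-dir() shows up there rather than as a failed TLS handshake from the firewall.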
Add a syslog server
Add a syslog server to Sophos Firewall, and specify the log settings for the server.
- Go to System services > Log settings and click Add.
- Specify the settings:
  IP address/domain: IP address or domain name of the syslog server, the value used as the certificate's Common name.
  Secure log transmission: Encrypts logs sent to the syslog server using TLS.
  Port: 6514 (the port syslog-ng listens on in the configuration above).
- Click Save.
- Go to System services > Log settings and scroll down to Log settings. Under Syslog server, select the logs you want to send.