
Configure a secure connection to a syslog server using a locally-signed certificate from Sophos Firewall

You can configure a locally-signed certificate on Sophos Firewall and use it to send TLS-encrypted logs to the syslog server.

Introduction

Prerequisites:

  • To establish a TLS connection with the syslog server, you must turn on TLS encryption on the syslog server.
  • To generate a locally-signed certificate on Sophos Firewall, you must specify the identification attributes and details for the default CA.

In this example, we use the following:

  • Syslog server: syslog-ng
  • Client: Sophos Firewall
  • Locally-signed certificate generated on Sophos Firewall.

The configuration steps are as follows:

  • Configure a locally-signed certificate on Sophos Firewall.
  • Copy the root certificate, user certificate, and the key to the syslog server.
  • On Sophos Firewall, add the syslog server.
  • Select the modules for which logs are to be sent to the syslog server.

Configure a locally-signed certificate

Configure a locally-signed certificate on Sophos Firewall and download the file.

  1. Go to Certificates > Certificate authorities and click the default CA (Default).

    Make sure its identification attributes and details are correct.

  2. Go to Certificates > Certificates and click Add.

  3. Select Generate locally-signed certificate.

    [Screenshot: Select to generate a locally-signed certificate]

  4. Specify the following details and click Save:

    Name             Description
    Key encryption   Select the option.
    Passphrase/PSK   Enter the passphrase and confirm.
    Certificate ID   Select Email, and enter the email address of the contact person.

    [Screenshot: Certificate details]

  5. For Common name, enter the hostname or IP address of the syslog server.

    [Screenshot: Certificate identification attributes]

  6. Click the download button for the certificate you created.

    It's a .tar.gz file.

  7. Extract the file to get the files RootCertificate.pem, UserCertificate.pem, and UserPrivateKey.key.

Copy the certificates and the key to the syslog server

Copy the root certificate, user certificate, and the private key generated on Sophos Firewall to the syslog server. The directories used here are examples. Use the directories specific to your syslog server.

  1. Go to the syslog server and copy RootCertificate.pem to the /etc/syslog-ng/ca.d/ directory.
  2. Copy UserCertificate.pem and UserPrivateKey.key to the /etc/syslog-ng/cert.d/ directory.
  3. Go to the /etc/syslog-ng/ca.d/ directory, and enter the following command to create a hash based on RootCertificate.pem:

    # openssl x509 -noout -hash -in RootCertificate.pem

    The result is an alphanumeric hash (example: 52412b66) based on the distinguished name in the root certificate.

  4. Enter the following command using the hash and the suffix .0 to create a symbolic link to RootCertificate.pem:

    # ln -s RootCertificate.pem 52412b66.0

  5. Edit the syslog-ng.conf file to point to the copied certificate (UserCertificate.pem), key (UserPrivateKey.key), and the root certificate (RootCertificate.pem).

    1. Set key-file and cert-file to the full paths of UserPrivateKey.key and UserCertificate.pem in their respective directories.
    2. Set ca-dir to the path of the CA directory (ca.d).

    Example

    @version: 3.15
    @include "scl.conf"

    # Listen for TLS-encrypted syslog on TCP port 6514.
    # peer_verify(required-trusted) requires the client to present a
    # certificate that chains to a CA found in ca-dir.
    source s_src {
        network(
            ip(0.0.0.0) port(6514)
            transport("tls")
            tls(
                key-file("/etc/syslog-ng/cert.d/UserPrivateKey.key")
                cert-file("/etc/syslog-ng/cert.d/UserCertificate.pem")
                ca-dir("/etc/syslog-ng/ca.d")
                peer_verify(required-trusted)
            )
        );
    };

    # Write received logs to local files.
    destination d_local {
        file("/var/log/messages");
        file("/var/log/messages-kv.log" template("$ISODATE $HOST $(format-welf --scope all-nv-pairs)\n") frac-digits(3));
    };

    log {
        source(s_src);
        destination(d_local);
    };
    
  6. Start the syslog-ng server.
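
Before starting syslog-ng, you can confirm that the copied files are usable with the same lookups the ca-dir setting relies on. The following shell functions are an added example, not part of the Sophos procedure: the function names are hypothetical, and the file names and directories are the example ones used above.

```sh
#!/bin/sh
# Pre-flight checks for the files copied from Sophos Firewall (added example).
# File names follow this page; the function names are hypothetical.

# Create the <subject-hash>.0 link that ca-dir() lookups rely on; print the hash.
link_ca_hash() {
    subject_hash=$(openssl x509 -noout -hash -in "$1/RootCertificate.pem") || return 1
    ln -sf RootCertificate.pem "$1/$subject_hash.0" || return 1
    printf '%s\n' "$subject_hash"
}

# Succeed only if UserCertificate.pem chains to a CA found through the hash
# links in the CA directory ($1 = CA directory, $2 = certificate directory).
check_chain() {
    openssl verify -CApath "$1" "$2/UserCertificate.pem" >/dev/null 2>&1
}

# Succeed only if UserPrivateKey.key is the key for UserCertificate.pem.
# openssl prompts for the passphrase if the key file is encrypted.
check_key_matches() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1/UserCertificate.pem") || return 1
    key_pub=$(openssl pkey -pubout -in "$1/UserPrivateKey.key") || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Make the private key readable and writable by its owner only.
lock_down_key() {
    chmod 600 "$1/UserPrivateKey.key"
}

# Usage with the example directories from this page:
#   link_ca_hash /etc/syslog-ng/ca.d
#   check_chain /etc/syslog-ng/ca.d /etc/syslog-ng/cert.d && echo "chain OK"
#   check_key_matches /etc/syslog-ng/cert.d && echo "key matches certificate"
#   lock_down_key /etc/syslog-ng/cert.d
```

If check_chain fails after the link exists, the user certificate was not issued by the root certificate in the CA directory, and a TLS peer validating it against that CA would reject it.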

Add a syslog server

Add a syslog server to Sophos Firewall, and specify the log settings for the server.

  1. Go to System services > Log settings and click Add.
  2. Specify the settings.

    Option                    Description
    IP address/domain         IP address or domain name of the syslog server.
    Secure log transmission   Encrypts logs sent to the syslog server using TLS.
    Port                      6514

  3. Click Save.

    [Screenshot: Add a syslog server]

  4. Go to System services > Log settings and scroll down to Log settings. Under Syslog server, select the logs you want to send.

    [Screenshot: Select the logs to send to the syslog server]