Secure log transfer using TLS
You can transfer logs from Appgate SDP appliances to an external (SIEM) system. By default this is done with rsyslog without transport encryption, so the log data travels in cleartext. You can secure the transfer by configuring both systems to communicate over TLS. You will need a remote server with rsyslog 8.16.0 or later and the rsyslog-gnutls plugin installed.
Creating Security Keys
You will also need to generate certificates for the TLS transport. For information on generating a CA and machine certificates, see the rsyslog tutorial: https://docs.rsyslog.com/doc/tutorials/tls_cert_machine.html
On the remote rsyslog server you will need ca.pem, cert.pem and key.pem; on the Appgate SDP appliance you need only ca.pem. Create the directory you want the files in. On the Appgate SDP appliance the certificate file must be stored under the /opt directory. In this example we used /opt/Keys on Appgate SDP and /home/ubuntu/Keys on the rsyslog server.
Configuring the Remote Rsyslog Server
We tested this using an Ubuntu 16.04 server with rsyslog v8.16.0 and rsyslog-gnutls installed. On the rsyslog server run sudo nano /etc/rsyslog.conf and add the following lines to /etc/rsyslog.conf:
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /home/ubuntu/Keys/ca.pem
$DefaultNetstreamDriverCertFile /home/ubuntu/Keys/cert.pem
$DefaultNetstreamDriverKeyFile /home/ubuntu/Keys/key.pem
# load TCP listener
$ModLoad imtcp
# run driver in TLS-only mode
$InputTCPServerStreamDriverMode 1
# client is NOT authenticated
$InputTCPServerStreamDriverAuthMode anon
# start up listener at port 10514
$InputTCPServerRun 10514
Configuring the Appgate SDP Appliance
On the Appgate SDP appliance:
create the /opt/Keys directory by doing:
sudo mkdir /opt/Keys
Then copy the ca.pem certificate into the newly created /opt/Keys directory.
Then do the following steps to configure rsyslog through the admin UI:
Go to System > Appliances > Edit Appliance > Networking > Advanced > Rsyslog Destinations and select <+ Add new>.

In the 'Selector' section paste the following:
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /opt/Keys/ca.pem
# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
:msg, contains, "[AUDIT]"
NOTE: The last line
:msg, contains, "[AUDIT]"
will send only logs marked "AUDIT", which all the audit logs are. Since the audit logs and syslogs are kept in the same file, if you want both the audit logs and the syslogs sent, the last line should instead be *.*, which forwards all the logs.
In the 'Template' section enter the following:
%msg:9:$%\n
In the 'Destinations' section enter the destination of the remote rsyslog server you are sending logs to:
@@(o)ec2-18-218-62-238.us-east-2.compute.amazonaws.com:10514
In this example, we are sending logs to the server ec2-18-218-62-238.us-east-2.compute.amazonaws.com on port 10514.
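To see what the three UI fields above actually do to a message, here is an added example (not Appgate's or rsyslog's code) that re-implements, in plain Python, just enough of rsyslog's behaviour: the selector decides which messages are forwarded, the template cuts the MSG property from character position 9 to the end (rsyslog counts positions from 1 and '$' means end of string), and the destination prefix selects the transport ('@' UDP, '@@' TCP) and framing ('(o)' octet-counted). The sample messages are constructed for this example, and the leading space on each MSG is an assumption that mirrors the usual 'TAG: message' layout.

```python
"""Simulate the rsyslog selector, template and destination entered in the
Appgate SDP admin UI. Added example; not Appgate's or rsyslog's own code."""
import re

# The three values from the page.
AUDIT_SELECTOR = ':msg, contains, "[AUDIT]"'
ALL_SELECTOR = "*.*"
TEMPLATE = r"%msg:9:$%\n"          # literal backslash-n, as written in the UI
DESTINATION = "@@(o)ec2-18-218-62-238.us-east-2.compute.amazonaws.com:10514"

# Constructed sample MSG properties (not real Appgate output).
SAMPLE_MESSAGES = [
    " [AUDIT] user alice authenticated from 10.0.0.5",
    " cz-controller: health check ok",   # not an audit record
    " [AUDIT]",                          # shorter than position 9: edge case
]

_CONTAINS_RE = re.compile(r':msg,\s*contains,\s*"(.*)"')
_FIELD_RE = re.compile(r"%msg:(\d+):(\d+|\$)%")
_DEST_RE = re.compile(r"^(@@?)(\(o\))?(.+):(\d+)$")


def selects(msg, selector):
    """True if the selector would pass this message to the action.
    Only the two forms used on the page are supported: '*.*' (everything)
    and ':msg, contains, "<text>"' (case-sensitive substring match)."""
    selector = selector.strip()
    if selector == ALL_SELECTOR:
        return True
    m = _CONTAINS_RE.fullmatch(selector)
    if not m:
        raise ValueError("unsupported selector: " + selector)
    return m.group(1) in msg


def render(msg, template):
    """Apply a '%msg:FROM:TO%' template. Positions are 1-based, TO is
    inclusive and '$' means 'to the end'. A FROM beyond the end of the
    message yields an empty field rather than an error."""
    m = _FIELD_RE.search(template)
    if not m:
        raise ValueError("template has no %msg:FROM:TO% field")
    start = int(m.group(1))
    end = len(msg) if m.group(2) == "$" else int(m.group(2))
    field = msg[max(start - 1, 0):end]
    # rsyslog's \n escape applies to the literal parts of the template only.
    prefix = template[:m.start()].replace("\\n", "\n")
    suffix = template[m.end():].replace("\\n", "\n")
    return prefix + field + suffix


def parse_destination(dest):
    """Split '@@(o)host:port' into (transport, framing, host, port).
    '@' is UDP, '@@' is TCP; '(o)' selects octet-counted framing.
    The gtls driver only applies to the TCP form."""
    m = _DEST_RE.match(dest.strip())
    if not m:
        raise ValueError("unrecognised destination: " + dest)
    transport = "tcp" if m.group(1) == "@@" else "udp"
    framing = "octet-counted" if m.group(2) else "traditional"
    return transport, framing, m.group(3), int(m.group(4))


def forward(messages, selector, template):
    """Return the rendered lines that would be sent for the given selector."""
    return [render(m, template) for m in messages if selects(m, selector)]


if __name__ == "__main__":
    for line in forward(SAMPLE_MESSAGES, AUDIT_SELECTOR, TEMPLATE):
        print(repr(line))
    print(parse_destination(DESTINATION))
```

Running it shows that with the "[AUDIT]" selector only the first and third sample messages are forwarded, that the third one renders as an empty line because it is shorter than position 9, and that switching to *.* forwards all three.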
Click save at the bottom of the Appliance Edit page to save the configuration.
Make sure port 10514 is open between the Appgate SDP appliance and the remote rsyslog server.
Once the configuration is saved, the logs are forwarded to the remote server and stored there in /var/log/syslog. You can verify that messages are being sent either by checking /var/log/syslog on the remote rsyslog server to confirm the logs are being written, or by running tcpdump on the remote rsyslog server:
sudo tcpdump -i <interface> port 10514
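Both sides of this setup depend on a handful of directives being exactly right: the gtls driver selected, mode 1 (TLS-only) on the listener and on the sending action, absolute certificate paths, and the CA file under /opt on the appliance. The following added example (not Appgate's or rsyslog's own code) lints the two configurations from this page for those settings. It understands only the legacy '$Directive value' syntax and trailing '#' comments used above; the x509/name and PermittedPeer directives it mentions are real rsyslog options that this page does not use, and are referenced only so the checker can tell "encrypted" apart from "encrypted and peer-authenticated".

```python
"""Lint the remote rsyslog listener and the Appgate SDP sending action for
the directives that decide whether TLS is actually enforced.
Added example; not Appgate's or rsyslog's own code."""

# Both configs are copied from the page.
SERVER_CONF = """\
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /home/ubuntu/Keys/ca.pem
$DefaultNetstreamDriverCertFile /home/ubuntu/Keys/cert.pem
$DefaultNetstreamDriverKeyFile /home/ubuntu/Keys/key.pem
# load TCP listener
$ModLoad imtcp
# run driver in TLS-only mode
$InputTCPServerStreamDriverMode 1
# client is NOT authenticated
$InputTCPServerStreamDriverAuthMode anon
# start up listener at port 10514
$InputTCPServerRun 10514
"""

CLIENT_CONF = """\
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /opt/Keys/ca.pem
# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
"""


def parse_legacy(text):
    """Map directive name -> value for '$Name value' lines.
    '$ModLoad' may repeat, so it is collected as a list; for the other
    directives the last occurrence wins, as rsyslog does."""
    conf = {"ModLoad": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line.startswith("$"):
            continue
        name, _, value = line[1:].partition(" ")
        value = value.strip()
        if name == "ModLoad":
            conf["ModLoad"].append(value)
        else:
            conf[name] = value
    return conf


def _need(conf, key, expected, why, findings):
    """Record an 'error' finding when a directive does not have the value TLS needs."""
    if conf.get(key) != expected:
        findings.append(("error", f"{key} must be {expected}: {why}"))


def lint_server(text):
    """Findings for the listener (remote rsyslog server) side.
    'error' means TLS is not actually enforced; 'warn' means it is on but
    the peer is not authenticated."""
    conf, f = parse_legacy(text), []
    _need(conf, "DefaultNetstreamDriver", "gtls", "no TLS driver otherwise", f)
    for key in ("DefaultNetstreamDriverCAFile", "DefaultNetstreamDriverCertFile",
                "DefaultNetstreamDriverKeyFile"):
        if not conf.get(key, "").startswith("/"):
            f.append(("error", f"{key} missing or not an absolute path"))
    if "imtcp" not in conf["ModLoad"]:
        f.append(("error", "imtcp not loaded, so there is no TCP listener"))
    _need(conf, "InputTCPServerStreamDriverMode", "1",
          "mode 0 accepts plaintext connections", f)
    auth = conf.get("InputTCPServerStreamDriverAuthMode", "anon")
    if auth == "anon":
        f.append(("warn", "clients are not authenticated: any host that can "
                          "reach the port may submit log lines"))
    elif auth == "x509/name" and "InputTCPServerStreamDriverPermittedPeer" not in conf:
        f.append(("error", "x509/name requires InputTCPServerStreamDriverPermittedPeer"))
    if not conf.get("InputTCPServerRun", "").isdigit():
        f.append(("error", "InputTCPServerRun must name the listening port"))
    return f


def lint_client(text):
    """Findings for the Appgate SDP (sending) side."""
    conf, f = parse_legacy(text), []
    if not conf.get("DefaultNetstreamDriverCAFile", "").startswith("/opt/"):
        f.append(("error", "on the appliance the CA file must live under /opt"))
    _need(conf, "DefaultNetstreamDriver", "gtls", "no TLS driver otherwise", f)
    _need(conf, "ActionSendStreamDriverMode", "1",
          "mode 0 sends the logs in cleartext", f)
    auth = conf.get("ActionSendStreamDriverAuthMode", "anon")
    if auth == "anon":
        f.append(("warn", "server certificate is not verified: the appliance "
                          "cannot tell the real collector from an impostor"))
    elif auth == "x509/name" and "ActionSendStreamDriverPermittedPeer" not in conf:
        f.append(("error", "x509/name requires ActionSendStreamDriverPermittedPeer"))
    return f


if __name__ == "__main__":
    for side, findings in (("server", lint_server(SERVER_CONF)),
                           ("client", lint_client(CLIENT_CONF))):
        for sev, msg in findings or [("ok", "no findings")]:
            print(f"{side}: {sev}: {msg}")
```

Run against the page's own configuration, the checker reports no errors and one warning per side: the transport is encrypted, but because both AuthMode directives are anon neither peer verifies the other's certificate, which is exactly what the "NOT authenticated" comments in the configuration say.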
For more information about Logs in general refer to System Logs
For information about the details of specific audit logs records refer to Audit log types