Secure log transfer using TLS
You can forward logs from AppGate ZTNA appliances to an external SIEM system. By default the appliance does this with rsyslog over plain syslog, which is not encrypted: anyone on the network path between the appliance and the SIEM can read the log stream. You can secure the transmission by configuring both ends to talk TLS. You will need a remote server running rsyslog version 8.16.0 or later with the rsyslog-gnutls module installed.
Creating Security Keys
You will also need certificates for the TLS transport. For instructions on generating a CA and machine certificates, see: https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_machine.html
The remote rsyslog server needs ca.pem, cert.pem, and key.pem; the AppGate ZTNA appliance needs only ca.pem. Keep key.pem private on the rsyslog server (it must not be world-readable). You will need to create the directory that holds the files. On the AppGate ZTNA appliance the file must be stored under the /opt directory. This example uses /opt/Keys on the AppGate ZTNA appliance and /home/ubuntu/Keys on the rsyslog server.
Configuring the Remote Rsyslog Server
We tested this using an Ubuntu 16.04 server with rsyslog v8.16.0 and rsyslog-gnutls installed. On the rsyslog server, open the configuration with: sudo nano /etc/rsyslog.conf and add the following lines to /etc/rsyslog.conf:
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /home/ubuntu/Keys/ca.pem
$DefaultNetstreamDriverCertFile /home/ubuntu/Keys/cert.pem
$DefaultNetstreamDriverKeyFile /home/ubuntu/Keys/key.pem
# load TCP listener
$ModLoad imtcp
# run driver in TLS-only mode
$InputTCPServerStreamDriverMode 1
# client is NOT authenticated
$InputTCPServerStreamDriverAuthMode anon
# start up listener at port 10514
$InputTCPServerRun 10514
Keep the driver and certificate directives above the $InputTCPServerRun line, since the listener is started with whatever settings are in effect at that point. Restart rsyslog afterwards (sudo systemctl restart rsyslog) so that the TLS listener starts.
Configuring the AppGate ZTNA Appliance
On the AppGate ZTNA appliance:
Create the /opt/Keys directory:
sudo mkdir /opt/Keys
Copy the ca.pem certificate into the newly created /opt/Keys directory.
Then do the following steps to configure rsyslog through the admin UI:
Go to System > Appliances > Edit Appliance > Networking > Advanced > Rsyslog Destinations and select +Add.

In the Selector field, paste the following:
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /opt/Keys/ca.pem
# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
:msg, contains, "[AUDIT]"
NOTE
The last line, :msg, contains, "[AUDIT]", sends only messages marked "[AUDIT]", which all audit log records carry. Because the audit logs and syslogs are kept in the same file, replace the last line with *.* if you want both the audit logs and the syslogs forwarded.
Note also what anon means here. Together with the anon setting on the server, the connection is encrypted but neither end authenticates the other: the appliance does not verify the identity of the server it connects to, so a host that intercepts the connection and presents a certificate of its own will receive the logs. To make the appliance verify the server, use $ActionSendStreamDriverAuthMode x509/name instead and add $ActionSendStreamDriverPermittedPeer <server name>, where the name matches the CN or subjectAltName of the server's cert.pem (see the rsyslog TLS documentation linked above).
In the Template field, enter the following:
%msg:9:$%\n
This is an rsyslog property replacer expression: it emits the message text from character 9 to the end (dropping the leading marker) followed by a newline.
In the Destination field, enter the address of the remote rsyslog server you are sending logs to:
@@(o)ec2-18-218-62-238.us-east-2.compute.amazonaws.com:10514
In this example, we are sending logs to the server ec2-18-218-62-238.us-east-2.compute.amazonaws.com on port 10514. The @@ prefix selects TCP (a single @ would be UDP, which cannot carry TLS), and (o) selects octet-counted framing.
Click Save at the bottom of the Edit Appliance page to save the configuration.
Make sure TCP port 10514 is open between the AppGate ZTNA appliance and the remote rsyslog server.
Once the configuration is saved, the appliance forwards the logs to the remote server, where rsyslog writes them to /var/log/syslog. You can verify that messages are being delivered either by checking /var/log/syslog on the remote rsyslog server (for example with tail -f /var/log/syslog) or by capturing on the remote rsyslog server with: sudo tcpdump -i <interface> port 10514. The capture confirms that the appliance connects and that the stream is TLS: you will see a handshake followed by encrypted records rather than readable log text.
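As an added example, not code from the AppGate ZTNA documentation or from the rsyslog project, the POSIX shell script below renders the appliance-side Selector from the steps above in two forms: the page's anon mode, and an x509/name form in which the appliance verifies the server's certificate against ca.pem and checks its name. It also audits a Selector for the weak setting and offers a hand check of the listener with openssl s_client. The paths, port and server name are the ones used on this page and are placeholders; the PermittedPeer value is an assumption that must match the CN or subjectAltName of the server certificate you generated. The check_listener function needs network access and is not run by the demo at the bottom.

```shell
#!/bin/sh
# Added example (not AppGate or rsyslog project code). Renders the appliance
# Selector in the page's "anon" form and a hardened "x509/name" form, audits a
# Selector for weak settings, and provides a manual TLS check of the listener.
# Paths, port and server name are assumptions taken from the page's example.

CA_FILE=/opt/Keys/ca.pem                                   # CA on the appliance
SERVER=ec2-18-218-62-238.us-east-2.compute.amazonaws.com   # page's server name
PORT=10514
SELECTOR=':msg, contains, "[AUDIT]"'   # use '*.*' to forward everything

# render_selector MODE [PEER]
#   MODE  anon        TLS without server authentication (page's setting)
#         x509/name   verify server cert against CA_FILE and its name vs PEER
render_selector() {
  mode=$1
  peer=${2:-$SERVER}
  printf '# certificate files - just CA for a client\n'
  printf '$DefaultNetstreamDriverCAFile %s\n' "$CA_FILE"
  printf '# set up the action\n'
  printf '$DefaultNetstreamDriver gtls\n'
  printf '$ActionSendStreamDriverMode 1\n'
  printf '$ActionSendStreamDriverAuthMode %s\n' "$mode"
  if [ "$mode" = "x509/name" ]; then
    # the name must match the server certificate's CN or subjectAltName
    printf '$ActionSendStreamDriverPermittedPeer %s\n' "$peer"
  fi
  printf '%s\n' "$SELECTOR"
}

# audit_selector: read a Selector on stdin, print findings, and return 1 if
# the appliance would send logs to an unencrypted or unauthenticated peer.
audit_selector() {
  conf=$(cat)
  rc=0
  has() { printf '%s\n' "$conf" | grep -q "$1"; }
  if ! has '^\$DefaultNetstreamDriver gtls'; then
    echo "FAIL: gtls driver not selected; logs would be sent in plaintext"; rc=1
  fi
  if ! has '^\$ActionSendStreamDriverMode 1'; then
    echo "FAIL: stream driver mode is not 1; TLS is not required"; rc=1
  fi
  if has '^\$ActionSendStreamDriverAuthMode anon'; then
    echo "WARN: anon auth mode; the server is not authenticated, so a host that"
    echo "      intercepts the connection can present its own cert and read logs"
    rc=1
  elif has '^\$ActionSendStreamDriverAuthMode x509/name' \
       && ! has '^\$ActionSendStreamDriverPermittedPeer '; then
    echo "FAIL: x509/name without PermittedPeer; the name is never checked"; rc=1
  fi
  return $rc
}

# check_listener: from any host that has openssl and ca.pem, confirm that the
# listener speaks TLS and that its certificate chains to the CA and carries
# SERVER's name. "Verify return code: 0 (ok)" is the result you want.
# (Needs network access; not called by the demo below.)
check_listener() {
  openssl s_client -connect "$SERVER:$PORT" -CAfile "$CA_FILE" \
    -verify_hostname "$SERVER" </dev/null 2>&1 \
    | grep -E 'subject=|Verify return code'
}

echo "== Selector as given on the page (anon) =="
weak=$(render_selector anon)
printf '%s\n' "$weak"
printf '%s\n' "$weak" | audit_selector || echo "-> use the x509/name form instead"
echo
echo "== Selector with server authentication (x509/name) =="
hard=$(render_selector x509/name)
printf '%s\n' "$hard"
printf '%s\n' "$hard" | audit_selector && echo "-> no findings"
```

The x509/name form changes only the appliance side; the listener configuration on the page can stay as it is, since it presents cert.pem regardless of whether it authenticates the appliance. Whether the server should also authenticate the appliance (which would need a client certificate on the appliance, beyond what this page covers) is a separate decision.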
For more information about logs, see System Logs.
For information about the details of audit log records, refer to Audit log types.