syslog-ng Open Source Edition 3.26 - Mutual authentication using TLS

Introduction

Collecting log messages is an essential part of managing, maintaining, and troubleshooting IT systems. Since your log messages can contain all kinds of sensitive information, you should make sure that they are kept safe. The easiest way to protect the log messages as they are transferred from your clients to your logserver is to authenticate and encrypt the connection between the client and the server.

This tutorial shows you step-by-step how to create the certificates required to authenticate your server and your clients, and how to configure syslog-ng Open Source Edition (syslog-ng OSE) to send your log messages in an encrypted connection. Installing syslog-ng OSE is not covered, but downloading it from the Downloads page for your platform and installing it should be easy.

The tutorial is organized as follows:

  • Creating self-signed certificates describes how to create the required certificates to encrypt and authenticate the connection between your logserver and your clients. Actually, you can use this part of the tutorial even if you do not use syslog-ng OSE, as it is independent from the logging application you use.

  • Configuring syslog-ng OSE describes how to configure syslog-ng OSE on your clients and your logserver.

  • Testing what you have done gives you tips on how to test your configuration to make sure it is really working.


Was this topic helpful?

[Select Rating]



Creating self-signed certificates

TLS-encryption uses certificates to authenticate the server, and in case of mutual authentication, the client as well. The following sections show you how to create the required certificates.

To use mutual authentication in syslog-ng OSE, certificates are required. There are several commercial certificate authorities (CAs) who can help you, but the process costs both money and time (waiting until the submitted certificate is signed). This guide demonstrates how to create your very own Certificate Authority (CA) for creating self-signed certificates. It does not cover all the details, for example, changing expiration dates, only the minimally required steps to be able to use mutual authentication in syslog-ng OSE.

There are handy tools, such as CA.pl, which can make certificate creation and signing easier, but they are not available on all platforms, even if it is part of the OpenSSL software suite. On the other hand, the OpenSSL command line tool is available on all Linux distributions and BSD variants, so this tool will be used in the guide.


Was this topic helpful?

[Select Rating]



Creating a CA

Purpose:

To create a CA, complete the following steps:

Steps:
  1. Create an empty directory and navigate into that directory:

    mkdir CA

    cd CA

  2. Create a few directories and give starting values to some support files:

    mkdir certs crl newcerts private

    echo "01" > serial

    cp /dev/null index.txt

  3. Copy openssl.conf to the current directory. Depending on your distributions, the source directory might be different, so check the list of files in the OpenSSL package before copying:

    cp /etc/ssl/openssl.cnf openssl.cnf

  4. Edit openssl.conf in the current directory:

    vi openssl.cnf

  5. Search for the following part and replace ./DemoCA with a single dot:

    [ CA_default ]
    
    dir             = ./demoCA              # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept 

    Change it to:

    [ CA_default ]
    
    dir             = .                     # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept 
  6. As a last step, generate the certificate for the CA:

    openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

    The following will be displayed. Answer the questions as in the example:

    Generating a 1024 bit RSA private key
    .++++++
    ......................++++++
    writing new private key to 'private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) [Some-State]:Budapest
    Locality Name (eg, city) []:Budapest
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mycompany
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:Example
    Email Address []:example@balabit.com

Was this topic helpful?

[Select Rating]



Creating a server certificate

Purpose:

To create a server certificate, complete the following steps:

Steps:
  1. The next step is to create and sign a certificate for your syslog-ng OSE server. The common name should contain the FQDN or IP address of your server, and the email address should be left blank.

    openssl req -nodes -new -x509 -keyout serverkey.pem -out serverreq.pem -days 365 -config openssl.cnf

  2. The following will be displayed. Answer the questions as in the example:

    Generating a 1024 bit RSA private key
    ........................................++++++
    .++++++
    writing new private key to 'serverkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) [Some-State]:Budapest
    Locality Name (eg, city) []:Budapest
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mycompany
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:172.16.177.147
    Email Address []:
    example@linux-modi:~/CA> openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
    Getting request Private Key
    Generating certificate request
    example@linux-modi:~/CA> openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem
    Using configuration from openssl.cnf
    Enter pass phrase for ./private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jun 25 10:27:39 2014 GMT
                Not After : Jun 25 10:27:39 2015 GMT
            Subject:
                countryName               = HU
                stateOrProvinceName       = Budapest
                localityName              = Budapest
                organizationName          = Mycompany
                commonName                = 172.16.177.147
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    55:4E:B1:47:33:CF:0C:83:5F:29:64:9B:E9:99:77:DF:0E:72:52:76
                X509v3 Authority Key Identifier:
                    keyid:D1:FF:ED:B4:0B:66:E6:45:EE:70:4F:DC:6C:C5:34:48:42:38:E9:38
    
    Certificate is to be certified until Jun 25 10:27:39 2015 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
        Data Base Updated 
  3. Enter the following:

    rm tmp.pem


Was this topic helpful?

[Select Rating]



Blogs
Using the syslog-ng Store Box (SSB) in front of Splunk
Containers and automation: five conferences in two words
Webinars
Make your logging infrastructure GDPR compliant
Optimize your SIEM
Feeding log data into your Data Lake
Optimized Log Collection and Distribution
Never Lose Another Log Message
Related Documents