How to configure Prisma SaaS Syslog Monitoring
Created On 11/14/20 01:31 AM - Last Modified 11/27/24 22:07 PM
Objective
On the syslog server, create a self-signed SSL certificate file and make sure TLS is enabled in the configuration. The TLS peer-verify option needs to be set to: peer-verify(optional-untrusted)
This documentation describes the details of the procedure.
Environment
- SaaS Inline
- DLP
- Strata Logging Service
Procedure
In order to communicate through TLS, the customer must self-sign their server and create an SSL certificate.
There are three steps in this procedure.
A.) Command line create CA
B.) Command line create server certificate
C.) Configuring the syslog-ng server
A.) Command line create CA
1. On the syslog-ng server, create a CA folder:
$ cd /etc/syslog-ng
$ mkdir CA
$ cd CA
2. Create a few directories and give starting values to some support files:
$ mkdir certs crl newcerts private
$ echo "01" > serial
$ cp /dev/null index.txt
3. Copy openssl.cnf to the current directory. Depending on your distribution, the source directory might be different, so check the list of files in the OpenSSL package before copying:
$ cp /etc/ssl/openssl.cnf openssl.cnf
4. Edit openssl.cnf in the current directory:
$ vi openssl.cnf
5. Search for the following part and replace ./demoCA with a single dot:
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
change to
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
6. Generate the certificate for the CA:
openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf
B.) Command line create server certificate
Create and sign a certificate for your syslog-ng server.
The common name should contain the FQDN or IP address of your server, and the e-mail address should be left blank.
openssl req -nodes -new -x509 -keyout serverkey.pem -out serverreq.pem -days 365 -config openssl.cnf
openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem
C.) Configuring the syslog-ng server
1. Create two new directories:
$ mkdir cert.d ca.d
2. Copy serverkey.pem and servercert.pem to cert.d. Copy cacert.pem to ca.d and issue the following command on the certificate:
$ cp serverkey.pem cert.d/serverkey.pem
$ cp servercert.pem cert.d/servercert.pem
$ cp cacert.pem ca.d/cacert.pem
$ cd ca.d
$ openssl x509 -noout -hash -in cacert.pem
hash123456
The result is a hash (for example hash123456), a series of alphanumeric characters based on the Distinguished Name of the certificate.
3. Create a symbolic link to the certificate that uses the hash returned by the previous command and the .0 suffix:
$ ln -s cacert.pem hash123456.0
4. Modify /etc/syslog-ng/syslog-ng.conf. Add the source into the conf file:
source s_aperture {
    network(ip(0.0.0.0) port(6514)
        transport("tls")
        tls(
            key_file("/etc/syslog-ng/CA/cert.d/serverkey.pem")
            cert_file("/etc/syslog-ng/CA/cert.d/servercert.pem")
            ca_dir("/etc/syslog-ng/CA/ca.d")
            peer-verify(optional-untrusted))
    );
};
Add the destination into the conf file:
destination d_aperture { file("/var/log/aperture.log"); };
Add the log action into the conf file:
log { source(s_aperture); destination(d_aperture); };
Note: As part of the publicapi probe tests, we source Aperture logs from port 6514 and append them to the destination /var/log/syslog. When doing this, there is no need to set up a separate destination at /var/log/aperture.log; the existing d_syslog destination can be used directly to append to that file.
log { source(s_aperture); destination(d_syslog); };
5. If you want to use the IETF-syslog protocol:
source s_aperture {
    syslog(ip(0.0.0.0) port(6514)
        transport("tls")
        tls(
            key_file("/etc/syslog-ng/CA/cert.d/serverkey.pem")
            cert_file("/etc/syslog-ng/CA/cert.d/servercert.pem")
            ca_dir("/etc/syslog-ng/CA/ca.d")
            peer-verify(optional-untrusted))
    );
};
6. Restart syslog-ng:
$ sudo /etc/init.d/syslog-ng restart
[ ok ] Restarting syslog-ng (via systemctl): syslog-ng.service.
Now all syslog messages received from the network through port 6514 will be saved in /var/log/aperture.log.
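As an added example (not part of this article and not syslog-ng's own tooling), the following Python script parses the s_aperture source block from step 4 and spells out what its TLS options actually enforce, in particular that peer-verify(optional-untrusted) neither requires nor validates a certificate from the sender. The sample configuration is embedded as a constructed string, and the finding messages are this example's own wording.

```python
import re

# Constructed sample: the s_aperture source block from this article, embedded
# as a string so the check runs offline without reading /etc/syslog-ng.
SAMPLE_SOURCE = """
source s_aperture {
    network(ip(0.0.0.0) port(6514)
        transport("tls")
        tls(
            key_file("/etc/syslog-ng/CA/cert.d/serverkey.pem")
            cert_file("/etc/syslog-ng/CA/cert.d/servercert.pem")
            ca_dir("/etc/syslog-ng/CA/ca.d")
            peer-verify(optional-untrusted))
    );
};
"""

# Matches leaf options such as port(6514), transport("tls") or peer-verify(optional-untrusted).
OPTION_RE = re.compile(r'([\w-]+)\(\s*"?([^()"]*)"?\s*\)')


def parse_source(conf: str) -> dict:
    """Return the driver name plus every leaf option of a syslog-ng source block.
    syslog-ng accepts '-' and '_' interchangeably in option names, so keys are
    normalised to '_' (peer-verify -> peer_verify)."""
    opts = {}
    driver = re.search(r"\b(network|syslog)\s*\(", conf)
    opts["driver"] = driver.group(1) if driver else "<unknown>"
    for name, value in OPTION_RE.findall(conf):
        opts[name.replace("-", "_")] = value.strip()
    return opts


def check_tls_source(conf: str) -> list:
    """Describe what the TLS settings of the source block actually enforce."""
    opts = parse_source(conf)
    findings = []
    if opts.get("transport") != "tls":
        findings.append("transport is not tls: messages travel in plaintext")
    for required in ("key_file", "cert_file", "ca_dir"):
        if required not in opts:
            findings.append(f"missing {required}(): server cannot present or verify certificates")
    mode = opts.get("peer_verify", "<unset>")
    if mode.startswith("optional"):
        findings.append(f"peer-verify({mode}): sender certificate not required, any TLS client may connect")
    if mode.endswith("untrusted"):
        findings.append(f"peer-verify({mode}): a presented client certificate is not checked against ca_dir")
    if opts.get("ip") == "0.0.0.0":
        findings.append(f"port {opts.get('port')} listens on all interfaces: restrict reachability to the expected sender")
    return findings
```

Because the article requires optional-untrusted, the findings about it are informational: they tell you that reachability of port 6514 must be limited at the network layer rather than by client certificates.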