Rsyslog TLS Encryption NGINX Reverse Proxy

The document discusses how to configure RSYSLOG to encrypt event messages in transit between a syslog forwarder and receiver. It provides steps to generate certificates, configure the receiver with Nginx, and modify the RSYSLOG configuration files to decrypt messages on the receiver side.
3/10/22, 2:16 PM How to Encrypt RSYSLOG Event Messages for Transit | The Nest


HOW TO ENCRYPT RSYSLOG EVENT MESSAGES FOR TRANSIT

KB153 Apr 23, 2021

Tags: How To, Syslog, Server Administration, Architecture, Integration, Configuration

PURPOSE
Cybereason uses the RSYSLOG system log processing standard to send event messages from Cybereason Detection and WebApp
Servers to the Cybereason Syslog Receiver via the Syslog Forwarder. The receiving end often uses these event messages for
integrating Cybereason data into third-party SIEM products.

The image below represents a high-level overview of the RSYSLOG architecture.

Here’s how it works:

1. Syslog events are collected from Cybereason components and sent to the Cybereason 'Syslog Forwarder' unencrypted.
2. The 'Syslog Forwarder' encrypts the raw data using the customer’s private domain certificate.
3. The encrypted data is then sent to the customer’s 'Syslog Receiver' through the customer’s firewall.
4. The 'Syslog Receiver' decrypts the TLS encryption using a private key and writes the raw data locally.
Source: https://nest.cybereason.com/knowledgebase/153

5. The raw data is then available in the customer's network and can be used by any SIEM system.

STEPS
Minimum Requirements: A CentOS/RHEL 7 server with 4 CPUs, 8 GB RAM, and 50 GB disk space.

To create a Syslog Receiver (using the NGINX Application Platform):

1. Install the Nginx package on the Syslog Receiver server.

# sudo yum install nginx

2. Create a public CA (Certificate Authority) certificate file and send it to Cybereason Technical Support in the .pem container
format ("ca.pem") by SFTP (sftp.cybereason.com).
This file is used for the TLS handshake between the Syslog Forwarder and Syslog Receiver.
3. Create a domain certificate ("cert.pem") together with its private key ("key.pem"). Data encrypted to this certificate by the
Syslog Forwarder is decrypted on the Syslog Receiver side with the private key, which stays on the Syslog Receiver.
Note: If your certificate provider included the CA and CERT certificates in a single file, send this file.
4. Place the three certificate files created above in the following locations:
/etc/rsyslog.d/ca.pem
/etc/rsyslog.d/cert.pem
/etc/rsyslog.d/key.pem

5. Replace the contents of /etc/nginx/nginx.conf with the following, where "PORT_NUMBER" is the port number of the Syslog
Receiver (default 6514):


user nginx;
worker_processes auto;
load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

stream {
    server {
        # TLS is terminated here; decrypted records go to rsyslog's imtcp listener on the loopback interface
        listen PORT_NUMBER ssl so_keepalive=30m:30m:10;
        proxy_connect_timeout 1s;
        proxy_pass localhost:514;
        ssl_certificate /etc/rsyslog.d/cert.pem;
        ssl_certificate_key /etc/rsyslog.d/key.pem;
        ssl_session_cache none;
        ssl_session_timeout 1s;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    }
}

6. Replace the contents of /etc/rsyslog.conf with the following:


# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal

# Provides TCP syslog reception (plaintext from nginx on localhost; TLS is terminated by nginx)
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

$PreserveFQDN on

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
# The leading "*.info;" selector is what makes this rule match anything (as in the stock CentOS/RHEL 7 file).
*.info;mail.none;authpriv.none;cron.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
# The leading "-" requests asynchronous writes; a "~" in this position would be the legacy discard action.
mail.* -/var/log/maillog

# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log

### begin forwarding rule ###
# Each group of $ActionQueue* directives applies to the single action that follows it.
$ActionQueueFileName fwdRule0 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
local0.* /tmp/logfile.local0.log

$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
local2.* /tmp/logfile.local2.log

$ActionQueueFileName fwdRule2 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down
local3.* /tmp/logfile.local3.log

7. Run the following commands on the server:

# service rsyslog restart
# service rsyslog status -l
# service nginx restart
# service nginx status -l

The first two commands should produce output like the following:

rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2018-12-05 13:37:28 UTC; 1 day 22h ago
     Docs: man:rsyslogd(8)
           http://www.rsyslog.com/doc/
 Main PID: 12559 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           └─12559 /usr/sbin/rsyslogd -n

Dec 04 13:11:27 cr-rsyslog-receiver systemd[1]: Starting System Logging Service...
Dec 04 13:11:28 cr-rsyslog-receiver systemd[1]: Started System Logging Service.

The last two commands should produce output like the following:


nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-12-07 12:26:20 UTC; 2s ago
  Process: 13542 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 13538 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 13536 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 13544 (nginx)
   CGroup: /system.slice/nginx.service
           ├─13544 nginx: master process /usr/sbin/ngin
           ├─13545 nginx: worker proces
           └─13546 nginx: worker proces

Dec 07 12:26:20 cr-rsyslog-receiver systemd[1]: Starting The nginx HTTP and reverse proxy server...
Dec 07 12:26:20 cr-rsyslog-receiver nginx[13538]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Dec 07 12:26:20 cr-rsyslog-receiver nginx[13538]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Dec 07 12:26:20 cr-rsyslog-receiver systemd[1]: Started The nginx HTTP and reverse proxy server.
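To confirm the receiver end to end once steps 1 to 7 are done, the following forwarder-side test client (an added example, not the Cybereason Syslog Forwarder or any rsyslog code) connects to nginx on PORT_NUMBER, validates the receiver's certificate against ca.pem the way the forwarder must, and sends one record per facility that the step 6 rules route to a file. The host name, port, hostname "cr-test" and the file paths are assumptions taken from the configuration above.

```python
import socket
import ssl
import time

# RFC 3164 facility and severity codes for the selectors used on the receiver.
FACILITY = {"local0": 16, "local2": 18, "local3": 19}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Destination of each facility under the step 6 rules (assumed unchanged from the page).
RECEIVER_FILE = {f: f"/tmp/logfile.{f}.log" for f in FACILITY}

def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; local0.info is 16 * 8 + 6 = 134."""
    return FACILITY[facility] * 8 + SEVERITY[severity]

def syslog_line(facility: str, severity: str, host: str, tag: str, msg: str, ts: str = None) -> bytes:
    """One RFC 3164 record, LF-terminated as rsyslog's imtcp expects by default."""
    if ts is None:
        t = time.localtime()  # day of month is space-padded in RFC 3164 timestamps
        ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    msg = msg.replace("\n", "\\n")  # an embedded newline would split the record in two
    return f"<{pri(facility, severity)}>{ts} {host} {tag}: {msg}\n".encode()

def forwarder_context(ca_file: str = None) -> ssl.SSLContext:
    """Client-side settings matching the receiver: TLS 1.2 or newer only, and the
    receiver's cert.pem must chain to the CA in ca.pem (hostname is checked too)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # sets CERT_REQUIRED and check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx

def send(receiver_host: str, port: int, ca_file: str, lines: list, timeout: float = 5.0) -> int:
    """Deliver the records over one TLS session to nginx; returns bytes written.
    A receiver certificate not issued by ca.pem raises ssl.SSLCertVerificationError."""
    ctx = forwarder_context(ca_file)
    payload = b"".join(lines)
    with socket.create_connection((receiver_host, port), timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=receiver_host) as tls:
            tls.sendall(payload)
    return len(payload)

if __name__ == "__main__":
    import sys  # usage: tls_syslog_check.py <receiver host> <PORT_NUMBER> /etc/rsyslog.d/ca.pem
    host, port, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    records = [syslog_line(f, "info", "cr-test", "tlscheck", f"expect me in {RECEIVER_FILE[f]}")
               for f in FACILITY]
    print(send(host, port, ca, records), "bytes sent; check the files named above on the receiver")
```

Because the stream block in step 5 requests no client certificate, this session authenticates the receiver to the forwarder only; the customer firewall in front of the Syslog Receiver is what limits which hosts can reach PORT_NUMBER.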

RESULT
The Syslog Receiver will now be listening for Syslog events from the Syslog Forwarder, and event messages will be encrypted for
transit and decrypted on receipt at the receiving end.

RELATED TOPIC
Syslog Message Examples

Syslog Forwarder Template - Rsyslog.conf File

Platforms: Linux, Mac, Windows. Versions: 17.5, 18.0, 18.1, 19.0, 19.1, 19.2, 20.1, all versions.