Last update:
Last verified version: AMC 3.2.1
Before enabling encryption, check which authentication mode your SIEM supports for Client-Server communication. For Rsyslog, see supported authentication modes.
Please be aware that we do not provide support for your Syslog or SIEM solution and your CA infrastructure.
Overview
This article guides you through securing the transmission of ASGARD logs to a remote log server. This requires adjustments to ASGARD and possibly also to the Syslog server.
The example can be used as a template for other protocol targets.
Prerequisites
The following example relates to encrypted communication between the ASGARD Management Center and a Debian-based Linux host running Rsyslog, using the "x509/certvalid" (certificate validation only) authmode. ASGARD acts as the TLS client, the Syslog server as the TLS server.
- Root access to ASGARD
- ASGARD with Update access
- Root access to your Syslog server
- CA signing infrastructure
Expected result
The communication between your ASGARD and your SIEM / Syslog is secured.
Steps to proceed
A. Configure the Syslog server
Step 1: Install the GnuTLS Library
To implement transport layer security for Rsyslog, install additional packages.
sudo -s
apt update
apt install gnutls-bin rsyslog-gnutls -y
Step 2: Setup TLS
Create a TLS key and a CSR. When filling in the fields, use the FQDN of your Syslog server (as shown by hostname --fqdn):
hostname --fqdn
openssl req -new -newkey rsa:4096 -nodes -keyout /etc/ssl/private/rsyslog.key -out rsyslog.csr
After you have filled in the fields, generate a CA-signed certificate from your organization.
Delete the CSR and move the new certificate to /etc/ssl/certs (the path referenced in the Rsyslog configuration below):
rm *.csr
mv rsyslog.crt /etc/ssl/certs
The certificate of your CA must be imported into the CA store of the Syslog server operating system:
mv ca.crt /usr/local/share/ca-certificates
update-ca-certificates
Step 3: Modify Firewall
Open port 6514 for encrypted Syslog traffic:
ufw allow 6514
Step 4: Create Configuration File
Create a configuration file for Rsyslog. These settings apply to all incoming connections on port 6514:
vi /etc/rsyslog.d/30-tls.conf
...
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$DefaultNetstreamDriverCertFile /etc/ssl/certs/rsyslog.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/private/rsyslog.key
# load TCP listener
$ModLoad imtcp
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerStreamDriverAuthMode x509/certvalid # certificate validation only
$InputTCPServerRun 6514 # start up listener at port 6514
...
Reload the Rsyslog service:
systemctl reload rsyslog
Check for errors:
systemctl status rsyslog
Test the secured connection from the Syslog server itself. The output should end with return code "0":
openssl s_client -host ${HOSTNAME} -port 6514
Verify return code: 0 (ok)
B. Configure your Management Center
Step 1: Install the GnuTLS Library
To implement transport layer security for Rsyslog, install additional packages.
sudo -s
apt update
apt install gnutls-bin rsyslog-gnutls -y
Step 2: Setup TLS
Create new TLS key pair, signed by your CA:
cd /etc/asgard-management-center/
hostname --fqdn
openssl req -new -newkey rsa:4096 -nodes -keyout rsyslog.key -out rsyslog.csr
After completing the fields, generate a CA-signed certificate from your organization CA using the generated CSR.
Delete the CSR, upload the certificate "rsyslog.crt" to the ASGARD (the example assumes it lands in /home/nextron), move it to /etc/asgard-management-center, and protect the files:
rm rsyslog.csr
mv /home/nextron/rsyslog.crt /etc/asgard-management-center/
chmod 400 rsyslog.key
chmod 400 rsyslog.crt
chown asgard-management-center:asgard-management-center rsyslog.crt
chown asgard-management-center:asgard-management-center rsyslog.key
Import the CA in your operating system CA storage:
mv ca.crt /usr/local/share/ca-certificates
update-ca-certificates
Test the connection to your Rsyslog. The return code should be "0":
openssl s_client -host YOUR-SYSLOG-FQDN -port 6514 -cert /etc/asgard-management-center/rsyslog.crt -key /etc/asgard-management-center/rsyslog.key
Verify return code: 0 (ok)
Step 3: Create Configuration File
Because ASGARD configuration files may be overwritten during updates, make a copy after adjusting them.
The ASGARD Rsyslog configuration files for different use cases are stored here. The file names should be self-explanatory:
- /etc/asgard-management-center/rsyslog-agent.conf
- /etc/asgard-management-center/rsyslog-asgard-audit.conf
- /etc/asgard-management-center/rsyslog-asgard.conf
- /etc/asgard-management-center/rsyslog-aurora.conf
- /etc/asgard-management-center/rsyslog-thor.conf
- /etc/asgard-management-center/rsyslog-thor-non-realtime.conf
In this example, we forward the ASGARD log using Rsyslog "x509/certvalid" authmode. The client and server must trust each other via certificates.
vi /etc/asgard-management-center/rsyslog-asgard.conf
...
# make gtls driver the default
$DefaultNetstreamDriver gtls
# certificate files
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ca-certificates.crt
$DefaultNetstreamDriverCertFile /etc/asgard-management-center/rsyslog.crt
$DefaultNetstreamDriverKeyFile /etc/asgard-management-center/rsyslog.key
# set up the action
$ActionSendStreamDriverMode 1 # require TLS
$ActionSendStreamDriverAuthMode x509/certvalid # certificate must be valid
# Forward all logs to your Syslog
*.* @@(o)YOUR-SYSLOG-FQDN:6514 # send all messages to your Syslog
...
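The following script is an added example; it is not part of this article or of ASGARD. It reads the CA, certificate and key paths from a configuration in the legacy directive syntax shown above (either the server-side /etc/rsyslog.d/30-tls.conf or the client-side rsyslog-asgard.conf), checks that the CA file and certificate are readable, that the private key is not readable by group or other users, and reports when the "anon" auth mode is in use. The configuration path is passed as the only argument; "stat -c" from GNU coreutils is assumed, with a BSD fallback.

```shell
#!/bin/sh
# Added example, not part of the original article: sanity-check the file
# references in an rsyslog TLS configuration (server or client side) before
# reloading the service. Assumes the legacy "$Default..." directive syntax
# used in the article and GNU coreutils "stat -c" as found on Debian
# (a BSD "stat -f" fallback is included).

# Print the value of the legacy rsyslog directive NAME (without the leading $)
# from CONF: first match only, trailing "# comment" and whitespace stripped.
directive_value() {
    conf=$1; name=$2
    sed -n "s/^[[:space:]]*[\$]$name[[:space:]]\{1,\}\([^#]*\).*/\1/p" "$conf" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 when FILE exists and grants no group/other access (mode 400 or 600).
private_file_ok() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        400|600) return 0 ;;
        *) echo "too permissive (mode $mode): $f"; return 1 ;;
    esac
}

# Return 0 when the stream driver auth mode in CONF is "anon"
# (server-side InputTCPServer... or client-side ActionSend... directive).
auth_mode_is_anon() {
    grep -Eq '^[[:space:]]*\$(Action(Send)?|InputTCPServer)StreamDriverAuthMode[[:space:]]+anon' "$1"
}

# Check the CA file, certificate and key referenced by CONF. Returns 0 if all
# are usable; prints one line per problem otherwise.
rsyslog_tls_files_check() {
    conf=$1; rc=0
    ca=$(directive_value "$conf" DefaultNetstreamDriverCAFile)
    cert=$(directive_value "$conf" DefaultNetstreamDriverCertFile)
    key=$(directive_value "$conf" DefaultNetstreamDriverKeyFile)
    for f in "$ca" "$cert"; do
        if [ -z "$f" ] || [ ! -r "$f" ]; then
            echo "missing or unreadable: ${f:-<directive not set>}"; rc=1
        fi
    done
    if [ -z "$key" ]; then
        echo "DefaultNetstreamDriverKeyFile not set"; rc=1
    else
        private_file_ok "$key" || rc=1
    fi
    auth_mode_is_anon "$conf" && echo "warning: anon auth mode, peer is not authenticated"
    return $rc
}

# Usage: sh rsyslog-tls-check.sh /etc/asgard-management-center/rsyslog-asgard.conf
if [ "$#" -eq 1 ]; then
    rsyslog_tls_files_check "$1" && echo "TLS file references in $1 look good"
fi
```

Run it as root on the host whose configuration you are checking; a non-zero exit status means at least one referenced file is missing, unreadable, or (for the key) readable by other users, which is exactly the class of mistake that makes the subsequent "systemctl status rsyslog" show driver errors.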
If only the client should trust the server certificate, you can use the "anon" authmode. The rsyslog documentation does not recommend this. If you decide to do so anyway, the corresponding line must look like this:
$ActionSendStreamDriverAuthMode anon #anonymous authentication
Restart the Rsyslog service:
systemctl restart rsyslog
Check for errors:
systemctl status rsyslog
Test the connection to your Rsyslog. The return code should be "0":
openssl s_client -host YOUR-SYSLOG-FQDN -port 6514 -cert /etc/asgard-management-center/rsyslog.crt -key /etc/asgard-management-center/rsyslog.key
Verify return code: 0 (ok)
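The following script is an added example, not part of this article or of ASGARD. It turns the manual "Verify return code: 0 (ok)" checks from both the server-side test (section A, Step 4) and the client-side test above into a scriptable probe with a meaningful exit status, which can be run from cron or a monitoring job. Host name, port and certificate paths are passed as arguments; the sample s_client output embedded for the self-test is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not part of the original article: run the openssl s_client
# handshake used in the article and reduce its output to a verify code and
# reason, so the check can fail a script or a monitoring job instead of
# relying on someone reading the output. Arguments are assumptions, replace
# them with your own host, port and certificate paths.

# Extract the numeric verify code from openssl s_client output on stdin.
# Prints nothing when the line is absent (e.g. the TCP connection failed).
verify_code() {
    sed -n 's/.*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extract the human-readable reason, e.g. "unable to get local issuer certificate".
verify_reason() {
    sed -n 's/.*Verify return code: [0-9]* (\(.*\)).*/\1/p' | head -n 1
}

# Run the handshake against HOST:PORT with the client certificate and key
# (a server in x509/certvalid mode expects one) and print the verify code.
tls_probe() {
    host=$1; port=$2; cert=$3; key=$4
    openssl s_client -connect "$host:$port" -servername "$host" \
        -cert "$cert" -key "$key" </dev/null 2>/dev/null | verify_code
}

# Return 0 only when the probe reports verify code 0.
tls_probe_ok() {
    code=$(tls_probe "$@")
    [ "$code" = "0" ]
}

# Constructed sample of s_client output (not a real capture) used for a self-test.
SAMPLE_OUTPUT='CONNECTED(00000003)
depth=0 CN = syslog.example.org
---
SSL handshake has read 2013 bytes and written 401 bytes
Verify return code: 21 (unable to verify the first certificate)
---'

# Self-test of the parsers against the constructed sample.
selfcheck() {
    [ "$(printf '%s\n' "$SAMPLE_OUTPUT" | verify_code)" = "21" ] &&
    [ "$(printf '%s\n' "$SAMPLE_OUTPUT" | verify_reason)" = "unable to verify the first certificate" ]
}

# Usage: sh check-syslog-tls.sh YOUR-SYSLOG-FQDN 6514 \
#            /etc/asgard-management-center/rsyslog.crt /etc/asgard-management-center/rsyslog.key
if [ "$#" -eq 4 ]; then
    code=$(tls_probe "$@")
    if [ "$code" = "0" ]; then
        echo "TLS to $1:$2 verified OK"
    else
        echo "TLS to $1:$2 FAILED (verify code: ${code:-no handshake})" >&2
        exit 1
    fi
fi
```

A non-zero code points at the trust chain (for example 21 means the server certificate is not signed by a CA in the trust store, which on Debian is what update-ca-certificates populates), while an empty code means the TCP connection or handshake never completed (firewall, wrong port, or Rsyslog not listening).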