This section describes how to configure mutual authentication between the syslog-ng server and the client. Configuring mutual authentication is similar to configuring TLS (for details, see Encrypting log messages with TLS), but the server verifies the identity of the client as well. Therefore, each client must have a certificate, and the server must have the certificate of the CA that issued the certificate of the clients. For the concepts of using TLS in syslog-ng, see Secure logging using TLS.
Preface
Introduction to syslog-ng
What syslog-ng is
What syslog-ng is not
Why is syslog-ng needed?
What is new in syslog-ng Premium Edition 7?
Who uses syslog-ng?
Supported platforms
The concepts of syslog-ng
The philosophy of syslog-ng
Logging with syslog-ng
Modes of operation
Global objects
Timezones and daylight saving
Versions and releases of syslog-ng Premium Edition
Licensing
GPL and LGPL licenses
High availability support
The structure of a log message
Message representation in syslog-ng PE
Structuring macros, metadata, and other value-pairs
Things to consider when forwarding messages between syslog-ng PE hosts
Using syslog-ng PE with NFS or CIFS (or SMB) file system for log files
Installing syslog-ng PE
Prerequisites to installing syslog-ng PE
Security-enhanced Linux: grsecurity, SELinux
Installing syslog-ng PE on RPM-based platforms (Red Hat, SUSE, AIX)
Using syslog-ng PE on SELinux
Installing syslog-ng PE on Debian-based platforms
Installing syslog-ng in Docker
Installing syslog-ng using the .run installer
The syslog-ng PE quick-start guide
Installing syslog-ng PE in client or relay mode
Installing syslog-ng PE in server mode
Installing syslog-ng PE without user-interaction
Upgrading syslog-ng PE
Upgrading from syslog-ng PE 7.0.x to version 7
Upgrading from syslog-ng PE 6.0.x to version 7
Upgrading syslog-ng PE to other package versions
Upgrading from syslog-ng PE to syslog-ng OSE
Upgrade from syslog-ng OSE to syslog-ng PE
Upgrading from complete syslog-ng PE to client setup version of syslog-ng PE
Upgrading the sql() source of syslog-ng PE
Uninstalling syslog-ng PE
Configuring Microsoft SQL Server to accept logs from syslog-ng
Configuring syslog-ng on client hosts
Configuring syslog-ng on server hosts
Configuring syslog-ng relays
Managing and checking syslog-ng PE service on Linux
The syslog-ng PE configuration file
Location of the syslog-ng configuration file
The configuration syntax in detail
Notes about the configuration syntax
Defining configuration objects inline
Using channels in configuration objects
Global and environmental variables
Logging configuration changes
Modules in syslog-ng Premium Edition (syslog-ng PE)
Managing complex syslog-ng configurations
Collecting log messages — sources and source drivers
Including configuration files
Reusing configuration blocks
Generating configuration blocks from a script
Python code in external files
Logging from your Python code
How sources work
default-network-drivers: Receive and parse common syslog messages
internal: Collecting internal messages
file: Collecting messages from text files
google-pubsub: collecting messages from the Google Pub/Sub messaging service
Sending and storing log messages — destinations and destination drivers
Prerequisites
Limitations
Supported platforms
Declaration
The Google Pub/Sub message format in syslog-ng PE
wildcard-file: Collecting messages from multiple text files
linux-audit: Collecting messages from Linux audit logs
mssql, oracle, sql: collecting messages from an SQL database
The contents of the Google Pub/Sub Message body on the syslog-ng Premium Edition (syslog-ng PE) side
The contents of the Google Pub/Sub Message attributes on the syslog-ng PE (syslog-ng PE) side
Processing incoming message contents in raw message format and in .JSON format
google-pubsub() source options
Preventing message duplication resulting from the At-Least-Once delivery behavior
Error messages you may encounter while using the google-pubsub() source
mssql(), oracle(), and sql() source options
Customizing mssql() queries
Configuring TLS encryption for MSSQL servers
Possible connection errors between the MSSQL server (2019) and syslog-ng PE 7 LTS
network: Collecting messages using the RFC3164 protocol (network() driver)
office365: Fetching logs from Office 365
Configuring Office 365 to permit fetching logs
office365() source options
Troubleshooting audit logging in Office 365
osquery: Collect and parse osquery result logs
pipe: Collecting messages from named pipes
program: Receiving messages from external applications
python: writing server-style Python sources
python-fetcher: writing fetcher-style Python sources
snmptrap: Read Net-SNMP traps
syslog: Collecting messages using the IETF syslog protocol (syslog() driver)
system: Collecting the system-specific log messages of a platform
systemd-journal: Collecting messages from the systemd-journal system log storage
systemd-syslog: Collecting systemd messages using a socket
tcp, tcp6,udp, udp6: Collecting messages from remote hosts using the BSD syslog protocol
udp-balancer: Receiving UDP messages at very high rate
unix-stream, unix-dgram: Collecting messages from UNIX domain sockets
windowsevent: Collecting Windows event logs
elasticsearch2>: Sending messages directly to Elasticsearch version 2.0 or higher (DEPRECATED)
Routing messages: log paths, flags, and filters
Prerequisites
How syslog-ng PE interacts with Elasticsearch
Client modes
Elasticsearch2 destination options (DEPRECATED)
elasticsearch-http: Sending messages to Elasticsearch HTTP Event Collector
file: Storing messages in plain-text files
google_pubsub(): Sending logs to the Google Cloud Pub/Sub messaging service
Limitations
Configuring the google_pubsub() destination
google_pubsub() destination options
Available endpoints for the google_pubsub() destination
Error messages you may encounter while using the google_pubsub() destination
google_pubsub-managedaccount(): Sending logs to the Google Cloud Pub/Sub messaging service authenticated by Google Cloud managed service account
Limitations
Configuring the google_pubsub_managedaccount() destination
google_pubsub_managedaccount() destination options
Available endpoints for the google_pubsub_managedaccount() destination
Error messages you can encounter while using the google_pubsub_managedaccount() destination
hdfs: Storing messages on the Hadoop Distributed File System (HDFS)
Prerequisites
How syslog-ng PE interacts with HDFS
Storing messages with MapR-FS
Kerberos authentication with syslog-ng hdfs() destination
HDFS destination options
http: Posting messages over HTTP
kafka(): Publishing messages to Apache Kafka (Java implementation) (DEPRECATED)
kafka-c(): Publishing messages to Apache Kafka using the librdkafka client (C implementation)
kafka-c(): Prerequisites and limitations
kafka-c(): Shifting from the Java implementation to the C implementation
kafka-c(): Flow control in syslog-ng PE and the Kafka client
Options of the kafka-c() destination
logstore: Storing messages in encrypted files
mongodb: Storing messages in a MongoDB database
network: Sending messages to a remote log server using the RFC3164 protocol (network() driver)
pipe: Sending messages to named pipes
program: Sending messages to external applications
python: writing custom Python destinations
sentinel(): Sending logs to the Microsoft Azure Sentinel cloud
Configuring the sentinel() destination to send logs to the Microsoft Azure Sentinel cloud
snmp: Sending SNMP traps
smtp: Generating SMTP messages (email) from logs
splunk-hec: Sending messages to Splunk HTTP Event Collector
sql(): Storing messages in an SQL database
Getting the required credentials to configure syslog-ng PE as a Data Connector for Microsoft Azure Sentinel
Log types
sentinel() destination options
Using the sql() driver with an Oracle database
Using the sql() driver with a Microsoft SQL database
The way syslog-ng PE interacts with the database
sql() destination options
stackdriver: Sending logs to the Google Stackdriver cloud
syslog: Sending messages to a remote logserver using the IETF-syslog protocol
syslog-ng(): Forward logs to another syslog-ng node
tcp, tcp6, udp, udp6: Sending messages to a remote log server using the legacy BSD-syslog protocol (tcp(), udp() drivers)
unix-stream, unix-dgram: Sending messages to UNIX domain sockets
usertty: Sending messages to a user terminal — usertty() destination
Client-side failover
Log paths
Managing incoming and outgoing messages with flow-control
Using the disk-buffer option and memory buffering
Global options of syslog-ng PE
TLS-encrypted message transfer
Enabling the reliable disk-buffer option
Enabling the normal disk-buffer option
How to get information about disk-buffer files
Filters
Information about disk-buffer files
Getting the list of disk-buffer files
Getting the status information of disk-buffer files
Printing the content of disk-buffer files
Orphan disk-buffer files
How to process messages from an orphan disk-buffer file using a separate syslog-ng PE instance
How to empty disk-buffer files
Enabling memory buffering
About disk queue files
Using filters
Combining filters with boolean operators
Comparing macro values in filters
Using wildcards, special characters, and regular expressions in filters
Tagging messages
Filter functions
Dropping messages
Secure logging using TLS
Encrypting log messages with TLS
Mutual authentication using TLS
Password-protected keys
TLS options
Advanced Log Transport Protocol
Reliability and minimizing the loss of log messages
Introduction
Flow control, no disk-buffer option, no ALTP
Flow control, normal disk-buffer option, no ALTP
Flow control, reliable disk-buffer option, no ALTP
Flow control, reliable disk-buffer option, ALTP
Deciding which loss prevention mechanism to apply
Manipulating messages
Customizing message format using macros and templates
parser: Parse and segment structured messages
Formatting messages, filenames, directories, and tablenames
Templates and macros
Date-related macros
Hard versus soft macros
Macros of syslog-ng PE
Using template functions
Template functions of syslog-ng PE
Modifying the on-the-wire message format
Modifying messages using rewrite rules
Replacing message parts
Setting message fields to specific values
Unsetting message fields
Creating custom SDATA fields
Setting multiple message fields to specific values
Conditional rewrites
Anonymizing credit card numbers
Regular expressions
Parsing syslog messages
Parsing messages with comma-separated and similar values
Parsing key=value pairs
JSON parser
XML parser
Parsing dates and timestamps
Cisco Parser
Linux audit parser
Python parser
Parsing enterprise-wide message model (EWMM) messages
Sudo parser
iptables parser
Processing message content with a pattern database
Classifying log messages
Using pattern databases
Correlating log messages using pattern databases
Triggering actions for identified messages
Creating pattern databases
Correlating log messages
Enriching log messages with external data
Monitoring statistics and metrics of syslog-ng
Metrics and counters of syslog-ng PE
Log statistics from the internal() source
The monitoring() source
Multithreading and scaling in syslog-ng PE
Multithreading concepts of syslog-ng PE
Configuring multithreading
Optimizing multithreaded performance
Troubleshooting syslog-ng
Possible causes of losing log messages
Creating syslog-ng core files
Collecting debugging information with strace, truss, or tusc
Running a failure script
Stopping syslog-ng
Reporting bugs and finding help
Error messages
Best practices and examples
General recommendations
Handling large message load
Using name resolution in syslog-ng
Collecting logs from chroot
Configuring log rotation
Load balancing logs between multiple destinations
The syslog-ng manual pages
Glossary
Mutual authentication using TLS
Configuring TLS on the syslog-ng clients
TLS-encrypted message transfer > Mutual authentication using TLS > Configuring TLS on the syslog-ng clients
Complete the following steps on every syslog-ng client host. Examples are provided using both the legacy BSD-syslog protocol (using the network() driver) and the new IETF-syslog protocol standard (using the syslog() driver):
To configure TLS on the syslog-ng clients
-
Create an X.509 certificate
Create an X.509 certificate for the syslog-ng client.
-
Copy the certificate and private key
Copy the certificate (for example, client_cert.pem) and the matching private key (for example, client.key) to the syslog-ng client host, for example, into the /opt/syslog-ng/etc/syslog-ng/cert.d directory. The certificate must be a valid X.509 certificate in PEM format. If you want to use a password-protected key, see Password-protected keys.
-
Copy the CA certificate to the client host
Copy the CA certificate of the Certificate Authority (for example, cacert.pem) that issued the certificate of the syslog-ng server (or the self-signed certificate of the syslog-ng server) to the syslog-ng client hosts, for example, into the /opt/syslog-ng/etc/syslog-ng/ca.d directory.
-
Issue commands
Issue the following command on the certificate: openssl x509 -noout -hash -in cacert.pem The result is a hash (for example, 6d2962a8), a series of alphanumeric characters based on the Distinguished Name of the certificate.
Issue the following command to create a symbolic link to the certificate that uses the hash returned by the previous command and the .0 suffix.
ln -s cacert.pem 6d2962a8.0
-
Add a destination statement to the syslog-ng configuration file that uses the tls( ca-dir(path_to_ca_directory) ) option and specify the directory using the CA certificate. The destination must use the network() or the syslog() destination driver, and the IP address and port parameters of the driver must point to the syslog-ng server. Include the client's certificate and private key in the tls() options.
Example: A destination statement using mutual authentication
The following destination encrypts the log messages using TLS and sends them to the 1999/TCP port of the syslog-ng server having the 10.1.2.3 IP address. The private key and the certificate file authenticating the client is also specified.
destination demo_tls_destination { network("10.1.2.3" port(1999) transport("tls") tls( ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d") key-file("/opt/syslog-ng/etc/syslog-ng/key.d/client.key") cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/client_cert.pem")) ); };destination demo_tls_syslog_destination { syslog("10.1.2.3" port(1999) transport("tls") tls( ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d") key-file("/opt/syslog-ng/etc/syslog-ng/key.d/client.key") cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/client_cert.pem")) ); }; -
Include destination in a log statement
Include the destination created in the Step Add a destination statement in a log statement.
Caution: The encrypted connection between the server and the client fails if the Common Name or the subject_alt_name parameter of the server certificate does not contain the hostname or the IP address (as resolved from the syslog-ng clients and relays) of the server.
Do not forget to update the certificate files when they expire.
Configuring TLS on the syslog-ng server
TLS-encrypted message transfer > Mutual authentication using TLS > Configuring TLS on the syslog-ng server
Complete the following steps on the syslog-ng server:
To configure TLS on the syslog-ng clients
-
Copy the certificate (for example, syslog-ng.cert) of the syslog-ng server to the syslog-ng server host, for example, into the /opt/syslog-ng/etc/syslog-ng/cert.d directory. The certificate must be a valid X.509 certificate in PEM format.
-
Copy the CA certificate (for example, cacert.pem) of the Certificate Authority that issued the certificate of the syslog-ng clients to the syslog-ng server, for example, into the /opt/syslog-ng/etc/syslog-ng/ca.d directory.
Issue the following command on the certificate: openssl x509 -noout -hash -in cacert.pem The result is a hash (for example, 6d2962a8), a series of alphanumeric characters based on the Distinguished Name of the certificate.
Issue the following command to create a symbolic link to the certificate that uses the hash returned by the previous command and the .0 suffix.
ln -s cacert.pem 6d2962a8.0
-
Copy the private key (for example, syslog-ng.key) matching the certificate of the syslog-ng server to the syslog-ng server host, for example, into the /opt/syslog-ng/etc/syslog-ng/key.d directory. The key must be in PEM format. If you want to use a password-protected key, see Password-protected keys.
-
Add a source statement to the syslog-ng configuration file that uses the tls( key-file(key_file_fullpathname) cert-file(cert_file_fullpathname) ) option and specify the key and certificate files. The source must use the source driver (network() or syslog()) matching the destination driver used by the syslog-ng client. Also specify the directory storing the certificate of the CA that issued the client's certificate.
For the details of the available tls() options, see TLS options.
Example: A source statement using TLS
The following source receives log messages encrypted using TLS, arriving to the 1999/TCP port of any interface of the syslog-ng server.
source demo_tls_source { network(ip(0.0.0.0) port(1999) transport("tls") tls( key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key") cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert") ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d")) ); };A similar source for receiving messages using the IETF-syslog protocol:
source demo_tls_syslog_source { syslog(ip(0.0.0.0) port(1999) transport("tls") tls( key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key") cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert") ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d")) ); };Caution: Do not forget to update the certificate and key files when they expire.
Password-protected keys
Starting with syslog-ng PE version
Restrictions and limitations
-
IMPORTANT: Hazard of data loss! If you use password-protected keys, you must provide the passphrase of the password-protected keys every time syslog-ng PE is restarted (syslog-ng PE keeps the passphrases over reloads). The sources and destinations that use these keys will not work until you provide the passwords. Other parts of the syslog-ng PE configuration will be unaffected.
This means that if you use a password-protected key in a destination, and you use this destination in a log path that has multiple destinations, neither destinations will receive log messages until you provide the password. In this cases, always use the disk-buffer option to avoid data loss.
-
The path and the filename of the private key cannot contain whitespaces.
-
Depending on your platform, the number of passwords syslog-ng PE can use at the same time might be limited (for example, on Ubuntu 16.04 you can store 16 passwords if you are running syslog-ng PE as a non-root user). If you use lots of password-protected private keys in your syslog-ng PE configuration, increase this limit using the following command: sudo ulimit -l unlimited
Providing the passwords
The syslog-ng-ctl credentials status command allows you to query the status of the private keys that syslog-ng PE uses in the network() and syslog() drivers. The command returns the list of private keys used, and their status. For example:
syslog-ng-ctl credentials status Secret store status: /home/user/ssl_test/client-1/client-encrypted.key SUCCESS
If the status of a key is PENDING, you must provide the passphrase for the key, otherwise syslog-ng PE cannot use it. The sources and destinations that use these keys will not work until you provide the passwords. Other parts of the syslog-ng PE configuration will be unaffected. You must provide the passphrase of the password-protected keys every time syslog-ng PE is restarted.
The following log message also notifies you of PENDING passphrases:
Waiting for password; keyfile='private.key'
You can add the passphrase to a password-protected private key file using the following command. syslog-ng PE will display a prompt for you to enter the passphrase. We recommend that you use this method.
syslog-ng-ctl credentials add --id=<path-to-the-key>
Alternatively, you can include the passphrase in the --secret parameter:
syslog-ng-ctl credentials add --id=<path-to-the-key> --secret=<passphrase-of-the-key>
Or you can pipe the passphrase to the syslog-ng-ctl command, for example:
echo "<passphrase-of-the-key>" | syslog-ng-ctl credentials add --id=<path-to-the-key>
For details on the syslog-ng-ctl credentials command, see The syslog-ng control tool manual page.