syslog-ng Premium Edition 6.0.21 - Administrator Guide for syslog-ng Agent for Windows

Chapter 6. Using SSL-encrypted connections with the syslog-ng Agent

When connecting to a syslog-ng server using an encrypted connection, the syslog-ng Agent for Windows verifies the certificate of the server. The connection can be established only if the syslog-ng Agent for Windows can verify the certificate of the syslog server. For this, import one of the following certificates into the Certificate Store (MMC > Certificates > Computer Account > Local Computer > Trusted Root Certificates) of the Windows-based host:

  • The certificate of the Certificate Authority (CA) that issued the certificate of the server

  • If your server uses a self-signed certificate, import the self-signed certificate

For details on importing certificates, see Procedure 6.3, “Importing certificates with the Microsoft Management Console”.

NOTE:

This certificate (sometimes also called the CACert of the server) is not the certificate of the server: it is the certificate of the CA that signed the certificate of the server.

Procedure 6.1. Enabling encrypted connections

Purpose: 

To enable SSL-encrypted connections to the server, complete the following steps:

Steps: 

  1. Start the configuration interface of the syslog-ng Agent for Windows application.

  2. Select syslog-ng Agent Settings > Destinations.

  3. Right-click on the server that accepts encrypted connections and select Properties.

  4. Select the Use SSL option.

    Caution:

    The connection is established only if the syslog-ng Agent for Windows can verify the certificate of the syslog server. For this, import one of the following certificates into the Certificate Store (MMC > Certificates > Computer Account > Local Computer > Trusted Root Certificates) of the Windows-based host:

    • The certificate of the Certificate Authority (CA) that issued the certificate of the server

    • If your server uses a self-signed certificate, import the self-signed certificate

    For details on importing certificates, see Procedure 6.3, “Importing certificates with the Microsoft Management Console”.

    NOTE:

    The subject_alt_name parameter (or the Common Name parameter if the subject_alt_name parameter is empty) of the server's certificate must contain the hostname or the IP address (as resolved from the syslog-ng clients and relays) of the server (for example syslog-ng.example.com).

    Alternatively, the Common Name or the subject_alt_name parameter can contain a generic hostname, for example *.example.com.

    Note that if the Common Name of the certificate contains a generic hostname, do not specify a specific hostname or an IP address in the subject_alt_name parameter.

  5. Click Advanced Options.

    Figure 6.1. Advanced Options: allowing compression, and advanced RLTP settings

    To compress the messages during transfer to save bandwidth, select the Allow Compression option. Note that for syslog-ng Agent to actually use compression, all of the following conditions must be met.

    • The Server > Advanced Options > Allow Compression option must be enabled.

    • You must use SSL and/or RLTP to send messages to the logserver (that is, at least one of the Use syslog-ng proprietary Reliable Log Transfer Protocol (RLTP) or Use TLS encryption options must be enabled).

    • The logserver must be configured to enable compression. If the logserver is syslog-ng PE, the proper allow-compress() option must be enabled in the source. If the logserver is syslog-ng Store Box, enable the Log > Sources > Allow compression option. Note that to send compressed messages to syslog-ng Store Box, you must use the RLTP™ protocol (for details, see the syslog-ng Documentation page).

  6. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.
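
The following added example (PowerShell, not part of the original guide or of the syslog-ng Agent) connects to the destination from the Windows host and reports whether Windows trusts the server's certificate chain and whether the certificate name matches the Server Name, the two conditions described in Step 4. The port 6514 and the function name Test-SyslogServerCertificate are assumptions. The verdict comes from the Windows SslStream checks under the account that runs the script, which is assumed, not confirmed, to match what the agent itself decides.

```powershell
# Added example, not from the syslog-ng guide: show how Windows judges the
# server certificate before "Use SSL" is enabled for a destination.
param(
    [string]$Server = 'syslog-ng.example.com',  # Server Name of the destination
    [int]$Port = 6514                           # assumed TLS port, set your own
)

function Test-SyslogServerCertificate {
    param([string]$Server, [int]$Port)
    $seen = @{ Errors = 0; Chain = @() }
    # Accept the handshake but record the verdict, so that an untrusted chain
    # or a name mismatch is reported instead of only failing the connection.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $policyErrors)
        $seen.Errors = [int]$policyErrors
        $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # the name check uses this Server Name
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # OID 2.5.29.17 is the Subject Alternative Name extension.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
               ForEach-Object { $_.Format($false) }
        $chainFlag = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
        $nameFlag  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        [pscustomobject]@{
            Subject      = $cert.Subject
            SubjectAlt   = $san
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            ChainTrusted = ($seen.Errors -band $chainFlag) -eq 0
            NameMatches  = ($seen.Errors -band $nameFlag) -eq 0
            ChainStatus  = $seen.Chain -join ', '
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

Test-SyslogServerCertificate -Server $Server -Port $Port
```

If ChainTrusted is False, the issuing CA certificate (or the self-signed server certificate) is missing from the Trusted Root store; if NameMatches is False, compare Subject and SubjectAlt with the Server Name of the destination.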

Using mutual authentication with syslog-ng Agent

When the syslog-ng server is configured to use mutual authentication, it requests a certificate from the syslog-ng clients. The syslog-ng Agent application can automatically show the requested certificate to the server when the connection is established, provided it is available in the Personal Certificates store (MMC > Certificates > Computer Account > Local Computer > Personal Certificates) of the Local Computer. Use the Certificate Import Wizard to import this certificate. For details, see Procedure 6.3, “Importing certificates with the Microsoft Management Console”.

NOTE:

If a certificate revocation list (CRL) is available in the Local Computer/Personal Certificates store, the syslog-ng Agent verifies that the certificate of the syslog-ng server is not on this list.

Procedure 6.2. Configuring mutual authentication with the syslog-ng Agent for Windows

Purpose: 

If the syslog-ng server requests authentication from the syslog-ng Agent, complete the following steps.

Steps: 

  1. Create certificates for the clients. By default, the syslog-ng Agent will look for a certificate that contains the hostname or IP address of the central syslog-ng server in its Common Name. If you use a different Common Name, do not forget to complete Step 3 to set the Common Name of the certificate.

    The certificate must contain the private key and must be in PKCS12 format.

    TIP:

    To convert a certificate and a key from PEM format to PKCS12 you can use the following command:

    openssl pkcs12 -export -in agentcertificate.pem -inkey agentprivatekey.pem -out agentcertificatewithkey.pfx

  2. Import this certificate into the Personal Certificate store of the Local Computer using the Certificate Import Wizard. For details, see Procedure 6.3, “Importing certificates with the Microsoft Management Console”.

  3. By default, the syslog-ng Agent will look for a certificate that contains the hostname or IP address of the central syslog-ng server in its Common Name. (The agent will look for the server name or address set in the Server Name field of the destination.) If the certificate of the client has a different Common Name, complete the following steps:

    1. Start the configuration interface of the syslog-ng Agent for Windows application.

    2. Select syslog-ng Agent Settings > Destinations.

    3. Right-click on the server that requires mutual authentication and select Properties.

    4. Select the Use SSL option, click Select, then select the certificate to use. You can also type the Common Name of the certificate into the Client Certificate Subject field.

      If you have more than one certificate with the same Common Name, you can instead type the Distinguished Name (DN) of the certificate into the Client Certificate Subject field. When using the Distinguished Name, type only the elements of the name, separated with commas, starting with the country. For example: US, Maryland, Pasadena, Example Inc, Sample Department, mycommonname

      NOTE:

      A common practice is to use the hostname or the IP address of the host running the syslog-ng Agent as the Common Name of the certificate (for example syslog-ng-agent1.example.com).

  4. Select Apply, then OK. To activate the changes, restart the syslog-ng Agent service.

Procedure 6.3. Importing certificates with the Microsoft Management Console

Purpose: 

To import a certificate, complete the following steps.

Steps: 

  1. Start Microsoft Management Console by executing mmc.exe (Start menu > Run application).

    NOTE:

    Running mmc.exe requires administrator privileges.

  2. Click on the Add/Remove snap-in item of the File menu.

  3. Click Add, select the Certificates module, and click Add.

  4. Select Computer account in the displayed window and click Next.

  5. Select Local computer and click Close.

  6. To import the CA certificate of the syslog-ng server's certificate, navigate to Console Root > Certificates > Trusted Root Certification Authorities > Certificates.

    To import a certificate for the syslog-ng Agent to perform mutual authentication, navigate to Console Root > Certificates > Personal > Certificates.

  7. Right-click on the Certificates folder and select All tasks > Import from the context menu. The Certificate Import Wizard is displayed. Click Next.

    Optional step: Certificates used to authenticate the syslog-ng Agent in mutual authentication include the private key. Provide the password for the private key when requested.

  8. Windows offers a suitable certificate store by default, so click Next.

  9. Click Finish on the summary window, then Yes on the window that confirms the successful import of the certificate.
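
The import in Procedure 6.3 can also be scripted. The following added example (not part of the original guide) uses the Import-Certificate and Import-PfxCertificate cmdlets of the Windows PKI module, then checks the points that Procedure 6.2 depends on: the private key, the validity period, and the Common Name. The file name cacert.cer, the parameter names and the sample Server Name are placeholders, and the cmdlets are assumed to be available on the host (older Windows versions do not include them).

```powershell
# Added example, not from the syslog-ng guide. Run in an elevated PowerShell session.
param(
    [string]$CaCertPath   = '.\cacert.cer',                   # placeholder file name
    [string]$AgentPfxPath = '.\agentcertificatewithkey.pfx',  # file produced by openssl pkcs12
    [string]$ServerName   = 'syslog-ng.example.com'           # Server Name of the destination
)

# The CA certificate (or the self-signed server certificate) goes to Trusted Root.
$ca = Import-Certificate -FilePath $CaCertPath -CertStoreLocation Cert:\LocalMachine\Root
'Trusted root: {0} [{1}]' -f $ca.Subject, $ca.Thumbprint

# The agent certificate with its private key goes to Personal. Without the
# -Exportable switch the private key is stored as non-exportable.
$password = Read-Host -AsSecureString -Prompt 'Password of the PKCS12 file'
$imported = @(Import-PfxCertificate -FilePath $AgentPfxPath -Password $password `
                                    -CertStoreLocation Cert:\LocalMachine\My)
$agent = $imported | Where-Object { $_.HasPrivateKey } | Select-Object -First 1

$problems = @()
if (-not $agent) {
    $problems += 'no certificate with a private key was imported'
} else {
    $cn  = $agent.GetNameInfo('SimpleName', $false)
    $now = Get-Date
    if ($now -lt $agent.NotBefore -or $now -gt $agent.NotAfter) {
        $problems += "certificate is outside its validity period ($($agent.NotBefore) to $($agent.NotAfter))"
    }
    # By default the agent looks for the Server Name in the Common Name.
    if ($cn -notlike "*$ServerName*") {
        $problems += "Common Name '$cn' does not contain '$ServerName': set Client Certificate Subject (Procedure 6.2, Step 3)"
    }
    $sameCn = @(Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $cn })
    if ($sameCn.Count -gt 1) {
        $problems += "$($sameCn.Count) certificates share this Common Name: enter the Distinguished Name instead"
    }
    'Agent certificate: {0} [{1}]' -f $agent.Subject, $agent.Thumbprint
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    'Import complete. Restart the syslog-ng Agent service to use the certificate.'
}
```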
