Collecting log messages is an essential part of managing, maintaining, and troubleshooting IT systems. Since your log messages can contain all kinds of sensitive information, you should make sure that they are kept safe. The easiest way to protect the log messages as they are transferred from your clients to your logserver is to authenticate and encrypt the connection between the client and the server.
This tutorial shows you step-by-step how to create the certificates required to authenticate your server and your clients, and how to configure syslog-ng Premium Edition (syslog-ng PE) to send your log messages in an encrypted connection. Installing syslog-ng PE is not covered, for details, see Installing syslog-ng PE in the Administration Guide.
The tutorial is organized as follows:
-
Creating self-signed certificates describes how to create the required certificates to encrypt and authenticate the connection between your logserver and your clients. Actually, you can use this part of the tutorial even if you do not use syslog-ng PE, as it is independent from the logging application you use.
-
Configuring syslog-ng PE describes how to configure syslog-ng PE on your clients and your logserver.
-
Testing what you have done gives you tips on how to test your configuration to make sure it is really working.
NOTE: Some of the command line examples in this tutorial are quite long. You might need to scroll the example to read the whole example.
Creating self-signed certificates
TLS-encryption uses certificates to authenticate the server, and in case of mutual authentication, the client as well. The following sections show you how to create the required certificates.
To use mutual authentication in syslog-ng PE, certificates are required. There are several commercial certificate authorities (CAs) who can help you, but the process costs both money and time (waiting until the submitted certificate is signed). This guide demonstrates how to create your very own Certificate Authority (CA) for creating self-signed certificates. It does not cover all the details, for example, changing expiration dates, only the minimally required steps to be able to use mutual authentication in syslog-ng PE.
There are handy tools, such as CA.pl, which can make certificate creation and signing easier, but they are not available on all platforms, even if it is part of the OpenSSL software suite. On the other hand, the OpenSSL command line tool is available on all Linux distributions and BSD variants, so this tool will be used in the guide.
This section describes how to create a CA.
NOTE: Some of the command line examples in this section are quite long. You might need to scroll the example to read the whole example.
To create a CA
-
Create an empty directory and navigate into that directory:
mkdir CA
cd CA
-
Create a few directories and give starting values to some support files:
mkdir certs crl newcerts private
echo "01" > serial
cp /dev/null index.txt
-
Copy openssl.conf to the current directory. Depending on your distributions, the source directory might be different, so check the list of files in the OpenSSL package before copying:
cp /etc/ssl/openssl.cnf openssl.cnf
-
Edit openssl.conf in the current directory:
vi openssl.cnf
-
Search for the following part and replace ./DemoCA with a single dot:
[ CA_default ]
dir = ./demoCA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
Change it to:
[ CA_default ]
dir = . # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
-
As a last step, generate the certificate for the CA:
openssl req -new -x509 -keyout private/cakey.pem -newkey rsa:4096 -out cacert.pem -days 365 -config openssl.cnf
NOTE: By including and customizing the -newkey rsa:<key size> element in your command line, you can set the key size that is compliant with your organization policy.
The following will be displayed. Answer the questions as in the example:
Generating a 1024 bit RSA private key
.++++++
......................++++++
writing new private key to 'private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Budapest
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mycompany
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:Example
Email Address []:example@mycompany.com
This section describes how to create a server certificate.
NOTE: Some of the command line examples in this section are quite long. You might need to scroll the example to read the whole example.
To create a server certificate
-
The next step is to create and sign a certificate for your syslog-ng PE server. The common name should contain the FQDN or IP address of your server, and the email address should be left blank.
openssl req -nodes -new -x509 -keyout serverkey.pem -newkey rsa:4096 -out serverreq.pem -days 365 -config openssl.cnf
NOTE: By including and customizing the -newkey rsa:<key size> element in your command line, you can set the key size that is compliant with your organization policy.
-
The following will be displayed. Answer the questions as in the example:
Generating a 1024 bit RSA private key
........................................++++++
.++++++
writing new private key to 'serverkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:HU
State or Province Name (full name) [Some-State]:Budapest
Locality Name (eg, city) []:Budapest
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mycompany
Organizational Unit Name (eg, section) []:.
Common Name (e.g. server FQDN or YOUR name) []:172.16.177.147
Email Address []:
example@linux-modi:~/CA> openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
Getting request Private Key
Generating certificate request
example@linux-modi:~/CA> openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem
Using configuration from openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 25 10:27:39 2014 GMT
Not After : Jun 25 10:27:39 2015 GMT
Subject:
countryName = HU
stateOrProvinceName = Budapest
localityName = Budapest
organizationName = Mycompany
commonName = 172.16.177.147
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
55:4E:B1:47:33:CF:0C:83:5F:29:64:9B:E9:99:77:DF:0E:72:52:76
X509v3 Authority Key Identifier:
keyid:D1:FF:ED:B4:0B:66:E6:45:EE:70:4F:DC:6C:C5:34:48:42:38:E9:38
Certificate is to be certified until Jun 25 10:27:39 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
-
Enter the following:
rm tmp.pem