Chat now with support
Chat with Support

syslog-ng Premium Edition 6.0.17 - Administration Guide

Preface Chapter 1. Introduction to syslog-ng Chapter 2. The concepts of syslog-ng Chapter 3. Installing syslog-ng Chapter 4. The syslog-ng PE quick-start guide Chapter 5. The syslog-ng PE configuration file Chapter 6. Collecting log messages — sources and source drivers Chapter 7. Sending and storing log messages — destinations and destination drivers Chapter 8. Routing messages: log paths, reliability, and filters Chapter 9. Global options of syslog-ng PE Chapter 10. TLS-encrypted message transfer Chapter 11. FIPS-compliant syslog-ng Chapter 12.  Reliable Log Transfer Protocol™ Chapter 13. Reliability and minimizing the loss of log messages Chapter 14. Manipulating messages Chapter 15. Parsing and segmenting structured messages Chapter 16. Processing message content with a pattern database Chapter 17. Statistics and metrics of syslog-ng Chapter 18. Multithreading and scaling in syslog-ng PE Chapter 19. Troubleshooting syslog-ng Chapter 20. Best practices and examples

Chapter 11. FIPS-compliant syslog-ng

Starting from syslog-ng PE version 5.0.4, LTS versions are Federal Information Processing Standards (FIPS)-compliant. Note that only the LTS versions of syslog-ng PE are FIPS-compliant, feature releases are not. For details on the versioning policy of syslog-ng PE see the section called “Versions and releases of syslog-ng PE.

Installing FIPS-compliant syslog-ng PE

For the FIPS-compliant version of syslog-ng PE, you are required to use the new license file. It uses SHA-512 algorithm, and therefore is accepted by the FIPS-compliant version. The non-FIPS-compliant syslog-ng PE will accept both the previously released license files and the new license files as well.

The following Linux platforms are supported:

  • debian-etch, debian-lenny, debian-squeeze

  • suse-10.1, sles-10.2, sles-11.0, sles-11.1

  • rhel-4, rhel-5, rhel-6

  • ubuntu-hardy, ubuntu-lucid

The FIPS-compliant version of syslog-ng PE is installed using a dedicated installer. The FIPS-compliant syslog-ng PE installer will replace the existing non-FIPS-compliant syslog-ng PE and the tools shipped with it to its FIPS-compliant counterpart. For the supported plaforms both .run and native installers are available. The name of the FIPS-compliant syslog-ng PE installers includes the 'fips' specifier, for example: syslog-ng-premium-edition-fips-5.0.4-linux-glibc2.3.6-amd64.run.

Upgrading from a non-FIPS-compliant version of syslog-ng PE to a FIPS-compliant version is simple, in most cases you can use your old configuration files. After starting the FIPS-compliant version of syslog-ng PE, it will print those options in your configuration that cannot be used with the FIPS-compliant version of syslog-ng PE.

To check the version of syslog-ng PE, use the -V command line option. It will display version details, modules, and enabled options. In the FIPS-compliant version the Enable-FIPS option is set to on while in the non-FIPS-compliant version it is set to off.

The startup message will also indicate this, the FIPS-compliant version of syslog-ng PE will display the following: FIPS-mode='enabled' .

Limitations of the FIPS-compliant syslog-ng PE

Limitations of the FIPS-compliant syslog-ng PE

The FIPS-compliant syslog-ng PE is compatible with the non-FIPS-compliant version with the following limitations:

  • The current FIPS-compliant version can only be run on Linux platforms.

  • The FIPS-compliant version of syslog-ng PE uses only those cryptographic algorithms that are considered to be secure according to the FIPS-140 standard, therefore the support of some hashing and encryption algorithms have been removed (for example MD5 and DES).

  • Currently there is no database support in the FIPS-compliant version (neither as source nor as destination).

  • The layout of the Certiface Authority directory (ca-dir) and the Certificate Revocation List directory (crl-dir) cannot be hashed with MD5. If the layout of your Certiface Authority directory (ca-dir) or the Certificate Revocation List directory is hashed with MD5, you must rehash it with SHA-1 to be able to use it with the FIPS-compliant version of syslog-ng PE.

  • To use verified TLS/SSL communtication in the FIPS-compliant version of syslog-ng PE, you are required to use certificates that are using one of the SHA-1 or SHA-2 algorithms ('SHA-1', 'SHA-224', 'SHA-256', 'SHA-384' or 'SHA-512').

  • The FIPS-compliant version of syslog-ng PE is unable to use DES or MD5 during the SNMP-authentication.

  • To use logstore with the FIPS-compliant version of syslog-ng PE you are required to set the cipher to one of the AES-based algorithms and to set the digest to one of the SHA-1 or SHA-2 algorithms ('SHA-1', 'SHA-224', 'SHA-256', 'SHA-384' or 'SHA-512').

  • With the FIPS-compliant version of syslog-ng PE, you will be unable to use the previously generated logstores that do not meet the abovementioned requirements. However, previously generated logstores that meet those requirements can be used.

For details on FIPS security functions, see Security Requirements for Cryptographic Modules.

Legal Notice of FIPS Compliance of Syslog-ng Premium Edition

Syslog-ng Premium Edition version 5.0.4 and the subsequent releases may claim FIPS compliance by use of the OpenSSL FIPS Object Module v2.0.5 cryptographic component. This component was certified by the Open Source Software Institute and obtained the FIPS-140-2 validation Level 1 (certificate number 1747) from the U.S. National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC).

The FIPS-compliant version of syslog-ng Premium Edition v5.0.4 and the subsequent releases exclusively use the OpenSSL FIPS Object Module indicated above for crypthograpy. The build process of the FIPS-compliant version of syslog-ng Premium Edition complies with the OpenSSL FIPS 140-2 Security Policy Version 2.0.5f.

Chapter 12.  Reliable Log Transfer Protocol™

Logging using RLTP

The syslog-ng PE application can send and receive log messages in a reliable way over the TCP transport layer using the Reliable Log Transfer Protocol™ (RLTP™). RLTP™ is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng PE hosts (for example, a client and a server, or a client-relay-server), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng PE, thus providing the best way to prevent message loss. The sender detects which messages has the receiver successfully received. If messages are lost during the transfer, the sender resends the missing messages, starting from the last successfully received message. Therefore, messages are not duplicated at the receiving end in case of a connection break (however, in failover mode this is not completely ensured). RLTP™ also allows to receive encrypted and non-encrypted connections on the same port, using a single source driver.

NOTE:

Because of the communication overhead, the RLTP™ protocol is slower than other transport protocols, which might be a problem if you need to collect a high amount (over 200000 messages per second) of log messages on your log server. For performance details of syslog-ng PE see the syslog-ng Premium Edition Performance Guideline at the syslog-ng Documentation page.

NOTE:

Make sure that you have set the value of the log_msg_size() parameter large enough in your configuration. If its size is less than the size of the sent messages, it might result in disk fill-up and no incoming logs.

Caution:

In the following cases, it is possible to lose log messages even if you use RLTP™:

  • If you use RLTP™ together with non-reliable disk-buffer, it is possible to lose logs.

  • When sending logs through a relay that is using a non-reliable disk-buffer, it is possible to lose logs if the relay crashes.

  • When sending logs through a relay that is using a non-reliable disk-buffer, it is possible that logs are duplicated if the relay crashes, or it is stopped.

  • If the underlying disk system of syslog-ng PE fails to write the log messages to the disk, but it does not return a write error, or some other hardware or operating-system error happens.

The RLTP™ protocol works on top of TCP, and can use STARTTLS for encryption. RLTP™ supports IPv4 and IPv6 addresses. Inside the RLTP™ message, the message can use any format, for example, RFC3164 (BSD-syslog) or RFC5424 (IETF-syslog). The default port of RLTP™ is 35514.

RLTP™ can be added to the configuration like a transport protocol within the syslog() driver and the network() driver.

Procedure 12.1. How RLTP™ connections work

Purpose: 

This procedure summarizes how two syslog-ng PE hosts (a sender and a receiver) communicate using the Reliable Log Transfer Protocol™ (RLTP™).

Prerequisites: 

The sender (also called the client) is the host that has RLTP™ configured in its destination driver. The receiver (also called the server) is the host that has RLTP™ configured in its source driver.

Steps: 

  1. The sender initiates the connection to the receiver.

  2. The sender and the receiver negotiate whether to encrypt the connection and to use compression or not.

  3. If the connection should be encrypted, the sender and the receiver perform authentication (as configured in the tls() options of their configuration).

  4. If the sender and the receiver have communicated earlier using RLTP™, the receiver indicates which was the last message received from the sender.

  5. The sender starts sending messages in batches. Batch size depends on the flush-lines() parameter of the sender.

    For optimal performance when sending messages to an syslog-ng PE server, make sure that the flush-lines() is smaller than the window size set using the log-iw-size() option in the source of your server.

  6. When the receiver has successfully processed the messages in the batch, it sends an acknowledgement of the processed messages to the sender.

    What "successfully processed" means depends on the configuration of the receiver, for example, written to disk in a destination, forwarded to a remote destination using notRLTP™, dropped because of filter settings, or written to the disk-buffer. (If the messages are forwarded using RLTP™, see the section called “Using RLTP™ in a client-relay-server scenario”.)

  7. After receiving the acknowledgement, the sender sends another batch of messages.

Using RLTP™ in a client-relay-server scenario

You can use RLTP™ between multiple syslog-ng PE hosts, for example, in a client-relay-server scenario. In such case, the communication described in Procedure 12.1, “How RLTP™ connections work” applies both between the client and the relay, and the relay and the server. However, note the following points:

  • Unless you use disk-buffer on the relay, the relay waits for acknowledgement from the server before acknowledging the messages to the client. If you send the messages in large batches, and the server can process the messages slowly (or the network connection is slow), you might have to adjust the message-acknowledgement-timeout() on the client.

  • If you use reliable disk-buffer on the relay, the relay will acknowledge the messages when the messages are written to the disk-buffer. That way, the client does not have to wait while the server acknowledges the messages.

Related Documents