syslog-ng Premium Edition 7.0.9 - Mutual authentication using TLS

Introduction

Collecting log messages is an essential part of managing, maintaining, and troubleshooting IT systems. Since your log messages can contain all kinds of sensitive information, you should make sure that they are kept safe. The easiest way to protect the log messages as they are transferred from your clients to your logserver is to authenticate and encrypt the connection between the client and the server.

This tutorial shows you step-by-step how to create the certificates required to authenticate your server and your clients, and how to configure syslog-ng Premium Edition (syslog-ng PE) to send your log messages in an encrypted connection. Installing syslog-ng PE is not covered, for details, see Administration Guide.

The tutorial is organized as follows:

  • Creating self-signed certificates describes how to create the required certificates to encrypt and authenticate the connection between your logserver and your clients. Actually, you can use this part of the tutorial even if you do not use syslog-ng PE, as it is independent from the logging application you use.

  • Configuring syslog-ng PE describes how to configure syslog-ng PE on your clients and your logserver.

  • Testing what you have done gives you tips on how to test your configuration to make sure it is really working.


Was this topic helpful?

[Select Rating]



Creating self-signed certificates

TLS-encryption uses certificates to authenticate the server, and in case of mutual authentication, the client as well. The following sections show you how to create the required certificates.

To use mutual authentication in syslog-ng PE, certificates are required. There are several commercial certificate authorities (CAs) who can help you, but the process costs both money and time (waiting until the submitted certificate is signed). This guide demonstrates how to create your very own Certificate Authority (CA) for creating self-signed certificates. It does not cover all the details, for example, changing expiration dates, only the minimally required steps to be able to use mutual authentication in syslog-ng PE.

There are handy tools, such as CA.pl, which can make certificate creation and signing easier, but they are not available on all platforms, even if it is part of the OpenSSL software suite. On the other hand, the OpenSSL command line tool is available on all Linux distributions and BSD variants, so this tool will be used in the guide.


Was this topic helpful?

[Select Rating]



Creating a CA

Purpose:

To create a CA, complete the following steps:

Steps:
  1. Create an empty directory and navigate into that directory:

    mkdir CA

    cd CA

  2. Create a few directories and give starting values to some support files:

    mkdir certs crl newcerts private

    echo "01" > serial

    cp /dev/null index.txt

  3. Copy openssl.conf to the current directory. Depending on your distributions, the source directory might be different, so check the list of files in the OpenSSL package before copying:

    cp /etc/ssl/openssl.cnf openssl.cnf

  4. Edit openssl.conf in the current directory:

    vi openssl.cnf

  5. Search for the following part and replace ./DemoCA with a single dot:

    [ CA_default ]
    
    dir             = ./demoCA              # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept 

    Change it to:

    [ CA_default ]
    
    dir             = .                     # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept 
  6. As a last step, generate the certificate for the CA:

    openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

    The following will be displayed. Answer the questions as in the example:

    Generating a 1024 bit RSA private key
    .++++++
    ......................++++++
    writing new private key to 'private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) [Some-State]:Budapest
    Locality Name (eg, city) []:Budapest
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Balabit
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:Peter Czanik
    Email Address []:czanik@balabit.com

Was this topic helpful?

[Select Rating]



Creating a server certificate

Purpose:

To create a server certificate, complete the following steps:

Steps:
  1. The next step is to create and sign a certificate for your syslog-ng PE server. The common name should contain the FQDN or IP address of your server, and the e-mail address should be left blank.

    openssl req -nodes -new -x509 -keyout serverkey.pem -out serverreq.pem -days 365 -config openssl.cnf

  2. The following will be displayed. Answer the questions as in the example:

    Generating a 1024 bit RSA private key
    ........................................++++++
    .++++++
    writing new private key to 'serverkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) [Some-State]:Budapest
    Locality Name (eg, city) []:Budapest
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Balabit
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:172.16.177.147
    Email Address []:
    czanik@linux-modi:~/CA> openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
    Getting request Private Key
    Generating certificate request
    czanik@linux-modi:~/CA> openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem
    Using configuration from openssl.cnf
    Enter pass phrase for ./private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jun 25 10:27:39 2014 GMT
                Not After : Jun 25 10:27:39 2015 GMT
            Subject:
                countryName               = HU
                stateOrProvinceName       = Budapest
                localityName              = Budapest
                organizationName          = Balabit
                commonName                = 172.16.177.147
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    55:4E:B1:47:33:CF:0C:83:5F:29:64:9B:E9:99:77:DF:0E:72:52:76
                X509v3 Authority Key Identifier:
                    keyid:D1:FF:ED:B4:0B:66:E6:45:EE:70:4F:DC:6C:C5:34:48:42:38:E9:38
    
    Certificate is to be certified until Jun 25 10:27:39 2015 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
        Data Base Updated 
  3. Enter the following:

    rm tmp.pem


Was this topic helpful?

[Select Rating]



Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents