Secure remote logging via syslog using SSL

Affects product: Airlock WAF
Affects version(s): 4.1, 4.2

If you forward your log messages via syslog, you might want to use SSL to protect the data in transit. This article explains how to configure syslog via SSL.

Simple setup

It's possible to do secure remote logging using an SSL connection. This means all log data forwarded to the loghost is encrypted while being sent over the network.

To enable logging via SSL, simply enable SSL/TLS in the "Loghost settings" under "Log settings" in the Configuration Center.

After activating the new configuration, all log messages are sent over an encrypted network connection.

Advanced setup using client certificates

To enhance security even more, Airlock can use client certificates to authenticate itself to the loghost. This means that only authenticated log clients are allowed to connect to the remote loghost.

Client certificates can be enabled easily:

  1. ssh root@yourairlock
  2. vi /opt/slt/ses/stunnel-syslog/etc/user.include
    and uncomment the section for the mode you wish to use. See further explanations below for all the available modes.
  3. copy your client certs (and CA related files if needed) to /opt/slt/ses/stunnel-syslog/cert
  4. adjust the permissions with
    chmod -R 040 /opt/slt/ses/stunnel-syslog/cert/*
  5. change ownership with
    chown -R www_inst:ssllog /opt/slt/ses/stunnel-syslog/cert
  6. activate the current configuration in the Airlock Configuration Center
  7. restart stunnel with
    /etc/init.d/slt.stunnel-syslog restart

Make sure to adjust the file permissions of the private keys and certificates properly to ensure that no other user can read this sensitive data.
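A read-only check to run after steps 4 and 5, added here as an example and not taken from Airlock's own tooling: it lists every file under the certificate directory whose mode is not exactly 040 or whose owner or group differs from www_inst:ssllog. The function names and finding labels are assumptions; the path, mode and owner come from the steps above.

```shell
#!/bin/sh
# Added example: audit the client-certificate directory from steps 3-5.
# Path, mode 040 and www_inst:ssllog come from the article; the function
# names and the finding labels are made up for this sketch.

# audit_cert_dir [DIR] [OWNER] [GROUP]
# Prints one finding per line.
# Returns 0 if clean, 1 on findings, 2 if DIR is missing.
audit_cert_dir() {
    dir=${1:-/opt/slt/ses/stunnel-syslog/cert}
    owner=${2:-www_inst}
    group=${3:-ssllog}
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    findings=$(
        # find also sees dotfiles, which the cert/* glob in step 4 skips.
        find "$dir" -type f ! -perm 040 | sed 's/^/MODE /'
        find "$dir" -type f ! -user "$owner" | sed 's/^/OWNER /'
        find "$dir" -type f ! -group "$group" | sed 's/^/GROUP /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample: one file set as in step 4, one left world-readable.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/client.pem"; chmod 040 "$d/client.pem"
    : > "$d/client.key"; chmod 644 "$d/client.key"
    echo "$d"
}

# On the appliance: sh audit.sh --run   (uses the article's defaults)
if [ "${1:-}" = "--run" ]; then
    audit_cert_dir
    exit $?
fi
```

An empty result with exit status 0 means every regular file in the directory matches what steps 4 and 5 set.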

 

There are three different modes to choose from when using client certificates:

  1. Simple means your Airlock is only allowed to connect to a remote loghost if it is able to provide a valid client certificate, but it won't verify anything about the server.
  2. Server CA includes Simple, but Airlock additionally verifies the remote loghost's certificate against a locally stored CA certificate.
  3. Server Cert is the strongest method: Airlock verifies that the loghost's certificate matches a locally stored certificate and was issued by a locally known CA.

Further information regarding the use of stunnel with client certificates can be found at the stunnel homepage.
