Chat now with support
Chat with Support

syslog-ng Premium Edition 7.0.34 - Mutual authentication using TLS

Introduction

Collecting log messages is an essential part of managing, maintaining, and troubleshooting IT systems. Since your log messages can contain all kinds of sensitive information, you should make sure that they are kept safe. The easiest way to protect the log messages as they are transferred from your clients to your logserver is to authenticate and encrypt the connection between the client and the server.

This tutorial shows you step-by-step how to create the certificates required to authenticate your server and your clients, and how to configure syslog-ng Premium Edition (syslog-ng PE) to send your log messages in an encrypted connection. Installing syslog-ng PE is not covered, for details, see Installing syslog-ng PE in the Administration Guide.

The tutorial is organized as follows:

  • Creating self-signed certificates describes how to create the required certificates to encrypt and authenticate the connection between your logserver and your clients. Actually, you can use this part of the tutorial even if you do not use syslog-ng PE, as it is independent from the logging application you use.

  • Configuring syslog-ng PE describes how to configure syslog-ng PE on your clients and your logserver.

  • Testing what you have done gives you tips on how to test your configuration to make sure it is really working.

NOTE: Some of the command line examples in this tutorial are quite long. You might need to scroll the example to read the whole example.

Creating self-signed certificates

TLS-encryption uses certificates to authenticate the server, and in case of mutual authentication, the client as well. The following sections show you how to create the required certificates.

To use mutual authentication in syslog-ng PE, certificates are required. There are several commercial certificate authorities (CAs) who can help you, but the process costs both money and time (waiting until the submitted certificate is signed). This guide demonstrates how to create your very own Certificate Authority (CA) for creating self-signed certificates. It does not cover all the details, for example, changing expiration dates, only the minimally required steps to be able to use mutual authentication in syslog-ng PE.

There are handy tools, such as CA.pl, which can make certificate creation and signing easier, but they are not available on all platforms, even if it is part of the OpenSSL software suite. On the other hand, the OpenSSL command line tool is available on all Linux distributions and BSD variants, so this tool will be used in the guide.

Creating a CA

This section describes how to create a CA.

NOTE: Some of the command line examples in this section are quite long. You might need to scroll the example to read the whole example.

To create a CA

  1. Create an empty directory and navigate into that directory:

    mkdir CA

    cd CA

  2. Create a few directories and give starting values to some support files:

    mkdir certs crl newcerts private

    echo "01" > serial

    cp /dev/null index.txt

  3. Copy openssl.conf to the current directory. Depending on your distributions, the source directory might be different, so check the list of files in the OpenSSL package before copying:

    cp /etc/ssl/openssl.cnf openssl.cnf

  4. Edit openssl.conf in the current directory:

    vi openssl.cnf

  5. Search for the following part and replace ./DemoCA with a single dot:

    [ CA_default ]
    
    dir             = ./demoCA              # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept 

    Change it to:

    [ CA_default ]
    
    dir             = .                     # Where everything is kept
    certs           = $dir/certs            # Where the issued certs are kept 
  6. As a last step, generate the certificate for the CA:

    openssl req -new -x509 -keyout private/cakey.pem -newkey rsa:4096 -out cacert.pem -days 365 -config openssl.cnf

    NOTE: By including and customizing the -newkey rsa:<key size> element in your command line, you can set the key size that is compliant with your organization policy.

    The following will be displayed. Answer the questions as in the example:

    Generating a 1024 bit RSA private key
    .++++++
    ......................++++++
    writing new private key to 'private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) [Some-State]:Budapest
    Locality Name (eg, city) []:Budapest
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mycompany
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:Example
    Email Address []:example@mycompany.com

Creating a server certificate

This section describes how to create a server certificate.

NOTE: Some of the command line examples in this section are quite long. You might need to scroll the example to read the whole example.

To create a server certificate

  1. The next step is to create and sign a certificate for your syslog-ng PE server. The common name should contain the FQDN or IP address of your server, and the email address should be left blank.

    openssl req -nodes -new -x509 -keyout serverkey.pem -newkey rsa:4096 -out serverreq.pem -days 365 -config openssl.cnf

    NOTE: By including and customizing the -newkey rsa:<key size> element in your command line, you can set the key size that is compliant with your organization policy.

  2. The following will be displayed. Answer the questions as in the example:

    Generating a 1024 bit RSA private key
    ........................................++++++
    .++++++
    writing new private key to 'serverkey.pem'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:HU
    State or Province Name (full name) [Some-State]:Budapest
    Locality Name (eg, city) []:Budapest
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mycompany
    Organizational Unit Name (eg, section) []:.
    Common Name (e.g. server FQDN or YOUR name) []:172.16.177.147
    Email Address []:
    example@linux-modi:~/CA> openssl x509 -x509toreq -in serverreq.pem -signkey serverkey.pem -out tmp.pem
    Getting request Private Key
    Generating certificate request
    example@linux-modi:~/CA> openssl ca -config openssl.cnf -policy policy_anything -out servercert.pem -infiles tmp.pem
    Using configuration from openssl.cnf
    Enter pass phrase for ./private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Jun 25 10:27:39 2014 GMT
                Not After : Jun 25 10:27:39 2015 GMT
            Subject:
                countryName               = HU
                stateOrProvinceName       = Budapest
                localityName              = Budapest
                organizationName          = Mycompany
                commonName                = 172.16.177.147
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    55:4E:B1:47:33:CF:0C:83:5F:29:64:9B:E9:99:77:DF:0E:72:52:76
                X509v3 Authority Key Identifier:
                    keyid:D1:FF:ED:B4:0B:66:E6:45:EE:70:4F:DC:6C:C5:34:48:42:38:E9:38
    
    Certificate is to be certified until Jun 25 10:27:39 2015 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
        Data Base Updated 
  3. Enter the following:

    rm tmp.pem

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating