Configure a syslog client to send TLS-secured data

Work with a rsyslog system file on a Web Gateway appliance to configure a syslog client that sends TLS-secured data.

Task

  1. On the user interface, select ConfigurationFile Editor.
  2. On the appliances tree, select the appliance that you want to configure a syslog client on, then select rsyslog.conf.
    The content of the system file appears in the configuration frame.
  3. Add the following lines to the file content.
    $template TEST-MESSAGE, "%HOSTNAME" ClientText: %syslogtag%%msg%"
    $WorkDirectory /var/spool/rsyslog #Specifies where to store spool files.
    
    $ActionQueueFileName fwdRule1 #Provides a unique name prefix for spool files.
    $ActionQueueMaxDiskSpace 1g 	#Sets a space limit of 1 GB.
    $ActionQueueSaveOnShutdown on	#Saves messages to disk upon shutdown.
    $ActionQueueType LinkedList	#Lets the process run asynchronously.
    $ActionResumeRetryCount -1	#Triggers an unlimited number of retries if the server is down
    
    $DefaultNetstreamDriver gtls #Requires use of the netstream driver.                                                                 
    $DefaultNetstreamDriverCAFile /etc/rsyslog.d/cert/ca.pem #Specifies the root CA.
    $DefaultNetstreamDriverCertFile /etc/rsyslog.d/cert/client.cert.pem #Specifies the certificate for the client.
    $DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/cert/client.key.pem #Specifies the certificate key for the client.
    
    $InputTCPServerStreamDriverAuthMode x509/name
    $InputTCPServerStreamDriverPermittedPeer <server host name or IP address> #Specifies the server through its host name or IP address.
    $InputTCPServerStreamDriverMode 1 #Requires the server to run in TLS mode only.
    $InputTCPServerRun 10514 #Specifies the listener port that the syslog communication starts at.    
  4. Log on to the appliance from a local system console or remotely using SSH.
  5. Run the following command to restart the rsyslog function on the appliance.
    /etc/init.d/rsyslog restart

    After restarting rsyslog, a TLS-secured connection is set up, using the settings in the configuration file and the certificates.

  6. Verify that the TLS-secured connection has been set up successfully.
    cat /var/log/messages

    After running the verification command, you should see messages like the following displayed.

    Nov 15 11:23:37 HyperVMlos2AD kernel: Kernel logging (proc) stopped.
    Nov 15 11:23:37 HyperVMlos2AD rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="53727" x-info="http://www.rsyslog.com"] exiting on
    signal 15.
    Nov 15 11:23:37 HyperVMlos2AD kernel: imklog 5.8.10, log source = /prog/kmsd started.
    Nov 15 11:23:37 HyperVMlos2AD rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="57261" x-info="http://www.rsyslog.com"] start
    [root@HyperVMlos2AD rsyslog.d]
    

Results

You can now send TLS-secured syslog messages. Run the following command to send a test message:

logger "TLS-secured test message"