Syslog Configuration

    Deployment

    • Deploy Glasswall Halo (with Syslog-ng) from OVA/VHD (following the standard instructions).
    • Allow traffic from the Glasswall Halo VM to the syslog server's listening port (usually TCP 514; TCP 6514 is the conventional port when the server listens with TLS) in the Security Group: outbound on the Glasswall Halo VM side and inbound from the Glasswall Halo VM's address on the syslog server side.

    Syslog-ng Service Configuration on Glasswall Halo VMs

    The Glasswall Halo OVA/VHD has the option to install and configure the Syslog-ng service. Once the Glasswall Halo instance is up and running, follow the steps below:

    • Make sure the Glasswall Halo VM is registered with Red Hat (subscription-manager), so that packages can be installed from the internet.
    • Start the syslog-ng installation and configuration script with:
    sudo bash ~/syslog-ng-install.sh
    
    • Once it completes, run the setup script and enter the syslog server details when prompted:
    sudo bash ~/syslog_setup.sh
    Enter IP address of Syslog server: <Syslog server IP>
    Enter Port of Syslog server: <Syslog server port>
    Configuring Syslog server details.....
    ....
    
    • From this point on, all logs are forwarded to the syslog server and written to whichever log file the server has configured to receive remote logs. This includes:

      • Glasswall Halo VM logs (stored in /mnt/logging_data)
      • All container logs (stored in /var/log/containers)
      • Pod logs (stored in /var/log/pods)
    • Verify the connection to the syslog server with the following CLI command. loggen -i -S -P generates test messages over TCP in RFC 5424 syslog format directly from the VM (by default about 1000 messages per second for 10 seconds, so expect a burst of test messages in the server's remote log file). It confirms that the server is reachable and accepts the messages, but it bypasses the local syslog-ng service, so also check that real Glasswall Halo log lines appear in the server's remote log file:

    $ loggen -i -S -P <Syslog server IP> <Syslog server port>
    count=1853, rate = 951.87 msg/sec
    count=2329, rate = 951.65 msg/sec...
    

    Syslog-ng TLS configuration on Glasswall Halo VMs

    In case the remote syslog server uses TLS transport, the following configuration changes need to be made on the Glasswall Halo machine.

    • Place the root CA certificate that signed the server's certificate in a directory on the Glasswall Halo machine (e.g. /opt/syslog-ng/etc/syslog-ng/ca.d). syslog-ng looks certificates up in a ca-dir by subject-name hash, so the file (or a symlink to it) must be named <hash>.0, where openssl x509 -noout -hash -in ca.crt prints the hash; a certificate stored under any other name is not found.
    • In the syslog-ng configuration file (/etc/syslog-ng/syslog-ng.conf), edit line number 42, the "destination remote" statement, replacing the tcp() driver with the network() driver and TLS transport.
      From: destination remote { tcp("..." port(**));};
    • To: destination remote { network("..." port(**)
      transport("tls")
      tls( ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d")
      peer-verify(required-trusted)
      )
      );
      };
    • Where:
      • port should be the TLS port of the remote syslog server
      • peer-verify(required-trusted) makes syslog-ng verify the server certificate against the CA in ca-dir and refuse the connection otherwise. This works with a private or self-signed CA as long as that CA is installed in ca-dir. peer-verify(optional-untrusted) accepts any certificate without checking it: the connection is encrypted but the server is not authenticated, so use it only as a temporary fallback while the CA is not yet installed.
      • The host given to network() must match the server certificate's subject or subjectAltName, because syslog-ng checks the name as part of trusted verification; when the destination is entered as an IP address, the certificate needs that IP as a subjectAltName.
    • Restart syslog-ng with the commands below:
    sudo systemctl restart syslog-ng
    sudo systemctl restart gwsyslog.service
    

    Glasswall syslog-ng on the Glasswall Halo machine should now be connected to the remote syslog server and sending logs over the TLS port.
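    The CA-directory layout and the peer-verify choice above are where TLS forwarding most often goes quietly wrong, so here is an added shell example (written for this page; it is not Glasswall's or syslog-ng's own tooling) that installs a CA certificate under its subject-hash name, checks that a certificate verifies against the resulting ca-dir the way syslog-ng will at connect time, and audits syslog-ng.conf for a peer-verify() value that skips server authentication before restarting the services. The ca-dir and syslog-ng.conf paths are the ones from this article; the CA file name ./syslog-ca.crt, the function names and the SYSLOG_TLS_SETUP=run switch are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example for this article, not Glasswall's or syslog-ng's own tooling.
# Prepares the ca-dir used by tls(ca-dir(...)) and checks the peer-verify()
# setting so the destination can run with peer-verify(required-trusted).
set -eu

# Assumed (hypothetical) locations: the directory and conf path are the ones
# the article uses; the CA file name is an illustration.
CA_FILE=./syslog-ca.crt
CA_DIR=/opt/syslog-ng/etc/syslog-ng/ca.d
SYSLOG_NG_CONF=/etc/syslog-ng/syslog-ng.conf

# Install a CA certificate into a syslog-ng ca-dir. OpenSSL-style CA
# directories are searched by subject-name hash, so the trust anchor must be
# reachable as <hash>.0; a file called ca.crt alone is never consulted.
# Prints the hash on success, returns 1 if the input is not a PEM certificate.
install_ca_cert() {
    local cert="$1" ca_dir="$2" name hash
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 1
    hash=$(openssl x509 -in "$cert" -noout -hash)
    name=$(basename "$cert")
    mkdir -p "$ca_dir"
    cp "$cert" "$ca_dir/$name"
    ln -sf "$name" "$ca_dir/$hash.0"
    echo "$hash"
}

# Verify a certificate against the ca-dir, which is what syslog-ng does at
# connect time with peer-verify(required-trusted): a server certificate that
# does not chain to something in the ca-dir makes the connection fail.
cert_is_trusted() {
    local cert="$1" ca_dir="$2"
    openssl verify -CApath "$ca_dir" "$cert" >/dev/null 2>&1
}

# Audit syslog-ng.conf: optional-untrusted, optional-trusted, required-untrusted
# and no all let the session proceed without authenticating the server, so
# only required-trusted (or its alias yes) counts as strict.
peer_verify_is_strict() {
    local conf="$1"
    ! grep -Eq 'peer-verify\((optional-untrusted|optional-trusted|required-untrusted|no)\)' "$conf" \
        && grep -Eq 'peer-verify\((required-trusted|yes)\)' "$conf"
}

main() {
    local hash
    hash=$(install_ca_cert "$CA_FILE" "$CA_DIR") \
        || { echo "$CA_FILE is not a PEM certificate" >&2; exit 1; }
    echo "installed CA as $CA_DIR/$hash.0"
    cert_is_trusted "$CA_FILE" "$CA_DIR" \
        || { echo "CA does not verify from $CA_DIR" >&2; exit 1; }
    peer_verify_is_strict "$SYSLOG_NG_CONF" \
        || { echo "$SYSLOG_NG_CONF still allows an unauthenticated syslog server" >&2; exit 1; }
    syslog-ng --syntax-only        # validate the config before restarting
    systemctl restart syslog-ng
    systemctl restart gwsyslog.service
}

# Run the procedure only when explicitly asked, so the functions can also be sourced.
if [ "${SYSLOG_TLS_SETUP:-}" = run ]; then main; fi
```

    Run it on the Glasswall Halo VM as root with the CA file in the working directory, e.g. sudo env SYSLOG_TLS_SETUP=run bash syslog-tls-setup.sh. The audit deliberately fails closed: a configuration that still carries peer-verify(optional-untrusted) stops the script before the restart, so an encrypted-but-unauthenticated destination is not left in place by accident.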