Deployment
- Deploy Glasswall Halo (with Syslog-ng) from the OVA/VHD, following the standard instructions.
- In the Security Group, allow incoming traffic from the Glasswall Halo VM to the Syslog server's listening port (usually TCP 514).
Syslog-ng Service Configuration on Glasswall Halo VMs
The Glasswall Halo OVA/VHD includes the option to install and configure the Syslog-ng service. Once the Glasswall Halo instance is up and running, follow the steps below:
- Make sure the Glasswall Halo VM is registered with RHEL, so that packages can be installed from the internet.
- Start the syslog-ng installation and configuration script with:
sudo bash ~/syslog-ng-install.sh
- Once it completes, run the setup script and enter the Syslog server details when prompted:
sudo bash ~/syslog_setup.sh
Enter IP address of Syslog server: <Syslog server IP>
Enter Port of Syslog server: <Syslog server port>
Configuring Syslog server details.....
....
From this point on, all logs are forwarded to the Syslog server and stored in whichever log file the syslog server is configured to use for remote logs. This includes:
- Glasswall Halo VM logs (stored in /mnt/logging_data)
- All container logs (stored in /var/log/containers)
- Pod logs (stored in /var/log/pods)
Verify connection to the Syslog server with the following CLI command:
$ loggen -i -S -P <Syslog server IP> <Syslog server port>
count=1853, rate = 951.87 msg/sec
count=2329, rate = 951.65 msg/sec...
Syslog-ng TLS configuration on Glasswall Halo VMs
If the remote syslog server uses TLS transport, make the following configuration changes on the Glasswall Halo machine.
- Place the root CA certificate that issued the server certificate in a directory on the Glasswall Halo machine (e.g. /opt/syslog-ng/etc/syslog-ng/ca.d).
- In the syslog-ng configuration file (/etc/syslog-ng/syslog-ng.conf), edit line number 42.
  From:
    destination remote { tcp("..." port(**)); };
  To:
    destination remote {
        network("..." port(**)
            transport("tls")
            tls(
                ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d")
                peer-verify(optional-untrusted)
            )
        );
    };
  Where:
  - port should be the TLS port of the remote syslog server
  - peer-verify should be optional-untrusted for untrusted/self-signed CAs (the server certificate is then accepted without being validated against ca-dir, so the connection is encrypted but the server is not authenticated) or required-trusted for trusted CAs (the server certificate must chain to a CA in ca-dir)
- Restart syslog-ng and the Glasswall syslog service with the commands below:
sudo systemctl restart syslog-ng
sudo systemctl restart gwsyslog.service
syslog-ng on the Glasswall Halo machine should now be connected to the remote syslog server and sending logs over TLS on the configured port.
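The script below is an added example and is not part of the Glasswall documentation or product. It reproduces the two peer-verify() settings from the configuration above in a standard-library Python TLS client, so the path from the Halo VM to the syslog server can be checked with proper certificate validation before syslog-ng is restarted (the loggen command shown earlier verifies the plaintext path only). The hostname, application name and message are constructed placeholders; the CA directory is assumed to be the same hash-named directory that ca-dir() points at.

```python
import datetime
import socket
import ssl

# Constructed sample values (not from the Glasswall documentation); replace with
# the Glasswall Halo VM's hostname and a descriptive application name.
SAMPLE_HOSTNAME = "halo-vm-01"
SAMPLE_APPNAME = "halo-tls-check"


def build_rfc5424(hostname, appname, message, facility=1, severity=6,
                  procid="-", msgid="-", timestamp=None):
    """Build one RFC 5424 syslog line.

    facility 1 = user-level, severity 6 = informational; PRI = facility * 8 + severity.
    timestamp is an RFC 3339 string; when omitted the current UTC time is used.
    """
    if timestamp is None:
        now = datetime.datetime.now(datetime.timezone.utc)
        timestamp = now.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {appname} {procid} {msgid} - {message}"


def frame_octet_counted(line):
    """Apply RFC 6587 octet-counting framing ("<len> <msg>") for a TCP/TLS stream."""
    payload = line.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def make_tls_context(ca_dir, peer_verify):
    """Map syslog-ng's peer-verify() values onto a Python SSLContext.

    required-trusted  : the server must present a certificate that chains to a CA
                        in ca_dir (hash-named files, as produced by "openssl rehash",
                        the same layout syslog-ng's ca-dir() expects).
    optional-untrusted: any certificate (or none) is accepted, so the link is
                        encrypted but the server is not authenticated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if peer_verify == "required-trusted":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(capath=ca_dir)
    elif peer_verify == "optional-untrusted":
        ctx.check_hostname = False  # must be cleared before verify_mode = CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        raise ValueError(f"unsupported peer-verify value: {peer_verify}")
    return ctx


def send_test_message(server_ip, server_port, ca_dir, peer_verify,
                      message="TLS syslog connectivity check"):
    """Open a TLS connection the way the Halo VM's syslog-ng would and send one message.

    Returns the negotiated TLS version. With required-trusted, a server certificate
    that does not chain to ca_dir raises ssl.SSLCertVerificationError instead, which
    is exactly the failure that optional-untrusted would silently hide.
    """
    ctx = make_tls_context(ca_dir, peer_verify)
    line = build_rfc5424(SAMPLE_HOSTNAME, SAMPLE_APPNAME, message)
    with socket.create_connection((server_ip, server_port), timeout=5) as raw:
        # server_hostname must match a SAN in the server certificate; pass the
        # DNS name instead of the IP if the certificate only carries a DNS SAN.
        with ctx.wrap_socket(raw, server_hostname=server_ip) as tls:
            tls.sendall(frame_octet_counted(line))
            return tls.version()


if __name__ == "__main__":
    import sys
    # usage: python3 tls_syslog_check.py <server ip> <tls port> <ca dir> <peer-verify>
    ip, port, ca_dir, mode = sys.argv[1:5]
    print("connected, negotiated", send_test_message(ip, int(port), ca_dir, mode))
```

Running it with required-trusted against the same CA directory syslog-ng will use is the useful check: if it raises a certificate verification error, the CA file is missing from ca-dir, not hash-named, or does not match the server's certificate, and switching syslog-ng to optional-untrusted would only mask that rather than fix it.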