Contents x
Syslog Configuration
    • PDF
    Contents

    Syslog Configuration

      • PDF
      Article summary

      Deployment

      • Deploy Glasswall Halo (with Syslog-ng) from OVA/VHD (following the standard instructions).
      • Allow incoming traffic from Glasswall Halo VM to the Syslog server port's (usually TCP 514) in the Security Group.

      Syslog-ng Service Configuration on Glasswall Halo VMs

      Glasswall Halo OVA/VHD has the option to install and configure Syslog-ng service. Once the Glasswall Halo Instance is up and running, follow the steps below:

      • Make sure the Glasswall Halo VM is registered with RHEL, so that packages can be installed from internet.
      • Start the installation and configuration of syslog-ng script with:
      sudo bash ~/syslog-ng-install.sh
      • Once completed, run the next steps below
      sudo bash ~/syslog_setup.sh
Enter IP address of Syslog server: <Syslog server IP>
Enter Port of Syslog server: <Syslog server port>
Configuring Syslog server details.....
....

      • From this point on all logs will be forwarded to the Syslog server and stored in the relevant syslog server log file configured to receive remote logs. This includes:

        • Glasswall Halo VM logs (stored in /mnt/logging_data)
        • All container logs: (stored in/var/log/containers)
        • Pods logs: (stored in /var/log/pods)

      • Verify connection to the Syslog server with the following CLI command:

      $ loggen -i -S -P <Syslog server IP> <Syslog server port>
count=1853, rate = 951.87 msg/sec
count=2329, rate = 951.65 msg/sec...

      Syslog-ng TLS configuration on Glasswall Halo VMs

      In case the remote syslog server uses TLS transport, the following configuration changes need to be made on the Glasswall Halo machine.

      • Place the server certificate's root CA at a location in the Glasswall Halo machine (e.g. at /opt/syslog-ng/etc/syslog-ng/ca.d)
      • In the syslog-ngconfiguration file at (/etc/syslog-ng/syslog-ng.conf), edit line number 42
        -0 From: destination remote { tcp("..." port(**));};
      • To: destination remote { network("..." port(**)
        transport("tls")
        tls( ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d")
        peer-verify(optional-untrusted)
        )
        );
        };
      • Where:
        • port should be the TLS port of the remote syslog server
        • peer-verify should be optional-untrusted for untrusted/self-signed CAs or required-trusted for trusted CAs
        • Restart syslog-ng with the commands below:
      sudo systemctl restart syslog-ng
sudo systemctl restart gwsyslog.service

      Glasswall syslog-ng on the Glasswall Halo machine should now be connected to the remote syslog server and sending secure logs on the TLS port.

      Was this article helpful?
      What's Next