Version: 2.16.0

Syslog configuration

Deployment

  • Deploy Glasswall Halo (with syslog-ng) from OVA/VHD (following the standard instructions).
  • Allow incoming traffic from the Glasswall Halo VM to the syslog server's port (usually TCP 514) in the security group.

syslog-ng service configuration on Glasswall Halo VMs

The Glasswall Halo OVA/VHD has the option to install and configure the syslog-ng service. Once the Glasswall Halo instance is up and running, follow the steps below:

  1. Make sure the Glasswall Halo VM is registered with RHEL, so that packages can be installed from the internet.
  2. Start the syslog-ng installation and configuration script with:
sudo bash ~/syslog-ng-install.sh
  3. Once completed, run the setup script and enter the syslog server details when prompted:
sudo bash ~/syslog_setup.sh
Enter IP address of Syslog server: <Syslog server IP>
Enter Port of Syslog server: <Syslog server port>
Configuring Syslog server details.....
....
  4. From this point on, all logs will be forwarded to the syslog server and stored in the syslog server log file configured to receive remote logs. This includes:

    • Glasswall Halo VM logs (stored in /mnt/logging_data)
    • All container logs (stored in /var/log/containers)
    • Pod logs (stored in /var/log/pods)
  5. Verify the connection to the syslog server with the following CLI command:

$ loggen -i -S -P <Syslog server IP> <Syslog server port>
count=1853, rate = 951.87 msg/sec
count=2329, rate = 951.65 msg/sec...

syslog-ng TLS configuration on Glasswall Halo VMs

If the remote syslog server uses TLS transport, the following configuration changes need to be made on the Glasswall Halo machine.

  1. Place the root CA certificate of the server certificate at a location on the Glasswall Halo machine (e.g. at /opt/syslog-ng/etc/syslog-ng/ca.d).

  2. In the syslog-ng configuration file (/etc/syslog-ng/syslog-ng.conf), edit line number 42-0.

     From:
       destination remote { tcp("..." port(**)); };

     To:
       destination remote {
         network("..." port(**)
           transport("tls")
           tls(
             ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d")
             peer-verify(optional-untrusted)
           )
         );
       };

     Where:

    • port should be the TLS port of the remote syslog server.
    • peer-verify should be optional-untrusted for untrusted/self-signed CAs or required-trusted for trusted CAs. With optional-untrusted, syslog-ng accepts the server's certificate even when it cannot be validated, so the connection is encrypted but the server is not authenticated.
  3. Restart syslog-ng with the commands below:
sudo systemctl restart syslog-ng
sudo systemctl restart gwsyslog.service

Glasswall syslog-ng on the Glasswall Halo machine should now be connected to the remote syslog server and sending secure logs on the TLS port.
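
A check to run after editing the destination, added here as an example and not part of Glasswall's tooling: it reports each remote destination in a syslog-ng configuration as PLAINTEXT (nothing enables TLS), UNVERIFIED (peer-verify set to an *-untrusted value) or OK. The function names, destination names, the address 192.0.2.10 and port 6514 are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Glasswall tooling. Audits each remote destination in a
# syslog-ng config: is TLS enabled, and is the server certificate verified?
# Simplification: "#" inside a quoted string is treated as a comment start.
audit_syslog_tls() {
  awk '
    { sub(/#.*/, ""); text = text " " $0 }        # drop comments, join lines
    END {
      bad = 0
      while (match(text, /destination[ \t]+[A-Za-z0-9_.-]+[ \t]*[{]/)) {
        split(substr(text, RSTART, RLENGTH), w, /[ \t{]+/); name = w[2]
        rest = substr(text, RSTART + RLENGTH); n = length(rest)
        depth = 1                                  # find the closing brace
        for (i = 1; i <= n && depth > 0; i++) {
          c = substr(rest, i, 1)
          if (c == "{") depth++; else if (c == "}") depth--
        }
        b = tolower(substr(rest, 1, i - 1)); text = substr(rest, i)
        if (b !~ /(tcp6?|udp6?|network|syslog)[ \t]*\(/) continue   # local only
        if (b !~ /transport[ \t]*\([ \t]*"?tls/ && b !~ /[ \t(]tls[ \t]*\(/) {
          print "PLAINTEXT " name; bad = 1         # nothing enables TLS
        } else if (b ~ /peer[-_]verify[ \t]*\([ \t]*"?[a-z]+[-_]untrusted/) {
          print "UNVERIFIED " name; bad = 1        # encrypted, peer not validated
        } else print "OK " name                    # default is required-trusted
      }
      exit bad
    }' "${1:--}"
}

# Constructed sample configuration (not taken from a real Halo VM).
sample_conf() {
  cat <<'EOF'
destination remote_plain { tcp("192.0.2.10" port(514)); };
destination remote_weak {
  network("192.0.2.10" port(6514) transport("tls")
    tls(ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d") peer-verify(optional-untrusted)));
};
destination remote_strict {
  network("192.0.2.10" port(6514) transport("tls")
    tls(ca-dir("/opt/syslog-ng/etc/syslog-ng/ca.d") peer-verify(required-trusted)));
};
destination local_file { file("/var/log/messages"); };
EOF
}

sample_conf | audit_syslog_tls - || true
```

To audit the real file, run audit_syslog_tls /etc/syslog-ng/syslog-ng.conf; a non-zero exit status means at least one remote destination is plaintext or does not validate the server certificate.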