Hello,
I have a question about how we would have to configure an SSL encrypted syslog input? We recently switched to Cylance for Antivirus, which is cloud-based, but has an option to send logs to a syslog server over SSL.
Here you can find a screenshot about how it looks on the Cylance side of things:
https://help.sumologic.com/Apps/Preview ... or_Cylance
The syslog would be sent to an F5 load balancer pool with an external URL which would direct the encrypted syslog to an available logserver node. But as we need the SSL checkbox to be ticked we are not sure how this can be done with NLS. Any advice is welcome.
Somebody must have done a similar setup like this before?
Grtz
Willem
Encrypted syslog
Nagios XI 5.8.1
https://outsideit.net
avandemore
- Posts: 1597
- Joined: Tue Sep 27, 2016 4:57 pm
Re: Encrypted syslog
Normally a load balancer like an F5 would also do SSL termination as well. If you need end to end SSL, then you're going to need to configure Logstash for SSL as well.
https://www.elastic.co/guide/en/beats/f ... stash.html
Or our related documentation:
https://assets.nagios.com/downloads/nag ... th-SSL.pdf
Previous Nagios employee
Re: Encrypted syslog
As @avandemore pointed out, you could let the F5 worry about decrypting the traffic prior to routing it.
Alternatively, you should be able to configure the NLS cluster with a dedicated TCP input and leverage the various SSL settings present in logstash-input-tcp:
https://www.elastic.co/guide/en/logstas ... s-tcp.html
Then you'd just point Cylance at the F5, in theory. If the F5 is just routing the traffic, the individual nodes should be able to handle the decryption. Tricky to know for sure without knowing exactly what Cylance is doing on the back-end though.
Former Nagios employee
https://www.mcapra.com/
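For the dedicated TCP input with SSL that is suggested above, here is a minimal Logstash pipeline, added as an example and not taken from Nagios Log Server, Cylance or the linked documentation. The port, the certificate and key paths, the `type` value and the Elasticsearch host are assumed placeholders; the SSL options are the standard ones from logstash-input-tcp.

```logstash
# Added example: a stand-alone Logstash pipeline with a TLS-protected TCP syslog listener.
# Port, paths and the type name are constructed placeholders, not NLS defaults.
input {
  tcp {
    port => 6514                                     # assumed: dedicated port for the TLS syslog listener
    type => "cylance-syslog"                         # assumed tag, used by the filter below
    ssl_enable => true                               # listener only accepts TLS connections
    ssl_cert => "/etc/pki/tls/certs/nls-node.crt"    # assumed path: this node's server certificate
    ssl_key  => "/etc/pki/tls/private/nls-node.key"  # assumed path: matching private key
    ssl_verify => false                              # no client certificate required from the sender
  }
}

filter {
  if [type] == "cylance-syslog" {
    # Split a standard syslog line into priority, timestamp, host, program and message fields.
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
    # Derive facility and severity from the numeric priority.
    syslog_pri { }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }      # assumed: local Elasticsearch node
}
```

Two points to check when the F5 only passes the TCP stream through instead of terminating TLS: every log server node behind the pool must present a certificate whose name matches the external URL the sender connects to, and each node needs its own copy of the key. With `ssl_verify => false` the listener accepts any TLS client, so encryption alone does not restrict who can send to the public address; if the sender could present a client certificate from a CA you control, `ssl_verify => true` would close that gap at the transport layer.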
Re: Encrypted syslog
This sure is going to be a nice experiment. I'll keep you posted once I get more information or have the time to test this more in detail.
Nagios XI 5.8.1
https://outsideit.net
dwhitfield
- Former Nagios Staff
- Posts: 4583
- Joined: Wed Sep 21, 2016 10:29 am
- Location: NoLo, Minneapolis, MN
Re: Encrypted syslog
We await results! 
Re: Encrypted syslog
It seems Cylance needs a token for authentication, how can I provide this with NLS?
In this article this token is mentioned.
https://help.sumologic.com/Send_Data/Da ... or_Cylance
Can't find any documentation about tcp tokens.
Nagios XI 5.8.1
https://outsideit.net
Re: Encrypted syslog
That looks like something specific to SumoLogic's cloud-based syslog service. It's hard to say if/how that particular piece needs to be integrated with Nagios Log Server without having a closer look at some things Cylance is doing on the back-end.
Are you required to enter a token while running through this setup?
Former Nagios employee
https://www.mcapra.com/
Re: Encrypted syslog
Well, as it seems impossible to import or export certificates in the Cylance appliance, we're a bit stuck on getting this to work with SSL. It does work without SSL, it seems. Apart from the encryption part, to prevent everyone from being able to send logs to the public address, I guess a token is required. There are multiple IP addresses on the Cylance side, which seem to be shifting too, so filtering on IP might not be possible.
Nagios XI 5.8.1
https://outsideit.net
avandemore
- Posts: 1597
- Joined: Tue Sep 27, 2016 4:57 pm
Re: Encrypted syslog
If you're limited as to what you can do on the appliance, a workaround would be to set up a VPN that at least NLS and the Cylance have access to and send logs over that. Not as good or easy as being supported at the app level, but assuming you have control over network infrastructure it could work with any device.
Previous Nagios employee