Encrypted syslog

Posted: Wed Jan 25, 2017 1:10 pm
by WillemDH
Hello,

I have a question about how we would have to configure an SSL-encrypted syslog input. We recently switched to Cylance for antivirus, which is cloud-based, but has an option to send logs to a syslog server over SSL.

Here you can find a screenshot of how it looks on the Cylance side of things:
https://help.sumologic.com/Apps/Preview ... or_Cylance

The syslog would be sent to an F5 load balancer pool with an external URL which would direct the encrypted syslog to an available logserver node. But as we need the SSL checkbox to be ticked we are not sure how this can be done with NLS. Any advice is welcome.

Somebody must have done a similar setup before?

Grtz

Willem

Re: Encrypted syslog

Posted: Wed Jan 25, 2017 1:21 pm
by avandemore
Normally a load balancer like an F5 would also do SSL termination. If you need end-to-end SSL, then you're going to need to configure Logstash for SSL as well.

https://www.elastic.co/guide/en/beats/f ... stash.html

Or our related documentation:

https://assets.nagios.com/downloads/nag ... th-SSL.pdf

Re: Encrypted syslog

Posted: Wed Jan 25, 2017 1:26 pm
by mcapra
As @avandemore pointed out, you could let the F5 worry about decrypting the traffic prior to routing it.

Alternatively, you should be able to configure the NLS cluster with a dedicated TCP input and leverage the various SSL settings present in logstash-input-tcp:
https://www.elastic.co/guide/en/logstas ... s-tcp.html

Then you'd just point Cylance at the F5, in theory. If the F5 is just routing the traffic, the individual nodes should be able to handle the decryption. Tricky to know for sure without knowing exactly what Cylance is doing on the back-end though.
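
As an added illustration of the second option above (not configuration from the original post, from Cylance, or from Nagios), here is what a dedicated TLS-terminating TCP input in a Logstash pipeline could look like on each NLS node, with the F5 left as plain TCP passthrough in front of it. The port, certificate paths and `type` name are assumptions; the option names are those of the logstash-input-tcp plugin as it shipped in the Logstash 5.x era (newer plugin versions rename several of them, so check the version installed with your NLS release).

```conf
# Added example, not from the original thread or Nagios documentation.
# Port, file paths and the type name are assumptions for illustration.
input {
  tcp {
    port => 6514                        # assumed; 6514 is the IANA-registered port for syslog over TLS
    type => "cylance_syslog"            # assumed tag so the filter below only touches these events
    ssl_enable => true                  # 5.x-era option name; newer plugin versions use ssl_enabled
    ssl_cert => "/etc/pki/tls/certs/logserver.crt"     # assumed path: cert matching the F5 pool hostname
    ssl_key  => "/etc/pki/tls/private/logserver.key"   # assumed path: private key for that cert
    # ssl_verify defaults to true, which demands a client certificate from the sender.
    # A sender that cannot load a client certificate would simply be rejected, so it is
    # disabled here. Caveat: with it off, anything that can reach this port can inject events.
    ssl_verify => false
    codec => line                       # one syslog record per line
  }
}

filter {
  if [type] == "cylance_syslog" {
    grok {
      # SYSLOGLINE is a stock grok pattern (priority, timestamp, host, program, message);
      # confirm it against real samples, since the exact record format is not shown in the thread.
      match => { "message" => "%{SYSLOGLINE}" }
    }
  }
}
```

Two checks worth doing before pointing the sender at the pool: run `openssl s_client -connect <pool-hostname>:6514` from outside and confirm the certificate chain you see is the node's, not the F5's (if it is the F5's, the virtual server still has an SSL profile attached and is terminating instead of passing through); and, because `ssl_verify => false` leaves the listener open to anyone who can reach it, restrict the port at the F5 or host firewall to the sender's published address ranges where that is possible.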

Re: Encrypted syslog

Posted: Wed Jan 25, 2017 2:05 pm
by WillemDH
This sure is going to be a nice experiment. I'll keep you posted once I get more information or have the time to test this more in detail.

Re: Encrypted syslog

Posted: Wed Jan 25, 2017 4:42 pm
by dwhitfield
We await results! :)

Re: Encrypted syslog

Posted: Mon Feb 27, 2017 4:59 am
by WillemDH
It seems Cylance needs a token for authentication; how can I provide this with NLS?

In this article this token is mentioned.
https://help.sumologic.com/Send_Data/Da ... or_Cylance

Can't find any documentation about tcp tokens.

Re: Encrypted syslog

Posted: Mon Feb 27, 2017 12:43 pm
by mcapra
That looks like something specific to SumoLogic's cloud-based syslog service. It's hard to say if/how that particular piece needs to be integrated with Nagios Log Server without having a closer look at some things Cylance is doing on the back-end.

Are you required to enter a token while running through this setup?

Re: Encrypted syslog

Posted: Wed Mar 01, 2017 9:15 am
by WillemDH
Well, as it seems impossible to import or export certificates in the Cylance appliance, we're a bit stuck on getting this to work with SSL. It does work without SSL, it seems. Apart from the encryption part, to prevent everyone from being able to send logs to the public address, I guess a token is required. There are multiple IP addresses on the Cylance side, which seem to be shifting too, so filtering on IP might not be possible.

Re: Encrypted syslog

Posted: Wed Mar 01, 2017 12:46 pm
by avandemore
If you're limited as to what you can do on the appliance, a workaround would be to set up a VPN that at least NLS and the Cylance have access to and send logs over that. Not as good or easy as being supported at the app level, but assuming you have control over network infrastructure, it could work with any device.