TLS-Encryption
The syslog-ng application can send and receive log messages securely over the network using the Transport Layer Security (TLS) protocol using the network() and syslog() drivers.
Status
Driver
Architecture
Source
Destination
network
x86
Works
Works
network
ARM
Works
Works
syslog
x86
Works
Works
syslog
ARM
Works
Works
How to test
To test TLS-encrypted message transfer, we first need to set up an SSL certificate on the server end and share the public key to the encrypting channel, ie, the clients. This test is using non-mutual authentication. In other words, the clients use the server public key to encrypt the syslog-ng messages sent to the server but the server does not check the identity of the clients. In our test, of course, we will stimulate the server-client set-up by running two instances of syslog-ng.
On a mac system, the default configuration file is stored at /usr/local/etc
. So we will navigate to this folder and make a folder named SSL to store all that's necessary for TLS encryption.
Below are the steps I took to set up the source instance of syslog-ng. The following commands will generate both the CA certificate as well as the private key. Of course, your private key should always stay private and the public key (ca-key) is what we will hand out to clients.
Note:
These instruction are pertaining to openssl, not LibreSSL which is the provided by macOS. You can check using the openssl version
command.
If you need to have openssl@1.1 first in your PATH, run:
echo 'export PATH="/opt/homebrew/opt/openssl@1.1/bin:$PATH"' >> ~/.zshrc
Now, to set up the destination instance of syslog-ng. In a multi-machine set up, we would share the cacert.pem file with the client nodes so they can encrypt the messages accordingly. However, since we are stimulating both instances on the same machine, we will create a new folder named sslClient. The following steps will set up the client-side TLS needs.
We are basically sharing the public key of the certification with the client machines. We also view the hash of the certificate and create a symbolic link to the certificate.
Now that we have the certificate made, and the appropriate keys shared, we can test the TLS-encrypted messaging using network() and syslog() drivers.
Last updated