5.3. Using SSL-encrypted connections with the syslog-ng agent

When connecting to a syslog-ng server over an encrypted connection, the syslog-ng agent verifies the certificate of the server. The connection is established only if the Certificate Authority (CA) that issued the server's certificate is present in the Certificate Store of the Windows-based host (the CERT_SYSTEM_STORE_LOCAL_MACHINE\Root store, shown as Trusted Root Certification Authorities in MMC). Use the following procedure to add the certificate of the CA to the host computers:

[Note] Note

The subject_alt_name field (or the Common Name, if subject_alt_name is empty) of the server's certificate must contain the hostname or the IP address of the server as the syslog-ng clients and relays resolve it (e.g., syslog-ng.example.com).

Alternatively, the Common Name or the subject_alt_name field can contain a wildcard (generic) hostname, e.g., *.example.com.

Note that if the Common Name of the certificate contains a wildcard hostname, do not also specify a specific hostname or IP address in the subject_alt_name field.

Procedure 5.2. Importing the syslog-ng certificates with MMC

Complete the following steps to import the certificates used by syslog-ng.

[Note] Note

The CA certificate used to authenticate the syslog-ng server must be in DER format.

The certificate used to authenticate the syslog-ng agent on the server for mutual authentication must be in PKCS12 format and must include the private key of the certificate.

  1. Start Microsoft Management Console by executing mmc.exe (Start menu > Run).

    [Note] Note

    Running mmc.exe requires administrator privileges.

  2. Click on the Add/Remove snap-in item of the File menu.

  3. Click Add, select the Certificates snap-in, and click Add.

  4. Select Computer account in the displayed window and click Next.

  5. Select Local computer, click Finish, and then click Close.

  6. To import the CA certificate that issued the certificate of the syslog-ng server, navigate to Console Root \ Certificates \ Trusted Root Certification Authorities \ Certificates.

    To import the certificate that the syslog-ng agent presents for mutual authentication, navigate to Console Root \ Certificates \ Personal \ Certificates.

  7. Right-click on the Certificates folder and from the appearing menu select All tasks / Import. The Certificate Import Wizard will be displayed. Click Next.

  8. Select the certificate to import (e.g., C:\tmp\mycert.crt) and click Next.

    Optional step: Certificates used to authenticate the syslog-ng agent in mutual authentication include the private key. Provide the password that protects the PKCS12 file when requested.

  9. Windows offers a suitable certificate store by default, so click Next.

  10. Click Finish on the summary window and OK on the window that marks the successful importing of the certificate. The main window of MMC is displayed with the imported certificate.
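The trust and name checks described at the start of this section, together with the CA import of Procedure 5.2, as an added PowerShell example. This is not code from the syslog-ng documentation or the product; it assumes Windows PowerShell 3 or later with the PKI module (Import-Certificate), an elevated shell, and the file paths and server hostname given in the comments. It imports the CA into the Local Computer Root store, then checks offline what the agent checks when it connects: that the server certificate chains to a trusted root, and that its subject_alt_name (or Common Name) covers the server name, including the wildcard caveat from the Note above.

```powershell
# Added example, not part of the syslog-ng documentation or product.
# Run from an elevated PowerShell. Paths and hostname below are assumptions.
$CaDerPath      = 'C:\tmp\syslog-ng-ca.der'      # CA certificate, DER format
$ServerCertPath = 'C:\tmp\syslog-ng-server.cer'  # server certificate, for the pre-check only
$ServerHost     = 'syslog-ng.example.com'        # name or IP the agent resolves and connects to

function Test-CertName {
    # Does certificate name $Name cover $Target? A wildcard (*.example.com)
    # covers exactly one label: it matches host.example.com, not example.com.
    param([string]$Name, [string]$Target)
    if ($Name -eq $Target) { return $true }
    if ($Name.StartsWith('*.')) {
        $suffix = $Name.Substring(1)                       # '.example.com'
        if ($Target.Length -le $suffix.Length) { return $false }
        $label = $Target.Substring(0, $Target.Length - $suffix.Length)
        return $Target.EndsWith($suffix) -and ($label -notmatch '\.')
    }
    return $false
}

function Get-CertNames {
    # Names the agent compares: every subject_alt_name entry if the extension
    # (OID 2.5.29.17) is present, otherwise only the Common Name. Format($true)
    # output is locale dependent ('DNS Name=...' / 'IP Address=...' on English Windows).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        return @($san.Format($true) -split "`r?`n" |
            ForEach-Object { ($_ -split '=', 2)[1] } |
            Where-Object { $_ } | ForEach-Object { $_.Trim() })
    }
    return @($Cert.GetNameInfo('SimpleName', $false))
}

# 1. Trust the CA machine-wide (CERT_SYSTEM_STORE_LOCAL_MACHINE\Root),
#    the equivalent of Procedure 5.2 steps 6-10 for the CA certificate.
Import-Certificate -FilePath $CaDerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. Chain check against the machine stores, as the agent's TLS handshake does.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'    # CRL handling is covered separately in 5.3.1
if (-not $chain.Build($server)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw 'Server certificate does not chain to a CA in the Local Computer Root store'
}

# 3. Name check, including the documented caveat: a wildcard Common Name must
#    not be combined with a specific hostname or IP address in subject_alt_name.
$cn    = $server.GetNameInfo('SimpleName', $false)
$names = Get-CertNames $server
if ($cn.StartsWith('*.') -and ($names | Where-Object { $_ -ne $cn -and -not $_.StartsWith('*.') })) {
    Write-Warning "Wildcard CN '$cn' is combined with specific subject_alt_name entries; the agent may reject this certificate"
}
if (-not ($names | Where-Object { Test-CertName $_ $ServerHost })) {
    throw "Neither subject_alt_name nor CN of the server certificate covers '$ServerHost' (found: $($names -join ', '))"
}
"OK: '$ServerHost' is covered by the server certificate, which chains to a trusted root."
```

On hosts without the PKI module, the import in step 1 can be done with `certutil -addstore Root C:\tmp\syslog-ng-ca.der` instead; the chain and name checks only need .NET and run unchanged.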

5.3.1. Using mutual authentication with syslog-ng agent

When the syslog-ng server is configured to use mutual authentication, it requests a certificate from the syslog-ng clients. The syslog-ng agent can automatically present the requested certificate to the server when the connection is established if it is available in the Personal Certificates store (the CERT_SYSTEM_STORE_LOCAL_MACHINE\My store) of the Local Computer. Use the Microsoft Management Console application (MMC) to import this certificate. See Importing the syslog-ng certificates with MMC for details.

[Note] Note

If the syslog-ng agent cannot find a suitable certificate in the Local Computer/Personal Certificates store, it also checks the Personal Certificates store of the LogRelay service. If the syslog-ng agent was started manually, the Personal Certificates store of the current user is also checked.

[Note] Note

If a certificate revocation list (CRL) is available in the Local Computer/Personal Certificates store, the syslog-ng agent verifies that the certificate of the syslog-ng server is not on this list.

Procedure 5.3. Configuring mutual authentication with the syslog-ng Agent for Windows

If the syslog-ng server requests authentication from the syslog-ng Agent, complete the following steps.

  1. Create certificates for the clients. By default, the syslog-ng agent looks for a certificate whose Common Name contains the hostname or IP address of the central syslog-ng server. If you use a different Common Name, complete Step 3 to set the name to look for in the registry.

    The certificate must contain the private key and must be in PKCS12 format.

    [Tip] Tip

    To convert a certificate and a key from PEM format to PKCS12, use the following command. openssl prompts for an export password; this is the password requested when the file is imported (Procedure 5.2, step 8).

    openssl pkcs12 -export -in agentcertificate.pem -inkey agentprivatekey.pem -out agentcertificatewithkey.pfx

  2. Import this certificate into the Personal Certificate store of the Local Computer using the Microsoft Management Console application (MMC). See Importing the syslog-ng certificates with MMC for details.

  3. By default, the syslog-ng agent looks for a certificate whose Common Name contains the hostname or IP address of the central syslog-ng server. If the certificate of the client has a different Common Name, specify the certificate explicitly by adding the contents of its subject_alt_name field (or its Common Name, if subject_alt_name is empty) to the Windows registry. Complete the following steps:

    1. Select Start > Run and enter regedit.

    2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\BalaBit\LogRelay\Destinations\Network\IPv4.

    3. Create a new value called ClientCertSubject.

    4. Enter the contents of the subject_alt_name field (or the Common Name, if subject_alt_name is empty) of the client certificate as its data.

      [Note] Note

      A common way is to use the hostname or the IP address of the agent as the Common Name of the certificate (e.g., syslog-ng-agent1.example.com).
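Procedure 5.3 carried through end to end, as an added PowerShell example. This is not code from the syslog-ng documentation or the product; it assumes Windows PowerShell 3 or later with the PKI module (Import-PfxCertificate), an elevated shell, openssl.exe on PATH, the file paths and hostnames given in the comments, and that ClientCertSubject is a REG_SZ value (the manual names the value but not its type). It converts the agent's PEM certificate and key to PKCS12, imports the result into the Local Computer Personal store, registers the subject when the Common Name differs from the server hostname, and then reproduces the agent's lookup to confirm a usable certificate is in place.

```powershell
# Added example, not part of the syslog-ng documentation or product.
# Run from an elevated PowerShell with openssl.exe on PATH. Paths and names are assumptions.
$AgentCertPem = 'C:\tmp\agentcertificate.pem'
$AgentKeyPem  = 'C:\tmp\agentprivatekey.pem'
$AgentPfx     = 'C:\tmp\agentcertificatewithkey.pfx'
$ServerHost   = 'syslog-ng.example.com'          # CN the agent looks for by default
$AgentSubject = 'syslog-ng-agent1.example.com'   # CN actually in the agent certificate
$RegKey       = 'HKLM:\SOFTWARE\BalaBit\LogRelay\Destinations\Network\IPv4'

# 1. PEM -> PKCS12 including the private key (the Tip's openssl command). The export
#    password is passed to openssl through the environment rather than on the command
#    line, so it does not appear in process listings.
$password = Read-Host -Prompt 'Export password for the .pfx'
$env:PFXPASS = $password
& openssl pkcs12 -export -in $AgentCertPem -inkey $AgentKeyPem -out $AgentPfx -passout env:PFXPASS
Remove-Item Env:\PFXPASS
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 export failed' }

# 2. Import into Local Computer\Personal (CERT_SYSTEM_STORE_LOCAL_MACHINE\My), step 2 of
#    the procedure. The private key lands in the machine key store, which the account
#    running the LogRelay service must be able to read.
$secure = ConvertTo-SecureString -String $password -AsPlainText -Force
Import-PfxCertificate -FilePath $AgentPfx -CertStoreLocation Cert:\LocalMachine\My -Password $secure | Out-Null

# 3. Registry hint (step 3), only needed when the CN is not the server hostname or IP.
#    REG_SZ is an assumption; the manual does not state the value type.
if ($AgentSubject -ne $ServerHost) {
    if (-not (Test-Path $RegKey)) { New-Item -Path $RegKey -Force | Out-Null }
    Set-ItemProperty -Path $RegKey -Name ClientCertSubject -Value $AgentSubject -Type String
}

# 4. Reproduce the agent's lookup: ClientCertSubject if set, otherwise the server
#    hostname, matched against the CN of certificates that carry a private key.
$lookFor = (Get-ItemProperty -Path $RegKey -Name ClientCertSubject -ErrorAction SilentlyContinue).ClientCertSubject
if (-not $lookFor) { $lookFor = $ServerHost }
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.GetNameInfo('SimpleName', $false) -eq $lookFor
}
if (-not $candidates) {
    throw "No certificate with a private key and CN '$lookFor' in Local Computer\Personal; the agent has nothing to present"
}
$candidates | Format-List Subject, Issuer, NotAfter, Thumbprint, HasPrivateKey
```

Step 4 only models the default match on the Common Name; if the agent certificate carries a subject_alt_name, the registry value must hold that field's contents instead, as step 4 of the procedure above says. If the script finds no candidate, check the fallback stores named in the Note in 5.3.1 before re-importing.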


© 2007 BalaBit IT Security
Please send your comments or documentation bugs to: documentation@balabit.com