10.2.2. Procedure – Configuring TLS on the syslog-ng server

Purpose: 

Complete the following steps on the syslog-ng server:

Steps: 

  1. Copy the certificate (for example syslog-ng.cert) of the syslog-ng server to the syslog-ng server host, for example into the /opt/syslog-ng/etc/syslog-ng/cert.d directory. The certificate must be a valid X.509 certificate in PEM format.

  2. Copy the private key (for example syslog-ng.key) matching the certificate of the syslog-ng server to the syslog-ng server host, for example into the /opt/syslog-ng/etc/syslog-ng/key.d directory. The key must be in PEM format, and must not be password-protected.

  3. Add a source statement to the syslog-ng configuration file that sets transport("tls") and uses the tls( key-file(key_file_fullpathname) cert-file(cert_file_fullpathname) ) option to specify the key and certificate files. The source must use the source driver (network() or syslog()) matching the destination driver used by the syslog-ng client.

    Example 10.2. A source statement using TLS

    The following source receives log messages encrypted using TLS, arriving on TCP port 1999 of any interface of the syslog-ng server.

    source demo_tls_source {
        network(ip(0.0.0.0) port(1999)
            transport("tls")
            tls( key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
                 cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert"))
        );
    };

    A similar source for receiving messages using the IETF-syslog protocol:

    source demo_tls_syslog_source {
        syslog(ip(0.0.0.0) port(1999)
            transport("tls")
            tls( key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
                 cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert"))
        );
    };

  4. Disable mutual authentication for the source by setting the following TLS option in the source statement: tls( peer-verify(optional-untrusted) ). With this setting the syslog-ng server accepts connections without verifying the certificate of the syslog-ng client.

    For details on how to configure mutual authentication, see Section 10.3, Mutual authentication using TLS.

    For the details of the available tls() options, see Section 10.4, TLS options.

    Example 10.3. Disabling mutual authentication

    The following source receives log messages encrypted using TLS, arriving on TCP port 1999 of any interface of the syslog-ng server. The identity of the syslog-ng client is not verified.

    source demo_tls_source {
        network(ip(0.0.0.0) port(1999)
            transport("tls")
            tls( key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
                 cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert")
                 peer-verify(optional-untrusted))
        );
    };

    A similar source for receiving messages using the IETF-syslog protocol:

    source demo_tls_syslog_source {
        syslog(ip(0.0.0.0) port(1999)
            transport("tls")
            tls( key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
                 cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert")
                 peer-verify(optional-untrusted))
        );
    };

    Warning

    Do not forget to update the certificate and key files when they expire.
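    Before reloading syslog-ng with the source from step 3, it is worth verifying that the files from steps 1 and 2 actually meet the stated requirements (PEM X.509 certificate, unencrypted PEM key that belongs to that certificate) and that the certificate is not about to expire, as the warning above cautions. The following shell function is an added pre-flight check written for this procedure, not part of the syslog-ng documentation or the syslog-ng project; it assumes the openssl command-line tool is installed, and the file paths passed to it are whatever you chose in steps 1 and 2.

```shell
#!/bin/sh
# Pre-flight check for the server-side TLS material of a syslog-ng source.
# Usage: check_syslog_tls_material CERT_FILE KEY_FILE [MIN_DAYS]
# Returns 0 when every check passes, otherwise prints the first failure
# and returns 1. Requires the openssl CLI (assumed to be installed).
check_syslog_tls_material() {
    cert="$1"; key="$2"; min_days="${3:-30}"

    # Step 1: the certificate must be a valid X.509 certificate in PEM format.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a PEM-encoded X.509 certificate"; return 1
    fi

    # Step 2: the key must not be password-protected. An encrypted PEM key
    # carries either a "Proc-Type: 4,ENCRYPTED" header (traditional format)
    # or an "ENCRYPTED PRIVATE KEY" block (PKCS#8); test for the marker
    # before handing the file to openssl so it never waits for a passphrase.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "FAIL: $key is password-protected; syslog-ng cannot load it"; return 1
    fi
    if ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
        echo "FAIL: $key is not a readable PEM private key"; return 1
    fi

    # The key must match the certificate: compare the SubjectPublicKeyInfo
    # derived from each side (hashed so the comparison is a single string).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not belong to $cert"; return 1
    fi

    # The warning at the end of the procedure: flag a certificate that
    # expires within MIN_DAYS days (default 30) so it is renewed in time.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days"; return 1
    fi

    echo "OK: $cert and $key are usable by the syslog-ng server"
    return 0
}
```

    Run it as check_syslog_tls_material /opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert /opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key before each reload, or from cron with a larger day threshold to get early notice of expiry.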