28. Encrypted Transfer
In order to protect log data from being modified or viewed by an attacker during transit, NXLog provides SSL/TLS data encryption support in many input and output modules. Benefits of using SSL/TLS encrypted log transfer include:
-
strong authentication,
-
message integrity (assures that the logs are not changed), and
-
message confidentiality (assures that the logs cannot be viewed by an unauthorized party).
|
Warning
|
It is important that certificates be renewed before expiration. The NXLog Manager dashboard can be configured with a "Certificate summary" which lists soon-to-expire certificates in a separate group. |
28.1. SSL/TLS Encryption in NXLog
The SSL/TLS protocol encrypts the log data on the client side and then decrypts it on the server side. It’s recommended to use at least 2048-bits keys.
There are several modules in NXLog Enterprise Edition that support SSL/TLS encryption:
-
im_batchcompress and om_batchcompress support encryption of compressed log batches transferred between NXLog instances.
When using the SSL/TLS, there are two ways to handle authentication.
-
With mutual authentication, both client and log server agents are authenticated, and certificates/keys must be deployed for both agents. This is the most secure and prevents log collection if the client’s certificate is untrusted or expires.
-
With server-side authentication only, only the log server is authenticated. A certificate/key must be deployed for the server only. On the log server, the im_ssl AllowUntrusted directive (or corresponding directive for im_http or im_batchcompress) must be set to TRUE. The client is prevented from sending logs to an untrusted server but the server accepts logs from untrusted clients.
With the following configurations, a client reads logs from all log files
under the /var/log directory, parses the events with
parse_syslog(), converts to JSON with
to_json(), and forwards them over a secure connection
to the central server.
These configurations use mutual authentication: both agents are authenticated and certificates must be created for both agents.
![[Download file]](images/icons/download_icon.png "Download file"){kind=icon}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
<Extension _syslog>
Module xm_syslog
</Extension>
<Extension _json>
Module xm_json
</Extension>
<Input messages>
Module im_file
File "/var/log/*"
Exec parse_syslog();
</Input>
<Output central_ssl>
Module om_ssl
Host 192.168.56.103
Port 516
CAFile /opt/ssl/rootCA.pem
CertFile /opt/ssl/client.crt
CertKeyFile /opt/ssl/client.key
KeyPass password
Exec to_json();
</Output>
The server receives the logs on port 516 and writes them to
/var/log/logmsg.log.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
<Extension _syslog>
Module xm_syslog
</Extension>
<Input input_ssl>
Module im_ssl
Host 0.0.0.0
Port 516
CAFile /opt/ssl/rootCA.pem
CertFile /opt/ssl/central.crt
CertKeyFile /opt/ssl/central.key
KeyPass password
</Input>
<Output fileout>
Module om_file
File "/var/log/logmsg.log"
</Output>
28.2. OpenSSL Certificate Creation
NXLog Manager provides various features for creating, deploying, and managing SSL/TLS certificates, and is especially helpful when managing many NXLog agents across an organization. This section, however, provides steps for creating self-signed certificates with OpenSSL, a Linux-based SSL/TLS cryptography toolkit.
-
Generate the private root key for your Certification Authority (CA).
$ openssl genrsa -out rootCA.key 2048 -
Self-sign the key and create a CA certificate.
$ openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 730 -out rootCA.pem -
Create a certificate for each server.
-
Generate a private key for the server.
$ openssl genrsa -out server.key 2048 -
Generate the certificate signing request for the CA. When prompted for the
Common Name, enter the server’s name or IP address.$ openssl req -new -key server.key -out server.csr -
Sign the request.
$ openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key \ -CAcreateserial -out server.crt -days 500 -sha256
-