The Collector does not currently support receiving TLS syslog data directly with a Syslog Source. You will need to set up an intermediary service such as stunnel to receive the TLS data and then forward the plain text to the Syslog Source on your Collector. As described on https://www.stunnel.org, "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code."
You can download stunnel from https://www.stunnel.org/downloads.html. Or on CentOS/RedHat, you can run the following command to install stunnel:
> yum install stunnel
Once installed, generate a key/cert on the host, and then use a stunnel config similar to the following to proxy the syslog data:
; PEM file holding the server certificate (and its private key, unless key = is set separately)
cert = /etc/stunnel/stunnel.pem
; Only accept TLS 1.2 from syslog senders
sslVersion = TLSv1.2
; Drop privileges after startup; pid and output paths below are relative to the chroot
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = stunnel.log
; Act as a TLS server (terminate TLS), not as a TLS client
client = no

[syslog]
; TLS listener exposed to the syslog senders
accept = 1543
; Plaintext forward to the Collector Syslog Source over the loopback
connect = 1514
In this example, stunnel listens for incoming TLS connections on host port 1543/TCP ("accept = 1543") and forwards the decrypted plaintext over the loopback to port 1514/TCP ("connect = 1514"), which must match the port defined in the Collector Syslog Source configuration.
For complete instructions, see Configuring a Syslog Source.
Note: Your Collector Syslog source must be configured to listen over TCP for this proxy to work correctly.
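To confirm the proxy works end to end, the following added Python client (not from the original page or from stunnel) sends one RFC 5424 syslog message over TLS 1.2 or later to the stunnel accept port and verifies the server certificate; the host name, certificate path and ports are assumed values, and the message should then appear in the Collector's Syslog Source.

```python
"""Hypothetical test client: send one RFC 5424 syslog message over TLS
to an stunnel listener, so the plaintext copy can be checked on the
Collector Syslog Source behind it."""
import socket
import ssl
from datetime import datetime, timezone

# Facility and severity codes from RFC 5424 section 6.2.1.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}


def build_message(facility, severity, hostname, app, msg, ts=None):
    """Return a newline-terminated RFC 5424 message as bytes.

    Newline framing is what a plain-TCP syslog listener expects;
    stunnel only strips the TLS layer and forwards the bytes unchanged.
    """
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # VERSION=1; PROCID, MSGID and STRUCTURED-DATA left as the NILVALUE "-".
    line = f"<{pri}>1 {ts} {hostname} {app} - - - {msg}\n"
    return line.encode("utf-8")


def tls_context(cafile):
    """Client context that refuses anything below TLS 1.2 and verifies the
    stunnel certificate against cafile (the certificate generated on the
    host, or the CA that issued it; None falls back to system trust)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_tls(host, port, payload, cafile, server_hostname):
    """Open a TLS session to stunnel's accept port, write the payload and
    return the negotiated protocol version (e.g. "TLSv1.2")."""
    ctx = tls_context(cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            tls.sendall(payload)
            return tls.version()


if __name__ == "__main__":
    # Assumed values: the stunnel host, its accept port 1543 and the cert path.
    body = build_message("local0", "info", "web01", "stunnel-check",
                         "tls syslog smoke test")
    print(send_tls("syslog-proxy.example.com", 1543, body,
                   "/path/to/stunnel-cert.pem", "syslog-proxy.example.com"))
```

If the message reaches the Syslog Source but the client reports a version below TLSv1.2, the sslVersion line in the stunnel config is not being honoured.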
For more information on stunnel and its available configuration options, see:
https://www.stunnel.org/docs.html
Comments
SSLv3? Use TLS or don't bother encrypting it! Preferably only supporting TLS 1.2; if you must, 1.1 is still safe for the moment.
SSLv3 was broken in 2014: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3566