Is there a way to encrypt Syslog traffic using TLS like syslog-ng or rsyslog do? I'm trying to avoid having to set up syslog-ng or rsyslog on the Sumo Logic Collector box in order to receive the encrypted Syslog traffic and forward it to the Sumo Logic Collector.
Unfortunately, the Collector does not currently support receiving TLS syslog data directly with a Syslog Source. You need to set up an intermediary service to receive the TLS data and then forward the plain text to the Source. An alternative to using syslog-ng or rsyslog for this is to use stunnel. As described on https://www.stunnel.org, "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code."
Download it from https://www.stunnel.org/downloads.html. On CentOS/RedHat, you can also install stunnel with the following command:
> yum install stunnel
Once installed, generate a private key and certificate on the host, concatenate them (key first) into /etc/stunnel/stunnel.pem, and then use a stunnel config similar to the following to proxy the syslog data:
cert = /etc/stunnel/stunnel.pem
; SSLv3 is broken (POODLE) and disabled in current OpenSSL builds; require TLS 1.2
sslVersion = TLSv1.2
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; relative to the chroot directory
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = stunnel.log

; stunnel 4 and later require accept/connect to live in a [service] section
[syslog]
client = no
accept = 1543
connect = 1514
In this example, stunnel listens for incoming TLS connections on host port 1543/TCP ("accept = 1543") and forwards the decrypted plain-text data over the loopback interface to port 1514/TCP ("connect = 1514"), or to whatever port is defined in the Collector Syslog Source config.
For complete instructions, see Configuring a Syslog Source.
Note: Your Collector Syslog source must be configured to listen over TCP for this proxy to work correctly.
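The following script is an added example, not code from the Sumo Logic page or from the stunnel project. It carries the procedure above through end to end: it builds the key/cert PEM bundle in the layout stunnel's "cert =" setting expects, writes the Collector-side config, writes the matching sender-side config (stunnel in client mode, so the sending host's syslog daemon only has to talk plain TCP to 127.0.0.1), and provides a one-line smoke test through openssl s_client. One caveat the page does not spell out: the server config as shown accepts TLS from anyone who can reach port 1543, so any host on the network can inject log lines into the Collector; the example therefore adds client-certificate verification on the server and chain/host-name verification on the client. Assumptions not taken from the page: the openssl CLI is on PATH, the service name "syslog-tls" and the host name collector.example.com are placeholders, and sslVersionMin needs stunnel 5.50 or newer.

```shell
#!/bin/sh
# Added example, not from the Sumo Logic page or the stunnel project.
# Assumed: openssl on PATH; host names and the service name are placeholders.
set -eu

# 1. PEM bundle in the layout stunnel's "cert =" expects: private key, then cert.
#    Self-signed for illustration; use a CA-issued certificate in production.
make_stunnel_pem() {
    dir=$1      # directory that receives stunnel.pem and cert.pem
    cn=$2       # DNS name senders will verify, e.g. collector.example.com
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$cn" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/stunnel.pem"
    chmod 600 "$dir/stunnel.pem"     # holds the private key
    rm -f "$dir/key.pem"
    printf '%s\n' "$dir/stunnel.pem"
}

# 2. Collector-side config. Compared with the page's snippet: a [service]
#    section (required by stunnel 4+), TLS 1.2 as the floor instead of SSLv3
#    (sslVersionMin needs stunnel 5.50+; older releases: "options = NO_SSLv3"),
#    and client-certificate verification so only senders holding a cert signed
#    by a CA in CAfile can push log lines into the Collector.
write_server_conf() {
    pem=$1; cafile=$2; accept_port=$3; collector_port=$4; out=$5
    cat > "$out" <<EOF
cert = $pem
sslVersionMin = TLSv1.2
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
output = stunnel.log

[syslog-tls]
client = no
accept = $accept_port
connect = 127.0.0.1:$collector_port
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
verifyChain = yes
CAfile = $cafile
EOF
}

# 3. Sender-side config: stunnel in client mode. The local syslog daemon
#    forwards plain TCP to 127.0.0.1:$local_port; stunnel wraps it in TLS,
#    verifies the Collector's certificate chain and host name, and presents
#    the sender's own certificate for the mutual-TLS check configured above.
write_client_conf() {
    collector=$1; local_port=$2; tls_port=$3; cafile=$4; client_pem=$5; out=$6
    cat > "$out" <<EOF
[syslog-tls]
client = yes
accept = 127.0.0.1:$local_port
connect = $collector:$tls_port
sslVersionMin = TLSv1.2
verifyChain = yes
checkHost = $collector
CAfile = $cafile
cert = $client_pem
EOF
}

# 4. Smoke test from a sender: push one RFC 3164 line through the TLS listener.
#    It should show up in the Collector's Syslog Source a few seconds later.
send_test_line() {
    collector=$1; tls_port=$2; cafile=$3; client_pem=$4
    printf '<14>%s stunnel-test: TLS syslog smoke test\n' "$(date '+%b %e %H:%M:%S')" |
        openssl s_client -connect "$collector:$tls_port" -CAfile "$cafile" \
            -cert "$client_pem" -verify_return_error >/dev/null 2>&1
}

# Typical use on the Collector box (paths are placeholders):
#   pem=$(make_stunnel_pem /etc/stunnel collector.example.com)
#   write_server_conf "$pem" /etc/stunnel/senders-ca.pem 1543 1514 /etc/stunnel/stunnel.conf
# and on each sender:
#   write_client_conf collector.example.com 1514 1543 /etc/stunnel/collector-ca.pem \
#       /etc/stunnel/sender.pem /etc/stunnel/stunnel.conf
#   send_test_line collector.example.com 1543 /etc/stunnel/collector-ca.pem /etc/stunnel/sender.pem
```

The sender's local syslog daemon is then pointed at 127.0.0.1:1514 over plain TCP (rsyslog: `*.* @@127.0.0.1:1514`), and the Collector's Syslog Source must, as the note above says, listen on TCP, since stunnel only proxies stream connections.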
For more information on stunnel and its available configuration options, see: