using syslog over TLS

Question

I need some info on syslog communication using TLS. Could you please help me on that.

Currently we are using syslog communication without any security. That is using UDP protocol with the server listening on port number 514. This is unsecure. We want to use syslog over TLS that is over TCP with port number 6514. Just wanted to how can we achieve this.

As of now syslogd daemon is used. Please let me know whether same syslogd can be used with enhancement or syslogd should be replaced with other daemon.

I'm voting to close this question as off-topic because we don't provide tutorials. — user9517, Nov 22 '15 at 07:35

score 1 · Answer 1 · answered Nov 22 '15 at 06:35

rsyslog: http://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html

Or you could use the ELK stash if you want nice shiny consoles. It uses something called Logstash (https://www.elastic.co/products/logstash) that accepts tls inputs. On the client side you need a logstash forwarder (written in go, just a binary, https://github.com/elastic/logstash-forwarder).

Obviously some systems will never use tls (syslog in appliances, or network devices, for instance).

Thanks for info. Please let me know whether syslog-ng or rsyslog which is better — Girish, Nov 22 '15 at 08:23

sam_pan_mariusz · Answer 2 · 2015-11-22T08:41:06.907

0

Syslog-ng daemon supports TLS over TCP transport.It is popular and available as a package for any major GNU/Linux distros. You can use it on both logserver and logging servers (syslog clients) to achieve full compatibility.

Be aware that many applications and hardware appliances may only support classic, plaintext UDP protocol for syslog, so you will likely have to keep it enabled.

I can't help you with the original syslogd daemon as I've zero experience with it. There are however universal solutions like stunnel which can solve your problem by adding a secure layer on top of any existing solution.

edited Nov 22 '15 at 08:41

answered Nov 22 '15 at 06:51

sam_pan_mariusz

2,133
1
14
15

Thanks for info. I believe syslog-ng is a new daemon. Please let me know whether I can use my existing syslog daemon itself with some modification. My idea is to achieve TLS from syslog daemon itself. If this is not possible then i will go ahead with syslog-ng or rsyslog daemon. Also please let me know syslog-ng or rsyslog which is better – Girish Nov 22 '15 at 08:22
Check my added paragraph. I use *Syslog-ng* on my logservers and find it more stable compared to *Rsyslog*, at least under *Ubuntu* server and trying to log from *Apache httpd*. But you won't get an easy answer like "which one is better" here... Rsyslog in turn supports RELP protocol, which adds reliability. – sam_pan_mariusz Nov 22 '15 at 08:46

using syslog over TLS

2 Answers2