Navid Paya wrote:
> Hi
> I've set up my logging solution but there's one more step that needs to
> be taken. I'm using SuSE 10 which uses syslog-ng as its logging
> facility. The problem is syslog-ng uses raw tcp traffic which is not
> secure at all. Now I really need to encrypt the traffic. I've read about
> using stunnel to pipe encrypted traffic from syslog clients to the
> server. I wanted to know if anyone has any experience in this matter, and
> if yes should I make any changes to the ossec configuration? And do you
> possibly know a better way? Just one thing, SuSE 10 is a must in this
> scenario 'cause it's part of the firm's policy and there's absolutely
> nothing I can do to change it. Thank you all as always. This mailing
> list has been a great help to me.
>
>
> Navid

With syslog-ng v3 at least, you can use TLS between the syslog-ng client and server. You can download the manual at:
http://www.balabit.com/dl/guides/syslog-ng-v3.0-guide-admin-en.pdf
or view online at:
http://www.balabit.com/dl/html/syslog-ng-v3.0-guide-admin-en.html/index.html

Sections that talk about using TLS:
2.7. Secure logging using TLS
3.13. Encrypting log messages with TLS
3.14. Mutual authentication using TLS

For the actual options, and some examples, of what you'll use in your syslog-ng.conf:
8.10. TLS options

By default it requires "Mutual authentication" where both server and client each have a cert and key, and all also have a copy of the signing CA's cert. You can bypass Mutual authentication, such that only the server needs a key+cert, and the clients just need the signing CA's cert.

There are many guides on how to create either self-signed certs, or even making your own CA. The commands are a little hairy looking, but very doable. I got tripped up just by having the system clocks too far out of sync; they need to be accurate for TLS encryption to succeed.

Hope this helps.

--
Henry Blum
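The two setups described in the reply above (server-only authentication and mutual authentication), sketched as syslog-ng 3.x configuration fragments. This is an added example, not part of the original message; the file paths, port 6514, the address 192.0.2.10 and the statement names s_tls and d_tls are assumptions.

```conf
# --- On the log server (syslog-ng.conf) ---
# Paths, port and statement names are assumed for illustration.
source s_tls {
    tcp(ip(0.0.0.0) port(6514)
        tls(
            # The server's own private key and certificate.
            key_file("/etc/syslog-ng/key.d/server.key")
            cert_file("/etc/syslog-ng/cert.d/server.crt")

            # Server-only authentication: do not demand a client cert.
            peer_verify(optional-untrusted)

            # Mutual authentication (the default behaviour): remove the
            # peer_verify line above and use these two lines instead, so
            # clients must present a cert signed by the CA in ca_dir.
            # ca_dir("/etc/syslog-ng/ca.d")
            # peer_verify(required-trusted)
        )
    );
};

# --- On each client (syslog-ng.conf) ---
destination d_tls {
    tcp("192.0.2.10" port(6514)
        tls(
            # Directory holding the signing CA's cert; the client uses
            # it to verify the certificate the server presents.
            ca_dir("/etc/syslog-ng/ca.d")

            # Mutual authentication only: the client's own key and cert,
            # signed by the same CA.
            # key_file("/etc/syslog-ng/key.d/client.key")
            # cert_file("/etc/syslog-ng/cert.d/client.crt")
        )
    );
};

# Both statements still have to be referenced from a log { ... } path
# together with the existing sources, filters and destinations.
```

ca_dir() is read as an OpenSSL certificate directory, so the CA cert must be reachable under its subject-hash name (the value printed by `openssl x509 -noout -hash -in cacert.pem`, with `.0` appended), where cacert.pem is an assumed file name.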
