Configuring Syslog-ng relay

You can automate log collection by running syslog-ng as a relay: it accepts logs from your firewalls and proxies and forwards them, over TLS with client-certificate authentication, to the Forcepoint ONE SSE syslog collector (syslog.bitglass.com). This topic covers the syslog-ng.conf changes needed to set up that relay.

Before you begin

The relay is configured entirely in the syslog-ng configuration file (syslog-ng.conf) on the relay host. Locate that file, and make sure you have the client certificate, private key and CA chain from your Forcepoint ONE SSE tenant, before you begin.

Steps

  1. Add a source statement that accepts logs forwarded by any firewall/proxy.
    Example: source s_relay { syslog(ip(0.0.0.0) port(514) transport("tcp") flags(no-parse)); };

    The port and transport can be adjusted if necessary. TCP is preferable to UDP because UDP silently drops messages when the relay is busy. flags(no-parse) stores each received line unchanged in ${MSG}, so the sender's own syslog header is forwarded as-is. The syslog() driver expects IETF-format (RFC 5424) messages, with octet-counting framing on TCP; for devices that only emit classic BSD-format (RFC 3164) syslog, use the network() source driver with the same ip(), port(), transport() and flags() options. Because ip(0.0.0.0) listens on every interface, restrict port 514 on the host firewall to your forwarding devices.

  2. Add a destination statement that includes the following:
    • A template statement to prepend your customer token to every log message. On a syslog() destination, template() defines the entire on-wire payload, so the collector receives exactly the token followed by the original message.
    • TLS forwarding details: the directory holding Forcepoint ONE SSE's server CA certificates (ca-dir), plus the client's certificate and private key (cert-file and key-file), which authenticate your relay to the collector.

      Refer to Sample syslog-ng.conf file.

    1. Download the certificate from the Certificate link under the Syslog Collector section on the Discovery page. Use the included token as a password.
    2. Copy the client certificate and private key to the syslog-ng client host as follows (The path locations are examples only).
      • Copy the bitglass_collector_client_cert_key.key file to /opt/bg/deploy/syslog-ng/etc/key.d/bitglass_collector_client_cert_key.key
      • Copy the bitglass_collector_client_cert.crt file to /opt/bg/deploy/syslog-ng/etc/cert.d/. Whatever the certificate file is called in your download, the name and path must match the cert-file() value in the destination statement, just as the key file must match key-file().
    3. Setup the CA certificates used by syslog-ng to validate syslog.bitglass.com server as follows:
      • Copy the CHAIN.CRT cert file to /opt/bg/deploy/syslog-ng/etc/ca.d.
      • Change directory to /opt/bg/deploy/syslog-ng/etc/ca.d (the same directory you will reference in ca-dir()).
      • Open the file and copy the first certificate. Certificates start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
      • Create a file such as CA1.pem and paste the copied content.
      • Issue the $ openssl x509 -noout -hash -in CA1.pem command to print the OpenSSL subject hash of the CA1.pem certificate.
      • Issue the $ ln -s CA1.pem <HASH>.0 command to create a symbolic link of the hash to the certificate.

        Replace HASH with the value you just obtained.

      • Repeat the above sub-steps for each of the certificates in the CHAIN.CRT file, using a new file name (CA2.pem, CA3.pem, and so on) each time. If two certificates produce the same hash, name the second link <HASH>.1, the third <HASH>.2, and so on. OpenSSL, and therefore syslog-ng, looks CAs up by these hash-named links, not by the .pem file names, so a certificate without its link is never found and the TLS handshake fails.
  3. Add a log statement to your syslog-ng.conf file that relays logs from the source to the syslog.bitglass.com destination. Before restarting the service, check the configuration with syslog-ng -s -f <path to your syslog-ng.conf>, which parses the file without starting the daemon.
    Sample syslog-ng.conf file
    @version: 3.5
    @include "scl.conf"

    ########################
    # Global options
    ########################
    options {
        chain_hostnames(no);
        keep_hostname(yes);
        flush_lines(0);
        use_dns(no);
        use_fqdn(no);
        perm(0640);
        stats_freq(0);
    };
    ########################
    # Sources
    ########################
    # Accept logs from firewalls/proxies on 514/tcp; no-parse keeps each message verbatim in ${MSG}
    source s_relay {
        syslog(
            ip(0.0.0.0)
            port(514)
            transport("tcp")
            flags(no-parse)
        );
    };
    ########################
    # Destinations
    ########################
    # Network Destination for Bitglass: prepend the tenant token, then forward over TLS
    # using the client certificate/key for authentication and ca-dir to verify the server
    destination d_collect {
        syslog("syslog.bitglass.com"
            template("0_ih7nzDU9yuRpESFwgtYNsOUKWlM= ${MSG}\n")
    ### The above token "0_ih7nzDU9yuRpESFwgtYNsOUKWlM=" should be replaced with the token from your Forcepoint ONE SSE tenant found on the Discovery page ###
            port(1999)
            transport("tls")
            tls(
                key-file("/opt/bg/deploy/syslog-ng/etc/key.d/bitglass_collector_client_cert_key.key")
                cert-file("/opt/bg/deploy/syslog-ng/etc/cert.d/bitglass_collector_client_cert.crt")
                ca-dir("/opt/bg/deploy/syslog-ng/etc/ca.d")
            )
        );
    };
    ########################
    # Log paths
    ########################
    # Relay logs received on port 514 over tcp to Bitglass
    log {
        source(s_relay);
        destination(d_collect);
    };
    Note: If you are using Cisco ASA, make sure that you enable the Send timestamp in the logstream under Configuration > Device Management > Logging > Syslog Setting.
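The CA split-and-hash work in step 2, together with the checks worth running before restarting syslog-ng, as an added shell helper. This script is not part of the Forcepoint ONE SSE documentation or product. It assumes the example paths from this topic, a syslog-ng.conf location under /opt/bg/deploy/syslog-ng/etc (an assumption; override CONF), OpenSSL and the syslog-ng binary on the relay host, and, for tls_probe, network access to the collector.

```shell
#!/bin/sh
# Added helper (not part of the Forcepoint ONE SSE documentation or product):
# splits CHAIN.CRT into one PEM per certificate, creates the hash symlinks that
# syslog-ng's ca-dir() needs, and runs pre-restart checks. Paths default to the
# example locations in the topic; CONF is an assumption, override via environment.
set -eu

CA_DIR="${CA_DIR:-/opt/bg/deploy/syslog-ng/etc/ca.d}"
CERT_FILE="${CERT_FILE:-/opt/bg/deploy/syslog-ng/etc/cert.d/bitglass_collector_client_cert.crt}"
KEY_FILE="${KEY_FILE:-/opt/bg/deploy/syslog-ng/etc/key.d/bitglass_collector_client_cert_key.key}"
CONF="${CONF:-/opt/bg/deploy/syslog-ng/etc/syslog-ng.conf}"     # assumed location
COLLECTOR="${COLLECTOR:-syslog.bitglass.com:1999}"

# split_chain CHAIN OUTDIR
# Writes CA1.pem, CA2.pem, ... into OUTDIR, one certificate per file, and prints
# how many were written. Text outside the BEGIN/END markers (for example the
# "Bag Attributes" lines a PKCS#12 export adds) is dropped so each file is clean PEM.
split_chain() {
    chain=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/CA" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$chain"
}

# hash_links DIR
# OpenSSL (and therefore syslog-ng's ca-dir()) finds a CA by the file name
# <subject-hash>.N, not by CAn.pem, so every certificate needs a symlink.
# N is normally 0; if two CAs share a subject hash the next free suffix is used.
# Re-running is safe: an existing link to the same file is left in place.
hash_links() {
    dir=$1
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -noout -hash -in "$pem")
        name=$(basename "$pem")
        i=0
        while [ -e "$dir/$h.$i" ] && [ "$(readlink "$dir/$h.$i")" != "$name" ]; do
            i=$((i + 1))
        done
        ln -sf "$name" "$dir/$h.$i"
        echo "$name -> $h.$i"
    done
}

# check_keypair: the public key inside the client certificate must equal the one
# derived from the private key, otherwise the collector rejects the handshake.
# openssl pkey prompts for a passphrase if the key file is encrypted.
check_keypair() {
    [ "$(openssl x509 -noout -pubkey -in "$CERT_FILE")" = "$(openssl pkey -in "$KEY_FILE" -pubout)" ] \
        || { echo "client certificate and private key do not match" >&2; return 1; }
}

# tls_probe: handshake with the collector using the same CA directory and client
# credentials syslog-ng will use; -verify_return_error makes any chain
# verification failure a non-zero exit instead of a warning.
tls_probe() {
    openssl s_client -connect "$COLLECTOR" -CApath "$CA_DIR" \
        -cert "$CERT_FILE" -key "$KEY_FILE" -verify_return_error </dev/null >/dev/null
}

# syntax_check: parse the config without starting the daemon (-s = --syntax-only).
syntax_check() {
    syslog-ng -s -f "$CONF"
}

# Usage: sh relay-setup.sh run /path/to/CHAIN.CRT
case "${1:-}" in
    run)
        count=$(split_chain "${2:?path to CHAIN.CRT required}" "$CA_DIR")
        echo "wrote $count CA certificate(s) to $CA_DIR"
        hash_links "$CA_DIR"
        check_keypair
        tls_probe
        syntax_check
        echo "all checks passed; restart syslog-ng to apply"
        ;;
esac
```

On OpenSSL 1.1 or later, openssl rehash "$CA_DIR" creates the same hash links as hash_links, but the explicit loop shows what ca-dir() actually depends on. After restarting syslog-ng, send a test line from a forwarding device and confirm with syslog-ng-ctl stats that the d_collect destination's processed counter rises while its dropped counter stays at zero.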