Configuring Syslog-ng relay
You can automate the log collection using the Syslog-ng relay. This topic covers how to automate log collection using the Syslog-ng relay.
Before you begin
Steps
-
Add a source statement that accepts logs forwarded by any firewall/proxy.
Example:
source s_relay { syslog(ip(0.0.0.0) port(514) transport("tcp") flags(no-parse); };
The port and transport can be adjusted if necessary.
-
Add a destination statement that includes the following:
- A template statement to prepend your customer token to every log message.
- TLS forwarding details referencing the directory of Forcepoint ONE SSE' server CA certificate, the client's certificate public and private
key.
Refer to Sample syslog-ng.conf file.
- Download the certificate from the Certificate link under the Syslog Collector section on the Discovery page. Use the included token as a password.
-
Copy the client certificate and private key to the syslog-ng client host as follows (The path locations are examples only).
- Copy the bitglass_collector_client_cert_key.key file to /opt/bg/deploy/syslog-ng/etc/key.d/bitglass_collector_client_cert_key.key
- Copy the bitglass_collector_clientcert.crt file to /opt/bg/deploy/syslog-ng/etc/cert.d/
-
Setup the CA certificates used by syslog-ng to validate syslog.bitglass.com server as follows:
- Copy the CHAIN.CRT cert file to /opt/bg/deploy/syslog-ng/etc/ca.d.
- Change directory to /opt/syslog-ng/etc/syslog-ng/ca.d.
- Open the file and copy the first certificate. Certificates start with
-----BEGIN CERTIFICATE-----
and end with-----END CERTIFICATE-----
. - Create a file such as CA1.pem and paste the copied content.
- Issue the
$ openssl x509 -noout -hash -in CA1.pem
command to generate a hash of the CA1.pem cert: - Issue the
$ ln -s CA1.pem <HASH>.0
command to create a symbolic link of the hash to the certificate.Replace HASH with the value you just obtained.
- Repeat the above sub-steps for each of the certificates in the CHAIN.CRT file.
-
Add a log statement to relays logs from sources to the syslog.bitglass.com server destination to your syslog-ng.conf file.
Sample syslog-ng.conf file
@version: 3.5 @include "scl.conf" ######################## # Global options ######################## options { chain_hostnames(no); keep_hostname(yes); flush_lines(0); use_dns(no); use_fqdn(no); perm(0640); stats_freq(0); }; ######################## # Sources ######################## source s_relay { syslog( ip(0.0.0.0) port(514) transport("udp") flags(no-parse) ); }; ######################## # Destinations ######################## # Network Destination for Bitglass destination d_collect { syslog("syslog.bitglass.com" template("0_ih7nzDU9yuRpESFwgtYNsOUKWlM= ${MSG}\n") ### The above token "0_ih7nzDU9yuRpESFwgtYNsOUKWlM=" should be replaced with the token from your Forcepoint ONE SSE tenant found on the Discovery page ### port(1999) transport("tls") tls( key-file("/opt/bg/deploy/syslog-ng/etc/key.d/bitglass_collector_client_cert_key.key") cert-file("/opt/bg/deploy/syslog-ng/etc/cert.d/bitglass_collector_client_cert.crt") ca-dir("/opt/bg/deploy/syslog-ng/etc/ca.d") ) ); }; ######################## # Log paths ######################## # Relay logs received on port 514 over tcp to Bitglass log { source(s_relay); destination(d_collect); };
Note: If you are using Cisco ASA, make sure that you enable the Send timestamp in the logstream under Configuration > Device Management > Logging > Syslog Setting.