topic Re: FTD Secure Syslog in Network Security

FTD Secure Syslog

goudier2001 — Tue, 01 Aug 2023 14:40:43 GMT

Can anyone provide documentation on configuring Secure Syslog from FTD's.

Documentation is limited from Cisco.

Re: FTD Secure Syslog

MHM Cisco World — Tue, 01 Aug 2023 15:59:28 GMT

You meaning config syslog for FTD by FDM or FMC ?

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200479-Configure-Logging-on-FTD-via-FMC.html

Re: FTD Secure Syslog

goudier2001 — Tue, 01 Aug 2023 17:49:15 GMT

I mean configuring secure Syslog FTD by FMC

Re: FTD Secure Syslog

MHM Cisco World — Tue, 01 Aug 2023 17:58:10 GMT

Then check link I share above

Re: FTD Secure Syslog

goudier2001 — Tue, 01 Aug 2023 18:10:24 GMT

Thanks, I've seen the document you provided, but its doesn't cover off the certificate side of the secure syslog element for FTD which is what I'm after if you could help?

Re: FTD Secure Syslog

Jonatan Jonasson — Tue, 01 Aug 2023 22:39:23 GMT

There's a bit better description, although not superb, in the Platform Settings part of the documentation:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-platform.html

"Check the Enable Secure Syslog check box to encrypt the connection between the device and server using SSL/TLS over TCP.

Note You must select TCP as the protocol to use this option. You must also upload the certificate required to communicate with the syslog server on the Devices > Certificates page. Finally, upload the certificate from the threat defense device to the syslog server to complete the secure relationship and allow it to decrypt the traffic. The Enable Secure Syslog option is not supported on the device Management interface. "

Re: FTD Secure Syslog

goudier2001 — Tue, 01 Aug 2023 22:44:57 GMT

Thanks, I read that as well, but as you mention its vague around the certificate as there is a need to create certificate enrolment objects as part of the identity certificate.

Re: FTD Secure Syslog

Jonatan Jonasson — Tue, 01 Aug 2023 23:26:36 GMT

Hi again, I tested this in my lab using FMC and rsyslog, and to share with you my results.

The syslog server has it's certificate and private key, and most servers only support one certificate per instance.
My rsyslog setup was based on the following tutorial: https://www.rsyslog.com/doc/master/tutorials/tls.html

The certificate I had on my syslog server was signed by an intermediate cert which in turn is signed by a root ca.

I started by only adding the public key of my syslog certificate to the managed device via FMC (device->certificates). I noticed that the device tried to communicate with my syslog but I did not get anything in my logs.
I then added the intermediate certificate to the device, and now I'm logs successfully.
I then removed the syslog identify certificate from the FMC/device, and syslog still works.

While I haven't tested with self-signed certificates, my conclusion is:

You only need to add the signing certificate of the syslog certificate (ie the intermediate, or root ca depending on your setup) to the device managed by FMC, and then check the "enable secure syslog", and since the device trusts the syslog issuer, TLS encrypted syslogs flow.

Re: FTD Secure Syslog

Jonatan Jonasson — Tue, 01 Aug 2023 23:33:19 GMT

to clarify with demo data:
My root CA: CN = Natti Root CA
My intermediate CA: CN = Natti Intermediate CA (issued by Natti root CA)
My rsyslog certificate: CN = rsyslog (issued by Natti Intermediate CA)

I installed the "Natti Intermediate CA" (pubkey only) certificate on the managed FTD device via FMC -> Devices -> Certificates
And then added the syslog server with the "Enable secure syslog" checked.