topic Re: Encrypted Syslog in Network Security

Encrypted Syslog

rondcisco — Fri, 21 Feb 2020 11:51:36 GMT

Hello,

Where can I find info/documentation regarding the "enable secure syslog using SSL/TLS" capability of the ASA? Are there any syslog servers out there that support this? I've been researching this for a while now...it appears there's not much documentation regarding this feature (or at least regarding its setup).

I'm aware that you can build IPSEC tunnels to encrypt plaintext syslog, but SSL/TLS encrypted syslog is a very attractive option.

Anyone doing this?

Re: Encrypted Syslog

Panos Kampanakis — Sun, 31 Jan 2010 16:35:33 GMT

You cannot encrypt syslogs. You have 2 options though:

- Send them over a tunnel like you are saying

- send them with snmp traps and use the community string to encrypt snmp

I hope it helps.

Re: Encrypted Syslog

rondcisco — Wed, 03 Feb 2010 15:58:29 GMT

If this is true, why does does the ASA have "Enable secure syslog using SSL/TLS" as an option?

Re: Encrypted Syslog

Panos Kampanakis — Wed, 03 Feb 2010 16:57:54 GMT

Is that a doc you are referring to?

Panos

Re: Encrypted Syslog

rondcisco — Wed, 03 Feb 2010 17:03:57 GMT

Not so much a doc as the ASDM interface I'm looking at right now... ASA version 8+ and ASDM 6.2. Configuration > Device Management > Logging > Syslog Server > Add > Choose TCP.... look for check box "Enable secure syslog using SSL/TLS"...

Re: Encrypted Syslog

Panos Kampanakis — Wed, 03 Feb 2010 18:52:50 GMT

I see.

That chcekbox is greyed out when there is no VPN configured. If there is VPN then it will just match the syslog traffic in the crypto ACL.

I hope it makes sense.

Re: Encrypted Syslog

rondcisco — Wed, 03 Feb 2010 19:11:11 GMT

That appears to be incorrect. You need to choose TCP syslog for the "enable secure syslog using SSL/TLS" option to become available. I just disabled IPSEC on all interfaces and verified the tunnels are no longer avaiable, yet this option still exists. I'm fairly certain syslog with the SSL/TLS option and what IPSEC tunnels are present on the device are completely unrelated.

Re: Encrypted Syslog

Panos Kampanakis — Wed, 03 Feb 2010 19:33:37 GMT

It will not work.

I tested on my ASDM, without any VPN config it is grayed out.

Enable preview commands on ASDM and check that checkbox and see what command ASDM will push, that will tell you what that checkbox does and will clarify it for you.

Please do post a reply if I am mistaken.

Panos

Re: Encrypted Syslog

rondcisco — Wed, 03 Feb 2010 19:44:18 GMT

The command preview is: "logging host inside 1.2.3.4 6/1470 secure", and it will apply. Sitting on the syslog server, I get one message that appears to be the initial handshake for a TLS connection and then nothing. I just need the documentation on setting this up such as: where do you configure the TLS settings for syslog? It doesn't appear Cisco has ANY documentation regarding this from my two+ hours of searching...

Re: Encrypted Syslog

Panos Kampanakis — Wed, 03 Feb 2010 20:14:12 GMT

OK, it ends up that you are right, it has been addede in 8.0.2 and later.

Explained here http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772754

The secure keyword specifies that the connection to the remote logging host should use SSL/TLS. This option is valid only if the protocol selected is TCP.

Note A secure logging connection can only be established with a SSL/TLS- capable syslog server. If a SSL/TLS connection cannot be established, all new connections will be denied. You may change this default behavior by entering the logging permit-hostdown command.

I believe it is clear now.

Re: Encrypted Syslog

rondcisco — Wed, 03 Feb 2010 20:55:23 GMT

Do you know of any SSL/TLS capable log servers? Anyone know of any configuration examples for doing this?

Re: Encrypted Syslog

rgerhards — Thu, 04 Feb 2010 14:15:24 GMT

Hi,

I am Rainer Gerhards, author of rsyslog [1]. I guess Cisco has implemented RFC5424/5425. Rsyslog served as test bed during standard definition. It has a fairly decent implementation of TLS syslog, but I did not yet have any chance to do any interop testing. It may work out of the box, but (likely) it may also require some code changes.

If someone here has the necessary equipment, I would appreciate if you could give rsyslog a try. I will try my best to solve any issues as quickly as possible.

You can also contact me at rgerhards@adiscon.com - I dont' know if I will receive automatic notifications of any replies here (I just registered for this posting ).

Thanks,

Rainer

[1] http://www.rsyslog.com

I believe you can use an ACS

hammack.ryan — Tue, 09 Feb 2016 20:20:16 GMT

I believe you can use an ACS server to encrypt syslog.

Well I have the same problem.

patrykkandziora — Thu, 20 Apr 2017 10:35:24 GMT

Well I have the same problem. The syslog server I use is logstash. Problem is that I use SSL to send the logs from other hosts over the INET. I would need to upload my cert to ASA and tell ASA to use it when logs are sent to logstash.

Unfortunately there is not such option or I cannot see it. ASA 5520 9.1(5)

Anybody found solution?

Hi All,

IBMintdev — Thu, 01 Jun 2017 08:15:54 GMT

Hi All,

I know this is quiet old 🙂

but as it appear in search, I used syslog-ng on linux and it is working fine

Re: Hi All,

p.juarezponte — Fri, 14 Sep 2018 08:41:57 GMT

Hello everybody

I know this is an old post, but i'm trying to implement this.

Could anybody tell me if this can be done?

I added a cert (syslog's cert) as a trustpoint, but don't know hot to associate to logg configuration.

It asks for a "reference identity".

Does anybody has any configuraion guide?????