01-27-2010 12:19 PM - edited 02-21-2020 03:51 AM
Hello,
Where can I find info/documentation regarding the "enable secure syslog using SSL/TLS" capability of the ASA? Are there any syslog servers out there that support this? I've been researching this for a while now...it appears there's not much documentation regarding this feature (or at least regarding its setup).
I'm aware that you can build IPSEC tunnels to encrypt plaintext syslog, but SSL/TLS encrypted syslog is a very attractive option.
Anyone doing this?
01-31-2010 08:35 AM
You cannot encrypt syslogs. You have 2 options though:
- Send them over a tunnel like you are saying
- Send them with SNMP traps and use the community string to encrypt SNMP
I hope it helps.
PK
02-03-2010 07:58 AM
If this is true, why does the ASA have "Enable secure syslog using SSL/TLS" as an option?
02-03-2010 08:57 AM
Is that a doc you are referring to?
Panos
02-03-2010 09:03 AM
Not so much a doc as the ASDM interface I'm looking at right now... ASA version 8+ and ASDM 6.2. Configuration > Device Management > Logging > Syslog Server > Add > Choose TCP.... look for check box "Enable secure syslog using SSL/TLS"...
02-03-2010 10:52 AM
I see.
That checkbox is greyed out when there is no VPN configured. If there is VPN then it will just match the syslog traffic in the crypto ACL.
I hope it makes sense.
PK
02-03-2010 11:11 AM
That appears to be incorrect. You need to choose TCP syslog for the "enable secure syslog using SSL/TLS" option to become available. I just disabled IPSEC on all interfaces and verified the tunnels are no longer available, yet this option still exists. I'm fairly certain syslog with the SSL/TLS option and what IPSEC tunnels are present on the device are completely unrelated.
02-03-2010 11:33 AM
It will not work.
I tested on my ASDM, without any VPN config it is grayed out.
Enable preview commands on ASDM and check that checkbox and see what command ASDM will push, that will tell you what that checkbox does and will clarify it for you.
Please do post a reply if I am mistaken.
Panos
02-03-2010 11:44 AM
The command preview is: "logging host inside 1.2.3.4 6/1470 secure", and it will apply. Sitting on the syslog server, I get one message that appears to be the initial handshake for a TLS connection and then nothing. I just need the documentation on setting this up such as: where do you configure the TLS settings for syslog? It doesn't appear Cisco has ANY documentation regarding this from my two+ hours of searching...
02-03-2010 12:14 PM
OK, it ends up that you are right, it has been added in 8.0.2 and later.
Explained here http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772754
The secure keyword specifies that the connection to the remote logging host should use SSL/TLS. This option is valid only if the protocol selected is TCP.
Note: A secure logging connection can only be established with a SSL/TLS-capable syslog server. If a SSL/TLS connection cannot be established, all new connections will be denied. You may change this default behavior by entering the logging permit-hostdown command.
I believe it is clear now.
PK
02-03-2010 12:55 PM
Do you know of any SSL/TLS capable log servers? Anyone know of any configuration examples for doing this?
02-04-2010 06:15 AM
Hi,
I am Rainer Gerhards, author of rsyslog [1]. I guess Cisco has implemented RFC5424/5425. Rsyslog served as test bed during standard definition. It has a fairly decent implementation of TLS syslog, but I did not yet have any chance to do any interop testing. It may work out of the box, but (likely) it may also require some code changes.
If someone here has the necessary equipment, I would appreciate if you could give rsyslog a try. I will try my best to solve any issues as quickly as possible.
You can also contact me at rgerhards@adiscon.com - I don't know if I will receive automatic notifications of any replies here (I just registered for this posting).
Thanks,
Rainer
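A minimal TLS-capable receiver for checking what the ASA sends after the handshake, as an added example that is not part of any post in this thread and is not rsyslog or Cisco code. It assumes Python 3.8+, port 1470 from the command preview above, placeholder certificate and key paths, and that messages arrive either octet-counted (RFC 5425) or one per line; the thread does not state which framing the ASA uses.

```python
import re
import socket
import ssl

def split_frames(buf):
    """Return (messages, unparsed_tail); accepts octet-counted or LF-delimited frames."""
    msgs = []
    while buf := buf.lstrip(b"\r\n"):
        m = re.match(rb"(\d{1,7}) ", buf)
        if m:                                     # RFC 5425: "MSG-LEN SP SYSLOG-MSG"
            end = m.end() + int(m.group(1))
            if len(buf) < end:
                break                             # body still arriving
            msgs.append(buf[m.end():end])
            buf = buf[end:]
        elif buf[:1] == b"<":                     # one message per line
            line, sep, rest = buf.partition(b"\n")
            if not sep:
                break                             # line still arriving
            msgs.append(line.rstrip(b"\r"))
            buf = rest
        elif buf.isdigit() and len(buf) < 8:
            break                                 # length prefix still arriving
        else:
            raise ValueError("unrecognised framing")
    return msgs, buf

def decode_pri(msg):                              # -> (facility, severity) or None
    m = re.match(rb"<(\d{1,3})>", msg)
    return divmod(int(m.group(1)), 8) if m else None

def serve(certfile, keyfile, host="0.0.0.0", port=1470):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no client certificate requested
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_server((host, port)) as srv:
        while True:                               # one sender at a time
            raw, peer = srv.accept()
            try:
                with ctx.wrap_socket(raw, server_side=True) as tls:
                    print(peer, "handshake ok:", tls.version())
                    buf = b""
                    while chunk := tls.recv(4096):
                        msgs, buf = split_frames(buf + chunk)
                        for msg in msgs:
                            print(peer, decode_pri(msg), msg.decode(errors="replace"))
            except (ssl.SSLError, OSError, ValueError) as exc:
                print(peer, "failed:", exc)       # e.g. sender rejected the certificate

if __name__ == "__main__":
    serve("server.crt", "server.key")             # placeholder certificate/key paths
```

A "failed" line printed instead of "handshake ok" means the TLS session was never established, which separates certificate or protocol-version problems from framing problems.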
04-20-2017 03:35 AM
Well I have the same problem. The syslog server I use is logstash. Problem is that I use SSL to send the logs from other hosts over the INET. I would need to upload my cert to ASA and tell ASA to use it when logs are sent to logstash.
Unfortunately there is no such option or I cannot see it. ASA 5520 9.1(5)
Anybody found solution?
02-09-2016 12:20 PM
I believe you can use an ACS server to encrypt syslog.
06-01-2017 01:15 AM
Hi All,
I know this is quite old :)
but as it appears in search, I used syslog-ng on Linux and it is working fine