cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
33846
Views
10
Helpful
15
Replies

Encrypted Syslog

rondcisco
Level 1
Level 1

Hello,

Where can I find info/documentation regarding the "enable secure syslog using SSL/TLS" capability of the ASA? Are there any syslog servers out there that support this? I've been researching this for a while now...it appears there's not much documentation regarding this feature (or at least regarding its setup).

I'm aware that you can build IPSEC tunnels to encrypt plaintext syslog, but  SSL/TLS encrypted syslog is a very attractive option.

Anyone doing this?

15 Replies 15

Panos Kampanakis
Cisco Employee
Cisco Employee

You cannot encrypt syslogs. You have 2 options though:

- Send them over a tunnel like you are saying

- send them with snmp traps and use the community string to encrypt snmp

I hope it helps.

PK

If this is true, why does does the ASA have "Enable secure syslog using SSL/TLS" as an option?

Is that a doc you are referring to?

Panos

Not so much a doc as the ASDM interface I'm looking at right now... ASA version 8+ and ASDM 6.2. Configuration > Device Management > Logging > Syslog Server > Add > Choose TCP.... look for check box "Enable secure syslog using SSL/TLS"...

I see.

That chcekbox is greyed out when there is no VPN configured. If there is VPN then it will just match the syslog traffic in the crypto ACL.

I hope it makes sense.

PK

That appears to be incorrect. You need to choose TCP syslog for the "enable secure syslog using SSL/TLS" option to become available. I just disabled IPSEC on all interfaces and verified the tunnels are no longer avaiable, yet this option still exists. I'm fairly certain syslog with the SSL/TLS option and what IPSEC tunnels are present on the device are completely unrelated.

It will not work.

I tested on my ASDM, without any VPN config it is grayed out.

Enable preview commands on ASDM and check that checkbox and see what command ASDM will push, that will tell you what that checkbox does and will clarify it for you.

Please do post a reply if I am mistaken.

Panos

The command preview is: "logging host inside 1.2.3.4 6/1470 secure", and it will apply. Sitting on the syslog server, I get one message that appears to be the initial handshake for a TLS connection and then nothing. I just need the documentation on setting this up such as: where do you configure the TLS settings for syslog? It doesn't appear Cisco has ANY documentation regarding this from my two+ hours of searching...

OK, it ends up that you are right, it has been addede in 8.0.2 and later.

Explained here http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772754

The secure keyword specifies that the connection to the remote logging host should use SSL/TLS. This option is valid only if the protocol selected is TCP.

Note A secure logging connection can only be established with a SSL/TLS- capable syslog server. If a SSL/TLS connection cannot be established, all new connections will be denied. You may change this default behavior by entering the logging permit-hostdown command.

I believe it is clear now.

PK

Do you know of any SSL/TLS capable log servers? Anyone know of any configuration examples for doing this?

Hi,

I am Rainer Gerhards, author of rsyslog [1]. I guess Cisco has implemented RFC5424/5425. Rsyslog served as test bed during standard definition. It has a fairly decent implementation of TLS syslog, but I did not yet have any chance to do any interop testing. It may work out of the box, but (likely) it may also require some code changes.

If someone here has the necessary equipment, I would appreciate if you could give rsyslog a try. I will try my best to solve any issues as quickly as possible.

You can also contact me at rgerhards@adiscon.com - I dont' know if I will receive automatic notifications of any replies here (I just registered for this posting ).

Thanks,

Rainer

[1] http://www.rsyslog.com

Well I have the same problem. The syslog server I use is logstash. Problem is that I use SSL to send the logs from other hosts over the INET. I would need to upload my cert to ASA and tell ASA to use it when logs are sent to logstash. 

Unfortunately there is not such option or I cannot see it. ASA 5520 9.1(5)

Anybody found solution?

hammack.ryan
Level 1
Level 1

I believe you can use an ACS server to encrypt syslog.

IBMintdev
Level 1
Level 1

Hi All,

I know this is quiet old :)

but as it appear in search, I used syslog-ng on linux and it is working fine

Review Cisco Networking for a $25 gift card