cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2792
Views
5
Helpful
8
Replies

FTD Secure Syslog

goudier2001
Level 1
Level 1

Can anyone provide documentation on configuring Secure Syslog from FTD's.

Documentation is limited from Cisco.

2 Accepted Solutions

Accepted Solutions

Hi again, I tested this in my lab using FMC and rsyslog, and to share with you my results.

The syslog server has it's certificate and private key, and most servers only support one certificate per instance.
My rsyslog setup was based on the following tutorial: https://www.rsyslog.com/doc/master/tutorials/tls.html

The certificate I had on my syslog server was signed by an intermediate cert which in turn is signed by a root ca.

I started by only adding the public key of my syslog certificate to the managed device via FMC (device->certificates). I noticed that the device tried to communicate with my syslog but I did not get anything in my logs.
I then added the intermediate certificate to the device, and now I'm logs successfully.
I then removed the syslog identify certificate from the FMC/device, and syslog still works.

While I haven't tested with self-signed certificates, my conclusion is:

You only need to add the signing certificate of the syslog certificate (ie the intermediate, or root ca depending on your setup) to the device managed by FMC, and then check the "enable secure syslog", and since the device trusts the syslog issuer, TLS encrypted syslogs flow.

 

View solution in original post

8 Replies 8

I mean configuring secure Syslog FTD by FMC

Then check link I share above 

Thanks, I've seen the document you provided, but its doesn't cover off the certificate side of the secure syslog element for FTD which is what I'm after if you could help? 

There's a bit better description, although not superb, in the Platform Settings part of the documentation:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-platform.html


"Check the Enable Secure Syslog check box to encrypt the connection between the device and server using SSL/TLS over TCP.

Note You must select TCP as the protocol to use this option. You must also upload the certificate required to communicate with the syslog server on the Devices > Certificates page. Finally, upload the certificate from the threat defense device to the syslog server to complete the secure relationship and allow it to decrypt the traffic. The Enable Secure Syslog option is not supported on the device Management interface. "




Thanks, I read that as well, but as you mention its vague around the certificate as there is a need to create certificate enrolment objects as part of the identity certificate. 

Hi again, I tested this in my lab using FMC and rsyslog, and to share with you my results.

The syslog server has it's certificate and private key, and most servers only support one certificate per instance.
My rsyslog setup was based on the following tutorial: https://www.rsyslog.com/doc/master/tutorials/tls.html

The certificate I had on my syslog server was signed by an intermediate cert which in turn is signed by a root ca.

I started by only adding the public key of my syslog certificate to the managed device via FMC (device->certificates). I noticed that the device tried to communicate with my syslog but I did not get anything in my logs.
I then added the intermediate certificate to the device, and now I'm logs successfully.
I then removed the syslog identify certificate from the FMC/device, and syslog still works.

While I haven't tested with self-signed certificates, my conclusion is:

You only need to add the signing certificate of the syslog certificate (ie the intermediate, or root ca depending on your setup) to the device managed by FMC, and then check the "enable secure syslog", and since the device trusts the syslog issuer, TLS encrypted syslogs flow.

 

to clarify with demo data:
My root CA: CN = Natti Root CA
My intermediate CA: CN = Natti Intermediate CA  (issued by Natti root CA)
My rsyslog certificate: CN = rsyslog (issued by Natti Intermediate CA)

I installed the "Natti Intermediate CA" (pubkey only) certificate on the managed FTD device via FMC -> Devices -> Certificates
And then added the syslog server with the "Enable secure syslog" checked.

Review Cisco Networking for a $25 gift card