
FTD Secure Syslog

goudier2001
Level 1

Can anyone provide documentation on configuring Secure Syslog from FTDs?

Documentation is limited from Cisco.

2 Accepted Solutions

Hi again, I tested this in my lab using FMC and rsyslog, and want to share my results with you.

The syslog server has its certificate and private key, and most servers only support one certificate per instance.
My rsyslog setup was based on the following tutorial: https://www.rsyslog.com/doc/master/tutorials/tls.html

The certificate I had on my syslog server was signed by an intermediate cert which in turn is signed by a root CA.

I started by only adding the public key of my syslog certificate to the managed device via FMC (device->certificates). I noticed that the device tried to communicate with my syslog but I did not get anything in my logs.
I then added the intermediate certificate to the device, and now I'm getting logs successfully.
I then removed the syslog identity certificate from the FMC/device, and syslog still works.

While I haven't tested with self-signed certificates, my conclusion is:

You only need to add the signing certificate of the syslog certificate (i.e. the intermediate or root CA, depending on your setup) to the device managed by FMC, and then check "enable secure syslog"; since the device trusts the syslog issuer, TLS-encrypted syslogs flow.

8 Replies

I mean configuring secure syslog on FTD by FMC.

Then check the link I shared above.

Thanks, I've seen the document you provided, but it doesn't cover off the certificate side of the secure syslog element for FTD, which is what I'm after, if you could help?

There's a bit better description, although not superb, in the Platform Settings part of the documentation:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/interfaces-settings-platform.html


"Check the Enable Secure Syslog check box to encrypt the connection between the device and server using SSL/TLS over TCP.

Note You must select TCP as the protocol to use this option. You must also upload the certificate required to communicate with the syslog server on the Devices > Certificates page. Finally, upload the certificate from the threat defense device to the syslog server to complete the secure relationship and allow it to decrypt the traffic. The Enable Secure Syslog option is not supported on the device Management interface. "
Thanks, I read that as well, but as you mention it's vague around the certificate, as there is a need to create certificate enrolment objects as part of the identity certificate.

to clarify with demo data:
My root CA: CN = Natti Root CA
My intermediate CA: CN = Natti Intermediate CA  (issued by Natti root CA)
My rsyslog certificate: CN = rsyslog (issued by Natti Intermediate CA)

I installed the "Natti Intermediate CA" (pubkey only) certificate on the managed FTD device via FMC -> Devices -> Certificates
And then added the syslog server with the "Enable secure syslog" checked.
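As an added example (not from the thread, and not Cisco's or rsyslog's own code), this script rebuilds the demo PKI described above with openssl and uses `openssl verify` as a stand-in for the FTD's trust decision, so you can see why the intermediate alone works while the root alone does not. It assumes openssl is installed; the CA names and the "rsyslog" hostname are constructed to match the post.

```shell
#!/bin/sh
# Constructed demo PKI: Natti Root CA -> Natti Intermediate CA -> rsyslog (server cert).
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Key + CSR for each tier; -subj avoids the interactive prompts.
mkcsr() { openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
            -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
mkcsr root    "Natti Root CA"
mkcsr inter   "Natti Intermediate CA"
mkcsr rsyslog "rsyslog"

# Extensions: CA certs need CA:TRUE or openssl refuses to use them as issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:rsyslog\n' > srv.ext

# Root self-signs; the intermediate is issued by the root; the rsyslog cert by the intermediate.
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in rsyslog.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 365 -extfile srv.ext -out rsyslog.pem 2>/dev/null

# Models the FTD trust store: $1 is the cert installed under Devices > Certificates;
# optional $2 is an extra cert the syslog server presents during the handshake (untrusted).
# -partial_chain lets a non-root CA act as the trust anchor, which matches what the
# thread observed when only the intermediate was installed on the device.
trusts_rsyslog() {
    if [ -n "$2" ]; then
        openssl verify -partial_chain -CAfile "$1" -untrusted "$2" rsyslog.pem >/dev/null 2>&1
    else
        openssl verify -partial_chain -CAfile "$1" rsyslog.pem >/dev/null 2>&1
    fi
}

report() { if trusts_rsyslog "$@"; then echo "OK:   $*"; else echo "FAIL: $*"; fi; }
report inter.pem            # intermediate alone: validates (the thread's working setup)
report root.pem             # root alone: fails, the issuer "Natti Intermediate CA" is missing
report root.pem inter.pem   # root trusted and the server sends the intermediate: validates
```

The third case is the alternative to installing the intermediate on the FTD: if the rsyslog certificate file contains the leaf followed by the intermediate, trusting only the root on the device is enough.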
