Nexus 9K Secure Syslog not working

towabis772
Level 1

Hello everyone,

I've been trying to set up Secure Syslog for hours, but I can't get it to work. I tried following the NX-OS System Management Configuration Guide, but it doesn't really go in depth on the topic. This is what I did:

conf t

logging server IP ADDRESS secure use-vrf management

After that I generated a CA cert on my Syslog server, used it to create a self-signed certificate and added them to the Syslog config. The configuration looks OK on the server side, port 6514 is correctly open and listening.

This is where I'm getting lost. Following the Cisco Guide, I should just do this:

crypto ca trustpoint trustpoint-name

crypto ca authenticate trustpoint-name (adding the certificate from CA generated earlier)

The certificate authentication looks to be successful, but I still cannot see any TLS traffic coming from the switch. I would expect at least some sort of client hello, even if there were any misconfiguration, but I can't see anything.

Can anyone assist me with that? I couldn't find any documentation related to this for NX-OS. Forgive me for the bad formatting, I'm on mobile right now. I'll try to fix it ASAP.

4 Replies

r.heitmann
Level 1

Can you establish a TCP session to your secure syslog server?

For example, if

logging server <IP ADDRESS> secure use-vrf management

is configured, did you try

telnet <IP ADDRESS> 6514 vrf management

(avoid any further keys in your session, no return...)

With rsyslogd this works; looking at your Linux/syslogd:

netstat -tn | egrep "6514"
tcp 0 0 <RSYSLOG-IP>:6514 <NEXUS-IP>:<random-client-port> ESTABLISHED

?

Thank you for your time.

I was under the impression that secure syslog would open port 6514 by default. I tried your approach using 6514 instead of 514 and I get:

netstat -tn | egrep "6514"
tcp 0 0 <RSYSLOG-IP>:6514 <NEXUS-IP>:<random-client-port> ESTABLISHED

As expected.

Yes, of course; I edited my CLI commands/output to death... TCP port 6514 is the correct default port for secure syslog. (I'll fix that in my original posting.)

But your result looks fine, it's not a network/firewall etc. issue between your Nexus switch and the syslog receiver.

It might be a certificate issue: you wrote that you use a self-signed certificate at your syslogd... I never tried that. Did you import your self-signed cert as "CA" cert into your NX-OS trustpoint config?


First day in the lab after the holiday.

=> secure syslog works fine here

  • using a hostname to point to syslogd
  • to enable the certificate check
    • since the certificate my rsyslogd uses only contains CN=rsyslog.lab.local and no IP


ip host rsyslog.lab.local 192.168.1.22

logging server rsyslog.lab.local 7 port 6514 secure use-vrf management
logging source-interface mgmt0
logging monitor 7


This is the self-signed certificate my rsyslogd uses:


NXOS# show crypto ca certificates
Trustpoint: TP
CA certificate 0:
subject=C = DE, ST = HAM, L = HH, O = ORG, OU = OUOU, CN = rsyslog.lab.local
issuer=C = DE, ST = HAM, L = HH, O = ORG, OU = OUOU, CN = rsyslog.lab.local
serial=6D1945E2613F14635A84711FF7A4FAKED3EE3F71
notBefore=Aug  30 19:21:29 2023 GMT
notAfter=Aug  29 19:21:29 2033 GMT
SHA1 Fingerprint=4E:3C:13:5A:77:F1:P1:1C:12:FA:KE:Q8:55:51:64:19:89:5A:D2:7D
purposes: sslserver sslclient


which was added using


crypto ca trustpoint TP
ex
crypto ca authenticate TP
...
end


Having

  • valid Time/NTP-settings

makes sense, too, of course.

I'm running NXOS 10.2(2F) here.

S1# show sockets connection tcp

Total number of netstack tcp sockets: 5
Active connections (including servers)
        Protocol State/       Recv-Q/   Local Address(port)/
                 Context      Send-Q    Remote Address(port)
...
[host]: tcp      ESTABLISHED  0         10.1.2.3(59261)
                 management   0         192.168.1.22(6514)
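The last reply boils down to three conditions the switch must satisfy before it will even send a ClientHello's worth of data: the server certificate (self-signed here) must be imported as the trust anchor, the name configured in `logging server` must match a name in that certificate, and the switch clock must fall inside the certificate's validity window. The following Go program is an added example, not code from the thread, from Cisco, or from rsyslog; it uses Go's crypto/x509 as a stand-in for the switch's TLS validation so each of those failure modes can be reproduced offline. The host name rsyslog.lab.local and the IP 192.168.1.22 are the lab values from the reply above; everything else (key type, validity period, the IP-SAN variant) is assumed for illustration. One caveat: Go, like most current TLS stacks, ignores the Subject CN when matching names, so this example puts rsyslog.lab.local into a DNS SAN; whether NX-OS accepts a CN-only certificate, as the reply suggests it did, is not something this example can show.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumed lab values, taken from the thread: the rsyslogd host name and its IP.
const (
	syslogHost = "rsyslog.lab.local"
	syslogIP   = "192.168.1.22"
)

// newSelfSigned creates a self-signed server certificate for the rsyslogd host,
// standing in for the one the thread imports into the NX-OS trustpoint. The
// host name always goes into a DNS SAN; withIPSAN decides whether the server IP
// is listed as well. notBefore is a parameter so the NTP/clock case can be shown.
func newSelfSigned(withIPSAN bool, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"ORG"}, CommonName: syslogHost},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(10, 0, 0),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own issuer and becomes the trust anchor
		DNSNames:              []string{syslogHost},
	}
	if withIPSAN {
		tmpl.IPAddresses = []net.IP{net.ParseIP(syslogIP)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// anchorFor returns a trust store holding only the given certificate, the
// equivalent of importing a self-signed server cert with "crypto ca authenticate".
func anchorFor(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

// verifyServer performs the checks a TLS syslog client applies to the server
// certificate: validity period against the local clock, chain to a trust
// anchor, and a match between the configured server name and the cert's SANs.
func verifyServer(cert *x509.Certificate, anchors *x509.CertPool, serverName string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       anchors,
		DNSName:     serverName,
		CurrentTime: now,
	})
	return err
}

func main() {
	now := time.Now()
	hostOnly, err := newSelfSigned(false, now.Add(-time.Hour))
	if err != nil {
		panic(err)
	}
	withIP, err := newSelfSigned(true, now.Add(-time.Hour))
	if err != nil {
		panic(err)
	}
	cases := []struct {
		label   string
		cert    *x509.Certificate
		anchors *x509.CertPool
		name    string
		clock   time.Time
	}{
		{"host name, cert imported as CA", hostOnly, anchorFor(hostOnly), syslogHost, now},
		{"IP address, cert has no IP SAN", hostOnly, anchorFor(hostOnly), syslogIP, now},
		{"IP address, cert has IP SAN", withIP, anchorFor(withIP), syslogIP, now},
		{"host name, trustpoint empty", hostOnly, x509.NewCertPool(), syslogHost, now},
		{"host name, switch clock two days behind", hostOnly, anchorFor(hostOnly), syslogHost, now.AddDate(0, 0, -2)},
	}
	for _, c := range cases {
		if err := verifyServer(c.cert, c.anchors, c.name, c.clock); err != nil {
			fmt.Printf("FAIL %-40s %v\n", c.label, err)
		} else {
			fmt.Printf("ok   %s\n", c.label)
		}
	}
}
```

The second case is the one the reply worked around with `ip host` and a host name in `logging server`: pointing at the IP fails unless the certificate carries that IP as a SAN, while the host name matches. The fourth case is the "did you import it as CA" question, and the fifth is the NTP point; all three fail before any syslog message is sent, which is consistent with seeing no traffic on the wire.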

