08-08-2023 02:09 AM - edited 08-08-2023 02:12 AM
Hello everyone,
I've been trying to set up Secure Syslog for hours, but I can't get it to work. I tried following the NX-OS System Management Configuration Guide, but it doesn't really go in depth on the topic. This is what I did:
conf t
logging server IP ADDRESS secure use-vrf management
After that I generated a CA cert on my syslog server, used it to create a self-signed certificate and added them to the syslog config. The configuration looks OK on the server side; port 6514 is correctly open and listening.
This is where I'm getting lost. Following the Cisco Guide, I should just do this:
crypto ca trustpoint trustpoint-name
crypto ca authenticate trustpoint-name (adding the certificate from CA generated earlier)
The certificate authentication looks to be successful, but I still cannot see any TLS traffic coming from the switch. I would expect at least some sort of Client Hello, even if there were some misconfiguration, but I can't see anything.
Can anyone assist me with that? I couldn't find any documentation related to this for NX-OS. Forgive me for the bad formatting, I'm on mobile right now. I'll try to fix it ASAP.
08-12-2023 02:39 PM - edited 08-14-2023 05:48 AM
Can you establish a TCP session to your secure syslog server?
for example, if
logging server <IP ADDRESS> secure use-vrf management
is configured, did you try
telnet <IP ADDRESS> 6514 vrf management
(avoid any further keys in your session, no return...)
With rsyslogd this works; looking at your Linux syslogd:
netstat -tn | egrep "6514"
tcp 0 0 <RSYSLOG-IP>:6514 <NEXUS-IP>:<random-client-port> ESTABLISHED
?
08-14-2023 02:25 AM
Thank you for your time.
I was under the impression that secure syslog would open port 6514 by default. I tried your approach using 6514 instead of 514 and I get:
netstat -tn | egrep "6514"
tcp 0 0 <RSYSLOG-IP>:6514 <NEXUS-IP>:<random-client-port> ESTABLISHED
As expected.
08-14-2023 05:47 AM
Yes, of course; I edited my CLI commands/output to death... TCP port 6514 is the correct default port for secure syslog. (I'll fix that in my original posting.)
But your result looks fine; it's not a network/firewall/etc. issue between your Nexus switch and the syslog receiver.
It might be a certificate issue. You wrote that you use a self-signed certificate at your syslogd... I never tried that. Did you import your self-signed cert as "CA" cert into your NX-OS trustpoint config?
08-30-2023 10:54 AM - edited 08-30-2023 10:57 AM
First day in the lab after the holiday.
=> secure syslog works fine here
ip host rsyslog.lab.local 192.168.1.22
logging server rsyslog.lab.local 7 port 6514 secure use-vrf management
logging source-interface mgmt0
logging monitor 7
This is the self-signed certificate my rsyslogd uses:
NXOS# show crypto ca certificates
Trustpoint: TP
CA certificate 0:
subject=C = DE, ST = HAM, L = HH, O = ORG, OU = OUOU, CN = rsyslog.lab.local
issuer=C = DE, ST = HAM, L = HH, O = ORG, OU = OUOU, CN = rsyslog.lab.local
serial=6D1945E2613F14635A84711FF7A4FAKED3EE3F71
notBefore=Aug 30 19:21:29 2023 GMT
notAfter=Aug 29 19:21:29 2033 GMT
SHA1 Fingerprint=4E:3C:13:5A:77:F1:P1:1C:12:FA:KE:Q8:55:51:64:19:89:5A:D2:7D
purposes: sslserver sslclient
which was added using
crypto ca trustpoint TP
ex
crypto ca authenticate TP
...
end
having
makes sense, too, of course.
I'm running NX-OS 10.2(2F) here.
S1# show sockets connection tcp
Total number of netstack tcp sockets: 5
Active connections (including servers)
Protocol State/ Recv-Q/ Local Address(port)/
Context Send-Q Remote Address(port)
...
[host]: tcp ESTABLISHED 0 10.1.2.3(59261)
management 0 192.168.1.22(6514)
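The two outputs in the post above (the trustpoint certificate and the netstack socket table) are exactly what to check when a secure-syslog session does not come up. The script below is an added example, not code from the thread or from Cisco: it parses captured `show crypto ca certificates` and `show sockets connection tcp` output and flags the things that silently break a TLS syslog session: a trustpoint certificate that is not self-signed (so it is not the root that rsyslogd's server cert chains to), a switch clock outside the certificate's validity window, a missing `sslserver` purpose, a CN that differs from the configured logging server name, and the absence of an ESTABLISHED session to the server on 6514 in the management VRF. The sample output embedded in it is constructed after the format shown in the post; the serial number, fingerprint and the function names are assumptions.

```python
"""Offline sanity checks for an NX-OS secure-syslog (TLS on TCP/6514) setup.

Added example, not code from the thread or from Cisco. Paste real
'show crypto ca certificates' / 'show sockets connection tcp' output in
place of the constructed samples below.
"""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the post's show output; serial and
# fingerprint are made up, not the poster's values.
SHOW_CRYPTO_SAMPLE = """\
Trustpoint: TP
CA certificate 0:
subject=C = DE, ST = HAM, L = HH, O = ORG, OU = OUOU, CN = rsyslog.lab.local
issuer=C = DE, ST = HAM, L = HH, O = ORG, OU = OUOU, CN = rsyslog.lab.local
serial=0A1B2C3D4E5F60718293A4B5C6D7E8F901234567
notBefore=Aug 30 19:21:29 2023 GMT
notAfter=Aug 29 19:21:29 2033 GMT
SHA1 Fingerprint=4E:3C:13:5A:77:F1:01:1C:12:FA:0E:08:55:51:64:19:89:5A:D2:7D
purposes: sslserver sslclient
"""

# Constructed sample modelled on the post's 'show sockets connection tcp'.
SHOW_SOCKETS_SAMPLE = """\
Total number of netstack tcp sockets: 5
Active connections (including servers)
Protocol State/ Recv-Q/ Local Address(port)/
Context Send-Q Remote Address(port)
[host]: tcp ESTABLISHED 0 10.1.2.3(59261)
management 0 192.168.1.22(6514)
"""

DATE_FMT = "%b %d %H:%M:%S %Y"  # OpenSSL-style 'Aug 30 19:21:29 2023'


def parse_dn(dn: str) -> dict:
    """'C = DE, ST = HAM, CN = host' -> {'C': 'DE', 'ST': 'HAM', 'CN': 'host'}."""
    out = {}
    for part in dn.split(","):
        key, _, value = part.partition("=")
        out[key.strip()] = value.strip()
    return out


def parse_show_crypto(text: str) -> dict:
    """Pull subject/issuer/validity/purposes out of 'show crypto ca certificates'."""
    cert = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Trustpoint:"):
            cert["trustpoint"] = line.split(":", 1)[1].strip()
        elif line.startswith("subject="):
            cert["subject"] = parse_dn(line[len("subject="):])
        elif line.startswith("issuer="):
            cert["issuer"] = parse_dn(line[len("issuer="):])
        elif line.startswith(("notBefore=", "notAfter=")):
            key, _, value = line.partition("=")
            value = " ".join(value.replace("GMT", "").split())  # tolerate padded days
            cert[key] = datetime.strptime(value, DATE_FMT).replace(tzinfo=timezone.utc)
        elif line.startswith("purposes:"):
            cert["purposes"] = set(line.split(":", 1)[1].split())
        elif line.startswith("SHA1 Fingerprint="):
            cert["sha1"] = line.split("=", 1)[1].strip()
    return cert


def check_trustpoint(cert: dict, server_name: str, now: datetime) -> list:
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    if cert["subject"] != cert["issuer"]:
        findings.append("trustpoint cert is not self-signed (issuer != subject): "
                        "make sure it is the CA that signed rsyslogd's server cert")
    if not cert["notBefore"] <= now <= cert["notAfter"]:
        findings.append("switch clock is outside the certificate validity window; check NTP")
    if "sslserver" not in cert.get("purposes", set()):
        findings.append("certificate lacks the sslserver purpose")
    # The working lab config names the server by the certificate CN; flag a mismatch.
    if cert["subject"].get("CN") != server_name:
        findings.append(f"CN {cert['subject'].get('CN')!r} != logging server name {server_name!r}")
    return findings


# Each socket is printed on two lines: '[host]: tcp STATE Recv-Q local(port)'
# followed by 'VRF Send-Q remote(port)'.
SOCK_HEAD = re.compile(r"^\[host\]:\s+tcp\s+(\S+)\s+\d+\s+(\S+?)\((\S+?)\)\s*$")
SOCK_TAIL = re.compile(r"^(\S+)\s+\d+\s+(\S+?)\((\S+?)\)\s*$")


def parse_show_sockets(text: str) -> list:
    """Pair up the two-line entries of 'show sockets connection tcp'."""
    entries, pending = [], None
    for line in text.splitlines():
        head = SOCK_HEAD.match(line.strip())
        if head:
            pending = {"state": head.group(1), "local": head.group(2), "lport": head.group(3)}
            continue
        tail = SOCK_TAIL.match(line.strip())
        if tail and pending is not None:
            pending.update({"vrf": tail.group(1), "remote": tail.group(2), "rport": tail.group(3)})
            entries.append(pending)
            pending = None
    return entries


def syslog_session_up(entries: list, server_ip: str, port: str = "6514",
                      vrf: str = "management") -> bool:
    """True when an ESTABLISHED session to server_ip:port exists in the given VRF."""
    return any(e["state"] == "ESTABLISHED" and e["remote"] == server_ip
               and e["rport"] == port and e["vrf"] == vrf for e in entries)


if __name__ == "__main__":
    cert = parse_show_crypto(SHOW_CRYPTO_SAMPLE)
    now = datetime.now(timezone.utc)
    for finding in check_trustpoint(cert, "rsyslog.lab.local", now) or ["trustpoint looks OK"]:
        print(finding)
    sockets = parse_show_sockets(SHOW_SOCKETS_SAMPLE)
    print("TLS syslog session established:", syslog_session_up(sockets, "192.168.1.22"))
```

An ESTABLISHED socket on 6514 only proves TCP reachability, as the earlier telnet test did; the certificate checks are what distinguish "TCP connects but no TLS handshake completes" from a plain network problem.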