Syslog over TLS
To receive syslog over TLS, a port must be enabled and certificates must be defined. The following configurations are already added to phoenix_config.txt
in Super/Worker and Collector nodes.
FortiSIEM 5.x:
listen_tls_port_list=6514
tls_certificate_file=/etc/pki/tls/certs/tls_self_signed.crt
tls_key_file=/etc/pki/tls/private/tls_self_signed.key
FortiSIEM 6.x:
listen_tls_port_list=6514
tls_certificate_file=/etc/pki/tls/certs/localhost.crt
tls_key_file=/etc/pki/tls/private/localhost.key
Note: The syslog over TLS client must be configured to communicate properly with FortiSIEM.
Common Reasons to use Syslog over TLS
-
You are trying to send syslog across an unprotected medium such as the public internet.
-
A SaaS product on the Public internet supports sending Syslog over TLS.
Common Integrations that require Syslog over TLS
-
SentinelOne Portal Syslog Integration
Prerequisites
-
If using Syslog over TLS over the public internet or with a public DNS, a public IP or port forwarding is required.
-
Add a whitelist to restrict all traffic only from the senders source IPs if possible. Certain SaaS products may publish an IP whitelist, while for others, it may not be possible.
How to Generate a Public SSL/TLS Certificate
Take the following steps:
-
Generate a SSL/TLS certificate using a public certificate. A public certificate can be signed by a public certificate authority (CA) such as DigiCert, or GoDaddy.
-
Run the following command on your collector to generate a CSR (Certificate Signing Request)
cd /tmp
openssl req -new -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/tls-collector1.key -out tls-collector1.csr
-
Take the following actions when prompted.
-
When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".
-
Enter your State or Province. For example, California would be "CA".
-
Enter your Locality. For example, a city would be "Sunnyvale".
-
Enter your desired org name. For example, "Fortinet".
-
Enter Unit Name, which is optional. For example, "IT".
-
Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".
-
Email Address. This can be left blank. Hit "enter" to continue.
-
If prompted for a challenge password, hit "enter" to leave blank and continue.
-
Hit enter again to confirm.
A Certificate Signing Request is created in/tmp/tls-collector1.csr
.
-
-
Using WinScp or another SCP utility, download this CSR file to your desktop.
-
Go to your preferred public CA, and upload this CSR when prompted to generate a new SSL certificate file.
When you have your new Certificate ZIP file, it will normally contain 2-3 files.
-
WinSCP zip file to
/tmp
of the Collector. -
Unzip the file if needed, by using the following command.
unzip <filename>.zip
The .crt file is your certificate, and is usually a concatenation of all chain certificates.
-
Rename the cert files if needed using similar commands here.
cd /tmp
mv 11111111.crt tls-collector1.crt
-
Copy the cert to the correct folder using the following command.
cp tls-collector1.crt /etc/pki/tls/certs/tls-collector1.crt
-
Set permissions using the following command.
chmod 644 /etc/pki/tls/certs/tls-collector1.crt
chmod 640 /etc/pki/tls/private/tls-collector1.key
chown root:admin /etc/pki/tls/private/tls-collector1.key
-
On the Collector, update the
/opt/phoenix/config/phoenix_config.txt
file to reference the new tls cert using the following command.vi /opt/phoenix/config/phoenix_config.txt
-
Locate the following lines in your
phoenix_config.txt
file.listen_tls_port_list=6514
tls_certificate_file=/etc/pki/tls/certs/localhost.crt
tls_key_file=/etc/pki/tls/private/localhost.key
and replace the cert and key file with the following:
listen_tls_port_list=6514
tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt
tls_key_file=/etc/pki/tls/private/tls-collector1.key
-
Save the file, and as root, restart phParser using the following command.
killall -9 phParser
How to Generate a Self Signed SSL/TLS Certificate
Take the following steps:
-
On the Collector, run the following commands as root.
cd /tmp
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt
-
Take the following actions when prompted.
-
When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".
-
Enter your State or Province. For example, California would be "CA".
-
Enter your Locality. For example, a city would be "Sunnyvale".
-
Enter your desired org name. For example, "Fortinet".
-
Enter Unit Name, which is optional. For example, "IT".
-
Enter Common Name. It must match the FQDN of collector. For example, "collector1.myorg.fortinet.com".
-
Email Address. This can be left blank. Hit "enter" to continue.
-
If prompted for a challenge password, hit "enter" to leave blank and continue.
-
Hit enter again to confirm.
-
-
Set the appropriate permissions for the private key and certificate generated, by running the following commands.
chmod 640 /etc/pki/tls/private/tls-collector1.key
chown root:admin /etc/pki/tls/private/tls-collector1.key
chmod 644 /etc/pki/tls/certs/tls-collector1.crt
-
On the collector, update the
/opt/phoenix/config/phoenix_config.txt
file to reference the new tls certificate by editing the file, running the following command.vi /opt/phoenix/config/phoenix_config.txt
-
Find the following lines in the file.
listen_tls_port_list=6514
tls_certificate_file=/etc/pki/tls/certs/localhost.crt
tls_key_file=/etc/pki/tls/private/localhost.key
and replace the cert and key file with the following:
listen_tls_port_list=6514
tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt
tls_key_file=/etc/pki/tls/private/tls-collector1.key
-
Save the file, and as root, restart phParser using the following command.
killall -9 phParser
-
Make a copy of the certificate file to
/tmp
, and using WinSCP or another SCP utility, download the Collector Certificate file. For example, you may run the following command.cp /etc/pki/tls/certs/tls-collector1.crt /tmp
-
Download
/tmp/tls-collector1.crt
to your desktop.Note: You only need the Certificate file and not the private key. The private key will never leave the collector.