External Systems Configuration Guide

Syslog over TLS

To receive syslog over TLS, a port must be enabled and certificates must be defined. The following configurations are already added to phoenix_config.txt in Super/Worker and Collector nodes.

FortiSIEM 5.x:

listen_tls_port_list=6514

tls_certificate_file=/etc/pki/tls/certs/tls_self_signed.crt

tls_key_file=/etc/pki/tls/private/tls_self_signed.key

FortiSIEM 6.x:

listen_tls_port_list=6514

tls_certificate_file=/etc/pki/tls/certs/localhost.crt

tls_key_file=/etc/pki/tls/private/localhost.key

Note: The syslog over TLS client must also be configured correctly to communicate with FortiSIEM.

Common Reasons to use Syslog over TLS

  • You are trying to send syslog across an unprotected medium such as the public internet.

  • A SaaS product on the Public internet supports sending Syslog over TLS.

Common Integrations that require Syslog over TLS

  • SentinelOne Portal Syslog Integration

  • Cortex XDR Syslog Integration

Prerequisites

  • If using Syslog over TLS across the public internet or with a public DNS name, a public IP or port forwarding is required.

  • If possible, add a whitelist so that only traffic from the senders' source IPs is accepted. Some SaaS products publish an IP whitelist; for others, this may not be possible.

How to Generate a Public SSL/TLS Certificate

Take the following steps:

  1. Generate an SSL/TLS certificate signed by a public certificate authority (CA), such as DigiCert or GoDaddy.

  2. Run the following commands on your collector to generate a CSR (Certificate Signing Request).

    cd /tmp

    openssl req -new -newkey rsa:4096 -nodes -keyout /etc/pki/tls/private/tls-collector1.key -out tls-collector1.csr

  3. Take the following actions when prompted.

    1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

    2. Enter your State or Province. For example, California would be "CA".

    3. Enter your Locality. For example, a city would be "Sunnyvale".

    4. Enter your desired org name. For example, "Fortinet".

    5. Enter Unit Name, which is optional. For example, "IT".

    6. Enter Common Name. It must match the FQDN of the collector. For example, "collector1.myorg.fortinet.com".

    7. Enter an Email Address, or leave it blank. Hit "enter" to continue.

    8. If prompted for a challenge password, hit "enter" to leave blank and continue.

    9. Hit enter again to confirm.
      A Certificate Signing Request is created in /tmp/tls-collector1.csr.

  4. Using WinSCP or another SCP utility, download this CSR file to your desktop.

  5. Go to your preferred public CA, and upload this CSR when prompted to generate a new SSL certificate file.

    When you have your new Certificate ZIP file, it will normally contain 2-3 files.

  6. Using WinSCP, upload the ZIP file to /tmp on the Collector.

  7. Unzip the file if needed using the following command.

    unzip <filename>.zip

    The .crt file is your certificate, and is usually a concatenation of all chain certificates.

  8. Rename the certificate file if needed, using commands similar to the following.

    cd /tmp

    mv 11111111.crt tls-collector1.crt

  9. Copy the cert to the correct folder using the following command.

    cp tls-collector1.crt /etc/pki/tls/certs/tls-collector1.crt

  10. Set permissions using the following commands.

    chmod 644 /etc/pki/tls/certs/tls-collector1.crt

    chmod 640 /etc/pki/tls/private/tls-collector1.key

    chown root:admin /etc/pki/tls/private/tls-collector1.key

  11. On the Collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new TLS certificate. Open it with the following command.

    vi /opt/phoenix/config/phoenix_config.txt

  12. Locate the following lines in your phoenix_config.txt file.

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/localhost.crt

    tls_key_file=/etc/pki/tls/private/localhost.key

    and replace the cert and key file with the following:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

    tls_key_file=/etc/pki/tls/private/tls-collector1.key

  13. Save the file, and as root, restart phParser using the following command.

    killall -9 phParser

How to Generate a Self Signed SSL/TLS Certificate

Take the following steps:

  1. On the Collector, run the following commands as root.

    cd /tmp

    openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -keyout /etc/pki/tls/private/tls-collector1.key -out /etc/pki/tls/certs/tls-collector1.crt

  2. Take the following actions when prompted.

    1. When Prompted for Country Name, enter your Country Abbreviation. For example, the United States is "US".

    2. Enter your State or Province. For example, California would be "CA".

    3. Enter your Locality. For example, a city would be "Sunnyvale".

    4. Enter your desired org name. For example, "Fortinet".

    5. Enter Unit Name, which is optional. For example, "IT".

    6. Enter Common Name. It must match the FQDN of the collector. For example, "collector1.myorg.fortinet.com".

    7. Enter an Email Address, or leave it blank. Hit "enter" to continue.

    8. If prompted for a challenge password, hit "enter" to leave blank and continue.

    9. Hit enter again to confirm.

  3. Set the appropriate permissions on the generated private key and certificate by running the following commands.

    chmod 640 /etc/pki/tls/private/tls-collector1.key

    chown root:admin /etc/pki/tls/private/tls-collector1.key

    chmod 644 /etc/pki/tls/certs/tls-collector1.crt

  4. On the Collector, update the /opt/phoenix/config/phoenix_config.txt file to reference the new TLS certificate. Open it with the following command.

    vi /opt/phoenix/config/phoenix_config.txt

  5. Find the following lines in the file.

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/localhost.crt

    tls_key_file=/etc/pki/tls/private/localhost.key

    and replace the cert and key file with the following:

    listen_tls_port_list=6514

    tls_certificate_file=/etc/pki/tls/certs/tls-collector1.crt

    tls_key_file=/etc/pki/tls/private/tls-collector1.key

  6. Save the file, and as root, restart phParser using the following command.

    killall -9 phParser

  7. Copy the certificate file to /tmp so that you can download it with WinSCP or another SCP utility. For example, run the following command.

    cp /etc/pki/tls/certs/tls-collector1.crt /tmp

  8. Download /tmp/tls-collector1.crt to your desktop.

    Note: You only need the Certificate file and not the private key. The private key will never leave the collector.
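The checks below are an added example, not part of Fortinet's documentation or tooling. They validate the certificate and key files produced by either procedure above (the CA-signed one after step 10, the self-signed one after step 3) before phParser is restarted, catching the usual mistakes: a key that does not belong to the certificate, a Common Name that does not match the collector FQDN, wrong file modes, or an expired certificate. It assumes GNU stat and an OpenSSL with -checkhost and -checkend (1.1.0 or later); the paths and FQDN are the ones used in the steps.

```shell
#!/bin/sh
# Pre-flight check for a FortiSIEM collector TLS certificate (added example,
# not Fortinet's own tooling). Assumes GNU stat and OpenSSL >= 1.1.0.
#
# Usage: check_tls_files /etc/pki/tls/certs/tls-collector1.crt \
#                        /etc/pki/tls/private/tls-collector1.key \
#                        collector1.myorg.fortinet.com
# Returns 0 when the pair is consistent and ready, 1 otherwise.
check_tls_files() {
    cert="$1"; key="$2"; fqdn="$3"; rc=0

    # 1. File modes must match the procedure: 644 for the cert, 640 for the key.
    [ "$(stat -c '%a' "$cert")" = "644" ] || { echo "FAIL: $cert should be mode 644"; rc=1; }
    [ "$(stat -c '%a' "$key")" = "640" ]  || { echo "FAIL: $key should be mode 640"; rc=1; }

    # 2. The public key inside the cert must equal the one derived from the private
    #    key; otherwise phParser is handed a key that does not belong to the cert.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: certificate and private key do not match"; rc=1; }

    # 3. The name in the cert (SAN, or CN as fallback) must match the collector FQDN,
    #    or a client that validates the cert will refuse the handshake.
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q "does match" \
        || { echo "FAIL: $fqdn does not match the certificate subject/SAN"; rc=1; }

    # 4. The certificate must still be valid (-checkend 0 exits 1 when already expired).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; rc=1; }

    # 5. Only the first PEM block (the leaf) is checked above; report how many are bundled.
    n=$(grep -c 'BEGIN CERTIFICATE' "$cert")
    echo "INFO: $cert contains $n certificate(s) (leaf first, then the CA chain if bundled)"

    [ "$rc" -eq 0 ] && echo "OK: $cert / $key are ready for phoenix_config.txt"
    return "$rc"
}
```

Run it as root before the killall -9 phParser step; a FAIL line tells you which step to redo.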
