Description
This article describes how to configure FortiGate to send encrypted syslog messages to a syslog server (rsyslog on Ubuntu Server 20.04).
Scope
FortiGate.
Solution
To send encrypted syslog, the FortiGate verifies the syslog server's certificate against the imported Certificate Authority (CA) certificate during the TLS handshake, so the CA that signed the server certificate must be present in the FortiGate certificate store before encrypted logging will work.
In this example, a self-signed CA and a server certificate signed by it are created with the XCA application:
The following steps describe how to create the CA certificate and the server certificate with XCA:
1) Create a CA certificate and export it as a PEM file (ca-syslog.pem).
2) Create a server certificate signed by that CA and export it as "PEM + Key" (syslog-cert.pem): a single PEM file containing the certificate followed by the unencrypted private key.
3) Create two empty files: syslog-servercert.pem and syslog-serverkey.key.
4) Open syslog-cert.pem in a text editor and copy the certificate block (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- inclusive) into syslog-servercert.pem (created in step 3).
5) From the same syslog-cert.pem, copy the private key block (from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- inclusive) into syslog-serverkey.key (created in step 3).
6) Move the three files (ca-syslog.pem, syslog-servercert.pem, and syslog-serverkey.key) to the syslog server and place them in the /home/syslog_cert/ directory. The key file is unencrypted, so restrict its permissions to the account rsyslog runs as; the CA's private key is not needed on the syslog server and should stay where the CA was created.
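The same three files can be produced on any machine with openssl instead of XCA. The script below is an added example and not part of the original article: the output directory, the CA and server subject names, the validity periods and the SAN list (DNS name plus the server IP) are assumed values, and it goes slightly beyond the XCA steps by adding a subjectAltName and serverAuth EKU to the server certificate. openssl writes the key with a "BEGIN PRIVATE KEY" (PKCS#8) header rather than the "BEGIN RSA PRIVATE KEY" header XCA exports; the rsyslog gtls driver (GnuTLS) accepts both.

```shell
#!/bin/sh
# Added example (not from the article): build ca-syslog.pem, syslog-servercert.pem
# and syslog-serverkey.key with openssl. OUTDIR, names and SAN are assumptions.
set -eu

# make_syslog_certs OUTDIR SERVER_CN SAN
#   SAN is an openssl subjectAltName list, e.g. "DNS:syslog.example.internal,IP:10.191.85.3"
make_syslog_certs() {
    outdir="$1"
    server_cn="$2"
    san="$3"
    mkdir -p "$outdir"

    # Step 1: self-signed CA. Only ca-syslog.pem is copied to rsyslog and imported on the
    # FortiGate; ca-syslog.key stays on the workstation that signs server certificates.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=syslog-ca" \
        -keyout "$outdir/ca-syslog.key" -out "$outdir/ca-syslog.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$outdir/ca.ext"
    openssl x509 -req -sha256 -days 3650 -in "$outdir/ca-syslog.csr" \
        -signkey "$outdir/ca-syslog.key" -extfile "$outdir/ca.ext" -out "$outdir/ca-syslog.pem"

    # Step 2: server key + CSR (key written unencrypted, as rsyslog expects), then sign
    # the CSR with the CA. SAN and serverAuth EKU make the certificate a proper TLS
    # server certificate for clients that check the server name.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$server_cn" \
        -keyout "$outdir/syslog-serverkey.key" -out "$outdir/syslog-server.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" \
        > "$outdir/server.ext"
    openssl x509 -req -sha256 -days 825 -in "$outdir/syslog-server.csr" \
        -CA "$outdir/ca-syslog.pem" -CAkey "$outdir/ca-syslog.key" -CAcreateserial \
        -extfile "$outdir/server.ext" -out "$outdir/syslog-servercert.pem"

    # Private keys readable by their owner only; drop the intermediate files.
    chmod 600 "$outdir/syslog-serverkey.key" "$outdir/ca-syslog.key"
    rm -f "$outdir/ca-syslog.csr" "$outdir/ca.ext" "$outdir/syslog-server.csr" "$outdir/server.ext"
}

# Chain check: the same validation the FortiGate performs against the imported CA.
verify_server_cert() {
    outdir="$1"
    openssl verify -CAfile "$outdir/ca-syslog.pem" "$outdir/syslog-servercert.pem" >/dev/null
}

# Confirm certificate and key belong together; a copy/paste mix-up between the two
# files (steps 4 and 5) is a common reason the rsyslog TLS listener fails to start.
cert_matches_key() {
    outdir="$1"
    cert_pub=$(openssl x509 -noout -pubkey -in "$outdir/syslog-servercert.pem")
    key_pub=$(openssl pkey -pubout -in "$outdir/syslog-serverkey.key")
    [ "$cert_pub" = "$key_pub" ]
}
```

Usage on the signing workstation: `make_syslog_certs /home/syslog_cert syslog.example.internal "DNS:syslog.example.internal,IP:10.191.85.3"` followed by `verify_server_cert /home/syslog_cert && cert_matches_key /home/syslog_cert`; then copy only ca-syslog.pem, syslog-servercert.pem and syslog-serverkey.key to the rsyslog host.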
With rsyslog installed and running on Ubuntu Server 20.04 (the gtls network stream driver used below is provided by the separate rsyslog-gnutls package, which must be installed as well), configure the /etc/rsyslog.conf file as follows:
Make the gtls driver the default and define the certificate files:

global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/home/syslog_cert/ca-syslog.pem"
    DefaultNetstreamDriverCertFile="/home/syslog_cert/syslog-servercert.pem"
    DefaultNetstreamDriverKeyFile="/home/syslog_cert/syslog-serverkey.key"
)

Load the TCP listener with TLS enforced. StreamDriver.Mode="1" means TLS only (no cleartext fallback); StreamDriver.Authmode="anon" encrypts the session but does not authenticate the FortiGate as a client, so any host that can reach the port can submit log lines. Restrict access at the host firewall, or switch to x509-based peer authentication if the FortiGate must be authenticated too:

module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1" StreamDriver.Authmode="anon")

Provide TCP syslog reception on port 6514, the registered port for syslog over TLS:

input(type="imtcp" port="6514")
Restart the rsyslog process and check the status of the service by running the following commands:

sudo systemctl restart rsyslog
sudo systemctl status rsyslog
Import the CA certificate into the FortiGate as a remote CA certificate (System -> Certificates -> Create/Import -> CA Certificate -> File, and upload the 'ca-syslog.pem' file).
Configure the syslog settings on the FortiGate, changing the server IP address/name to match your syslog server. Reliable mode selects syslog over TCP, which TLS requires, and enc-algorithm high enables TLS with high-strength cipher suites only:

config log syslogd setting
    set status enable
    set server "10.191.85.3"
    set mode reliable
    set port 6514
    set enc-algorithm high
end
A packet capture between the FortiGate and the syslog server (for example with tcpdump on the server, or the FortiGate's built-in sniffer, filtered on port 6514) shows the TLS handshake followed by encrypted application data instead of cleartext syslog:
If the imported CA does not match the one that signed the server certificate, or no CA certificate is installed in the FortiGate store, the handshake fails and the capture shows the TLS alert 'Fatal Error, Description: Unknown CA', sent by the FortiGate when it rejects the server certificate.
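Before pointing the FortiGate at the listener, and when chasing the "Unknown CA" failure above, the server side can be exercised with openssl, which performs the same chain validation against ca-syslog.pem that the FortiGate does during the handshake. The script below is an added example, not part of the original article; the hostname, port, CA path and the message contents are assumed values.

```shell
#!/bin/sh
# Added example (not from the article): test the rsyslog TLS listener the way the
# FortiGate will use it. Host, port and paths below are assumptions.
set -eu

CA_FILE="/home/syslog_cert/ca-syslog.pem"   # the CA the FortiGate imports

# Syntax-check /etc/rsyslog.conf (including the gtls driver and certificate paths)
# without restarting the service.
check_rsyslog_config() {
    rsyslogd -N1 -f /etc/rsyslog.conf
}

# Read openssl s_client output on stdin; succeed only when the server chain
# validated against the supplied CA. Any other verify code is the server-side
# view of the failure the FortiGate reports as "Unknown CA".
chain_verified() {
    grep -q 'Verify return code: 0 (ok)'
}

# Pull subject/issuer of the served certificate out of s_client output on stdin, to
# confirm the listener is serving syslog-servercert.pem and not some other certificate.
cert_identity() {
    grep -E '^(subject|issuer)=' | sed 's/^/    /'
}

# Open a TLS session to the listener with the CA pinned, as the FortiGate would.
# Returns 0 when the handshake completes and the chain verifies.
check_syslog_tls() {
    host="$1"; port="${2:-6514}"; cafile="${3:-$CA_FILE}"
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>&1 || true)
    printf '%s\n' "$out" | cert_identity
    printf '%s\n' "$out" | chain_verified
}

# Send one RFC 5424-style test message through the TLS listener; with the input()
# on 6514 working, it shows up in /var/log/syslog on the server. s_client sends the
# line and closes the session when stdin reaches EOF.
send_test_message() {
    host="$1"; port="${2:-6514}"; cafile="${3:-$CA_FILE}"
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '<134>1 %s fortigate-test syslogd - - - encrypted syslog smoke test\n' "$ts" |
        openssl s_client -connect "$host:$port" -CAfile "$cafile" >/dev/null 2>&1
}
```

Run `check_syslog_tls 10.191.85.3` from a host that is allowed to reach the listener; a non-zero result with "unable to get local issuer certificate" in the output means the CA in `CA_FILE` did not sign the served certificate, which is exactly the condition that produces the FortiGate's "Unknown CA" alert. Passing a deliberately wrong CA as the third argument reproduces the failure on demand.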
Copyright 2024 Fortinet, Inc. All Rights Reserved.