Skip to content

Commit

Permalink
feat(Syslog): add documentation to secure the data collection to the …
Browse files Browse the repository at this point in the history 
…syslog forwarder
  • Loading branch information
@squioc
squioc committed Jul 2, 2024
1 parent 2572ede commit 6bfed02
Showing 1 changed file with 196 additions and 0 deletions.
196 changes: 196 additions & 0 deletions docs/xdr/features/collect/ingestion_methods/syslog/secured_forwarded.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,196 @@
# How to secure data collection to the syslog forwarder

## Overview

Events are forwarded to Sekoia.io through a secured transport layer (with TLS) to `intake.sekoia.io:50514`.

For security reason, you may require to secure the collect of events between our equipments/sources and the syslog forwarder.

## Generate the certificates

### Install OpenSSL

According to your operating system, install `openssl` to generate the certificates.

On Debian-like distributions:
```
$ sudo apt install openssl
```

On Redhat-like distributions:
```
$ sudo dnf install openssl
```

On Mac OS X (with homebrew):
```
$ sudo brew install openssl
```

### Generate the Certificate Autority (CA)

Create a directory that will contain your certificates.
Open a terminal and type:

```
$ mkdir mycertificates && cd mycertificates
```

#### Generate the private key

In the terminal, create the private key of the CA.

```
$ certtool --generate-privkey --outfile ca-key.pem --sec-param High
Generating a 3072 bit RSA private key…
```

#### Generate the CA certificate

In the terminal, generate the certificate of the CA. Type the name of the authority, define the expiration time and set this certificate as an authority certificate.

```
# Generate the CA certificate
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: logconcentrator.domain.tld
[...]
The certificate will expire in (days): 3650
Extensions.
Does the certificate belong to an authority? (y/N): y
[...]
Will the certificate be used to sign other certificates? (y/N): y
[...]
Is the above information ok? (y/N): y
Signing certificate…
# Change the permission, on the certificate, to read-only
$ chmod 600 ca.pem
```

Copy this certificate on your equipments/sources, in the registry/directory for Certificate Authority

### Generate the certificate

To secure the incoming events to the syslog forwarder, generate a server certificate.


#### Generate the private key

In the terminal, create the private key.

```
# Generate the server key
$ certtool --generate-privkey --outfile server.pem --sec-param High
Generating a 3072 bit RSA private key…
# Change the permission, on the key, to read-only
$ chmod 600 server.pem
```

#### Generate the Certificate Signing Request (CSR)

In the terminal, generate the CSR:

```
$ certtool --generate-request --load-privkey server.pem --outfile server.csr
Generating a PKCS #10 certificate request...
Common name: logserveur.test.local
[...]
Enter a dnsName of the subject of the certificate: logconcentrator.domain.tld
[...]
Is this a TLS web client certificate? (y/N): y
Is this a TLS web server certificate? (y/N): y
```

#### Generate the certificate for the syslog forwarder

In the terminal, generate the certificate of the syslog forwarder. Define the certificate as a server certificate and type the domain name of the syslog forwarder.

```
# Generate the server certificate
$ certtool --generate-certificate --load-request server.csr --outfile server.crt --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
[...]
Activation/Expiration time.
The certificate will expire in (days): 365
Extensions.
Does the certificate belong to an authority? (y/N): n
Is this a TLS web client certificate? (y/N): n
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: logconcentrator.domain.tld
[...]
Is the above information ok? (y/N): y
Signing certificate…
# Change the permission, on the certificate, to read-only
$ chmod 600 server.crt
```

## Secure the collect of events with stunnel

### Install stunnel

According to your operating system, install `stunnel`.

On Debian-like distributions:
```
$ sudo apt install stunnel
```

On Redhat-like distributions:
```
$ sudo dnf install stunnel
```

### Move the certificates

```
# Create the directory for certificates
$ mkdir -p /etc/stunnel/certificates/
# Copy the certificates
$ cp ca.pem server.pem server.crt /etc/stunnel/certificates/
```

### Configure stunnel

Configure stunnel to accept secured connection and forward the events to the syslog forwarder:

```
# Create the configuration if not exist
$ sudo touch /etc/stunnel/default.conf
# Set the configuration
$ sudo vi /etc/stunnel/default.conf
; It is recommended to drop root privileges if stunnel is started by root
setuid = stunnel4
setgid = stunnel4
; PID file is created inside the chroot jail (if enabled)
pid = /var/run/stunnel4/stunnel.pid
output = /var/log/stunnel4/stunnel.log
[secured_source_tunnel]
client = no
accept = 6514
connect = <address of the syslog forwarder>:<port to forward to>
cert = /etc/stunnel/certificates/server.crt
key = /etc/stunnel/certificates/server.pem
CAfile = /etc/stunnel/certificates/ca.pem
```

### Start stunnel

In the terminal, start stunnel:

```
$ sudo stunnel /etc/stunnel/default.conf
```

0 comments on commit 6bfed02

Please sign in to comment.