Merge pull request #1863 from SEKOIA-IO/feat/StunnelDocumentation
Eset Protect: add instructions for ESET Protect Cloud
squioc authored Jul 2, 2024
2 parents a46a256 + 4aa44a7 commit 8c68444
Showing 3 changed files with 219 additions and 1 deletion.
@@ -0,0 +1,196 @@
# How to secure data collection to the syslog forwarder

## Overview

Events are forwarded to Sekoia.io through a secured transport layer (with TLS) to `intake.sekoia.io:50514`.

For security reason, you may require to secure the collect of events between our equipments/sources and the syslog forwarder.

## Generate the certificates

### Install OpenSSL

According to your operating system, install `openssl` to generate the certificates.

On Debian-like distributions:
```
$ sudo apt install openssl
```

On Redhat-like distributions:
```
$ sudo dnf install openssl
```

On Mac OS X (with homebrew):
```
$ sudo brew install openssl
```

### Generate the Certificate Autority (CA)

Create a directory that will contain your certificates.
Open a terminal and type:

```
$ mkdir mycertificates && cd mycertificates
```

#### Generate the private key

In the terminal, create the private key of the CA.

```
$ certtool --generate-privkey --outfile ca-key.pem --sec-param High
Generating a 3072 bit RSA private key…
```

#### Generate the CA certificate

In the terminal, generate the certificate of the CA. Type the name of the authority, define the expiration time and set this certificate as an authority certificate.

```
# Generate the CA certificate
$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca.pem
Generating a self signed certificate...
Please enter the details of the certificate's distinguished name. Just press enter to ignore a field.
Common name: logconcentrator.domain.tld
[...]
The certificate will expire in (days): 3650
Extensions.
Does the certificate belong to an authority? (y/N): y
[...]
Will the certificate be used to sign other certificates? (y/N): y
[...]
Is the above information ok? (y/N): y
Signing certificate…
# Change the permission, on the certificate, to read-only
$ chmod 600 ca.pem
```

Copy this certificate on your equipments/sources, in the registry/directory for Certificate Authority

### Generate the certificate

To secure the incoming events to the syslog forwarder, generate a server certificate.


#### Generate the private key

In the terminal, create the private key.

```
# Generate the server key
$ certtool --generate-privkey --outfile server.pem --sec-param High
Generating a 3072 bit RSA private key…
# Change the permission, on the key, to read-only
$ chmod 600 server.pem
```

#### Generate the Certificate Signing Request (CSR)

In the terminal, generate the CSR:

```
$ certtool --generate-request --load-privkey server.pem --outfile server.csr
Generating a PKCS #10 certificate request...
Common name: logserveur.test.local
[...]
Enter a dnsName of the subject of the certificate: logconcentrator.domain.tld
[...]
Is this a TLS web client certificate? (y/N): y
Is this a TLS web server certificate? (y/N): y
```

#### Generate the certificate for the syslog forwarder

In the terminal, generate the certificate of the syslog forwarder. Define the certificate as a server certificate and type the domain name of the syslog forwarder.

```
# Generate the server certificate
$ certtool --generate-certificate --load-request server.csr --outfile server.crt --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem
Generating a signed certificate...
[...]
Activation/Expiration time.
The certificate will expire in (days): 365
Extensions.
Does the certificate belong to an authority? (y/N): n
Is this a TLS web client certificate? (y/N): n
Is this a TLS web server certificate? (y/N): y
Enter a dnsName of the subject of the certificate: logconcentrator.domain.tld
[...]
Is the above information ok? (y/N): y
Signing certificate…
# Change the permission, on the certificate, to read-only
$ chmod 600 server.crt
```

## Secure the collect of events with stunnel

### Install stunnel

According to your operating system, install `stunnel`.

On Debian-like distributions:
```
$ sudo apt install stunnel
```

On Redhat-like distributions:
```
$ sudo dnf install stunnel
```

### Move the certificates

```
# Create the directory for certificates
$ mkdir -p /etc/stunnel/certificates/
# Copy the certificates
$ cp ca.pem server.pem server.crt /etc/stunnel/certificates/
```

### Configure stunnel

Configure stunnel to accept secured connection and forward the events to the syslog forwarder:

```
# Create the configuration if not exist
$ sudo touch /etc/stunnel/default.conf
# Set the configuration
$ sudo vi /etc/stunnel/default.conf
; It is recommended to drop root privileges if stunnel is started by root
setuid = stunnel4
setgid = stunnel4
; PID file is created inside the chroot jail (if enabled)
pid = /var/run/stunnel4/stunnel.pid
output = /var/log/stunnel4/stunnel.log
[secured_source_tunnel]
client = no
accept = 6514
connect = <address of the syslog forwarder>:<port to forward to>
cert = /etc/stunnel/certificates/server.crt
key = /etc/stunnel/certificates/server.pem
CAfile = /etc/stunnel/certificates/ca.pem
```

### Start stunnel

In the terminal, start stunnel:

```
$ sudo stunnel /etc/stunnel/default.conf
```
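Review bot: The "Install OpenSSL" section (the `sudo apt install openssl`, `sudo dnf install openssl` and `sudo brew install openssl` blocks) installs a tool the rest of this file never uses: every key, CA and certificate step below is run with `certtool`, which ships with GnuTLS, so a reader who follows the install step literally ends up with `certtool: command not found`. Either point the install commands at the GnuTLS package (`gnutls-bin` on Debian-like systems, `gnutls-utils` on RedHat-like systems) and rename the heading, or rewrite the generation steps with `openssl`. Homebrew also refuses to run under `sudo`, so the macOS line should drop it. Two further points in the same hunk: the CA private key `ca-key.pem` is the one secret worth protecting, yet `chmod 600` is only applied to the public certificates (`ca.pem`, `server.crt`) and to `server.pem`, and the comments describe 600 as "read-only" when it is owner read/write; add `chmod 600 ca-key.pem` and fix the wording. In the stunnel section, `CAfile = /etc/stunnel/certificates/ca.pem` on its own does not make stunnel check anything, since without a `verify` or `verifyChain` setting the server accepts any client; either add the verification level intended or drop `CAfile` and state that the tunnel authenticates the server side only, which is what the ESET Protect Cloud "Validate CA Root certificates" step in the other file relies on. Minor: the CSR's `Common name: logserveur.test.local` does not match the `dnsName` `logconcentrator.domain.tld` used everywhere else; `mkdir -p /etc/stunnel/certificates/` and the `cp` into it need `sudo` like the neighbouring commands; typos: "Autority", "For security reason, you may require to secure the collect of events".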
24 changes: 23 additions & 1 deletion docs/xdr/features/collect/integrations/endpoint/eset_protect.md
Expand Up @@ -41,7 +41,7 @@ Only events from the following log categories are being exported to Syslog serve

An internal syslog concentrator is required to collect and forward events to Sekoia.io.

### Enable syslog forwarding
### Enable syslog forwarding on ESET Protect On-Prem
To enable Syslog server in ESET Protect, follow the steps below:

1. In admin console go to `More` > `Settings`.
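Review bot: The heading is renamed to `### Enable syslog forwarding on ESET Protect On-Prem`, but the sentence directly under it still reads `To enable Syslog server in ESET Protect, follow the steps below:`, and the Cloud section added further down opens with the identical sentence; qualify this one as "ESET Protect On-Prem" so the two procedures are distinguishable when read out of context. Since the rename also changes the heading's generated anchor, it is worth checking whether any other page links to the old `#enable-syslog-forwarding` fragment.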
Expand All @@ -55,6 +55,28 @@ To enable Syslog server in ESET Protect, follow the steps below:

![Syslog configuration](/assets/instructions/eset_protect/enable_syslog_2.png)

### Enable syslog forwarding on ESET Protect Cloud

!!! warning
Important note - For ESET Protect Cloud, you will required a secured syslog forwarder. Please read our article [how to secure data collection to the syslog forwarder](../../ingestion_methods/syslog/secured_forwarded.md)


To enable Syslog server in ESET Protect, follow the steps below:

1. In admin console go to `More` > `Admin` > `Settings`.
2. Click `General` > `Syslog`
3. Check `Enable syslog sending`
4. Select `JSON` as the format of the payload
5. Select `Syslog` as the format of the envelope
6. Select `Information` as the minimal log level
7. Check all event types
8. Type the address of the log concentrator
9. Check `Validate CA Root certificates of TLS connections`
10. Copy the public certificate of the Certificate Authority in the textarea
11. Click `Apply settings`

![Advanced Settings](/assets/instructions/eset_protect/cloud_syslog.png)

### Create an intake

Go to the [intake page](https://app.sekoia.io/operations/intakes) and create a new intake from the format `ESET Protect`.
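Review bot: The warning admonition's link `../../ingestion_methods/syslog/secured_forwarded.md` cannot be verified from this commit as rendered, because the path of the new "How to secure data collection to the syslog forwarder" page is not shown in the first file header; confirm it matches the new file's actual location, otherwise the MkDocs build will report a broken link. The same line has a grammar error: "you will required a secured syslog forwarder" should read "you will need a secured syslog forwarder". Step 8, `8. Type the address of the log concentrator`, should say that the port to enter is the one stunnel listens on (`accept = 6514` in the new guide) rather than the plain syslog port, since ESET Protect Cloud speaks TLS to it, and step 10 should name the file to paste (`ca.pem` from the guide) so the server certificate is not pasted by mistake. Finally, `To enable Syslog server in ESET Protect, follow the steps below:` should say "ESET Protect Cloud" to match the heading.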
