Encrypted Syslog

Unanswered Question
Jan 27th, 2010

Hello,


Where can I find info/documentation regarding the "enable secure syslog using SSL/TLS" capability of the ASA? Are there any syslog servers out there that support this? I've been researching this for a while now...it appears there's not much documentation regarding this feature (or at least regarding its setup).


I'm aware that you can build IPSEC tunnels to encrypt plaintext syslog, but SSL/TLS encrypted syslog is a very attractive option.


Anyone doing this?

Panos Kampanakis Sun, 01/31/2010 - 08:35

You cannot encrypt syslogs. You have 2 options though:

- Send them over a tunnel like you are saying

- send them with snmp traps and use the community string to encrypt snmp


I hope it helps.


PK

rondcisco Wed, 02/03/2010 - 07:58

If this is true, why does the ASA have "Enable secure syslog using SSL/TLS" as an option?

rondcisco Wed, 02/03/2010 - 09:03

Not so much a doc as the ASDM interface I'm looking at right now... ASA version 8+ and ASDM 6.2. Configuration > Device Management > Logging > Syslog Server > Add > Choose TCP.... look for check box "Enable secure syslog using SSL/TLS"...

Panos Kampanakis Wed, 02/03/2010 - 10:52

I see.

That checkbox is greyed out when there is no VPN configured. If there is VPN then it will just match the syslog traffic in the crypto ACL.


I hope it makes sense.


PK

rondcisco Wed, 02/03/2010 - 11:11

That appears to be incorrect. You need to choose TCP syslog for the "enable secure syslog using SSL/TLS" option to become available. I just disabled IPSEC on all interfaces and verified the tunnels are no longer available, yet this option still exists. I'm fairly certain syslog with the SSL/TLS option and what IPSEC tunnels are present on the device are completely unrelated.

Panos Kampanakis Wed, 02/03/2010 - 11:33

It will not work.


I tested on my ASDM, without any VPN config it is grayed out.


Enable preview commands on ASDM and check that checkbox and see what command ASDM will push, that will tell you what that checkbox does and will clarify it for you.

Please do post a reply if I am mistaken.


Panos

rondcisco Wed, 02/03/2010 - 11:44

The command preview is: "logging host inside 1.2.3.4 6/1470 secure", and it will apply. Sitting on the syslog server, I get one message that appears to be the initial handshake for a TLS connection and then nothing. I just need the documentation on setting this up such as: where do you configure the TLS settings for syslog? It doesn't appear Cisco has ANY documentation regarding this from my two+ hours of searching...

Panos Kampanakis Wed, 02/03/2010 - 12:14

OK, it ends up that you are right, it has been added in 8.0.2 and later.


Explained here http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/l2.html#wp1772754


The secure keyword specifies that the connection to the remote logging host should use SSL/TLS. This option is valid only if the protocol selected is TCP.

Note: A secure logging connection can only be established with a SSL/TLS-capable syslog server. If a SSL/TLS connection cannot be established, all new connections will be denied. You may change this default behavior by entering the logging permit-hostdown command.


I believe it is clear now.


PK

rondcisco Wed, 02/03/2010 - 12:55

Do you know of any SSL/TLS capable log servers? Anyone know of any configuration examples for doing this?

rgerhards Thu, 02/04/2010 - 06:15

Hi,


I am Rainer Gerhards, author of rsyslog [1]. I guess Cisco has implemented RFC5424/5425. Rsyslog served as test bed during standard definition. It has a fairly decent implementation of TLS syslog, but I did not yet have any chance to do any interop testing. It may work out of the box, but (likely) it may also require some code changes.


If someone here has the necessary equipment, I would appreciate if you could give rsyslog a try. I will try my best to solve any issues as quickly as possible.


You can also contact me at [email protected] - I don't know if I will receive automatic notifications of any replies here (I just registered for this posting).


Thanks,

Rainer


[1] http://www.rsyslog.com
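As an added illustration (not code from this thread, from Cisco, or from rsyslog), here is the octet-counting framing that RFC 5425 uses for syslog over TLS, which Rainer mentions above, together with a check for the symptom rondcisco described: a plain-TCP syslog receiver that "gets one message and then nothing" is usually logging the TLS ClientHello record it cannot terminate. The sample syslog message and the TLS bytes are constructed for the example.

```python
import re

# RFC 5425 carries syslog over TLS with octet-counting framing: a decimal byte
# count, one space, then exactly that many bytes of syslog message.
_FRAME_HEADER = re.compile(rb"^(\d{1,5}) ")

def looks_like_tls_handshake(data: bytes) -> bool:
    """True if data starts with a TLS record of ContentType 22 (handshake).
    A plain-TCP syslog receiver that an ASA connects to with the 'secure'
    keyword sees exactly this: one odd 'message' (the ClientHello record),
    then nothing, because the handshake never completes."""
    return (len(data) >= 3
            and data[0] == 0x16      # handshake record type
            and data[1] == 0x03      # major version 3 (SSL 3.0 / TLS 1.x)
            and data[2] <= 0x04)     # minor version 0..4

def parse_octet_counted(buf: bytes):
    """Split buf into complete frames; return (messages, trailing partial frame).
    Raises ValueError when the stream is not octet-counted syslog at all."""
    messages = []
    while buf:
        m = _FRAME_HEADER.match(buf)
        if m is None:
            if re.fullmatch(rb"\d{1,5}", buf):  # length header still incomplete
                break
            raise ValueError("stream is not RFC 5425 octet-counted syslog")
        length, start = int(m.group(1)), m.end()
        if len(buf) < start + length:           # message body still incomplete
            break
        messages.append(buf[start:start + length])
        buf = buf[start + length:]
    return messages, buf

def classify_stream(data: bytes) -> str:
    """Explain what a TCP syslog listener received on its port."""
    if looks_like_tls_handshake(data):
        return "tls-handshake"   # sender expects a TLS-terminating receiver
    try:
        messages, _ = parse_octet_counted(data)
    except ValueError:
        return "unknown"
    return "rfc5425-frames" if messages else "incomplete"

# Constructed sample input (not captured from a real ASA or syslog server).
SAMPLE_MSG = b"<166>1 2010-02-03T12:00:00Z asa-fw - - - - constructed test message"
SAMPLE_FRAME = str(len(SAMPLE_MSG)).encode() + b" " + SAMPLE_MSG
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # start of a ClientHello record
```

If a receiver classifies the first bytes as "tls-handshake", the fix is on the receiving side: it must terminate TLS on that port (or the ASA must send plain TCP), not a change to the message parser.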
