Where can I find info/documentation regarding the "enable secure syslog using SSL/TLS" capability of the ASA? Are there any syslog servers out there that support this? I've been researching this for a while now...it appears there's not much documentation regarding this feature (or at least regarding its setup).
I'm aware that you can build IPSEC tunnels to encrypt plaintext syslog, but SSL/TLS encrypted syslog is a very attractive option.
Anyone doing this?
You cannot encrypt syslogs. You have 2 options though:
- Send them over a tunnel like you are saying
- Send them with snmp traps and use the community string to encrypt snmp
I hope it helps.
Not so much a doc as the ASDM interface I'm looking at right now... ASA version 8+ and ASDM 6.2. Configuration > Device Management > Logging > Syslog Server > Add > Choose TCP.... look for check box "Enable secure syslog using SSL/TLS"...
That checkbox is greyed out when there is no VPN configured. If there is VPN then it will just match the syslog traffic in the crypto ACL.
I hope it makes sense.
That appears to be incorrect. You need to choose TCP syslog for the "enable secure syslog using SSL/TLS" option to become available. I just disabled IPSEC on all interfaces and verified the tunnels are no longer available, yet this option still exists. I'm fairly certain syslog with the SSL/TLS option and what IPSEC tunnels are present on the device are completely unrelated.
It will not work.
I tested on my ASDM, without any VPN config it is grayed out.
Enable preview commands on ASDM and check that checkbox and see what command ASDM will push, that will tell you what that checkbox does and will clarify it for you.
Please do post a reply if I am mistaken.
The command preview is: "logging host inside 22.214.171.124 6/1470 secure", and it will apply. Sitting on the syslog server, I get one message that appears to be the initial handshake for a TLS connection and then nothing. I just need the documentation on setting this up such as: where do you configure the TLS settings for syslog? It doesn't appear Cisco has ANY documentation regarding this from my two+ hours of searching...
OK, it ends up that you are right, it has been added in 8.0.2 and later.
Note: A secure logging connection can only be established with an SSL/TLS-capable syslog server. If an SSL/TLS connection cannot be established, all new connections will be denied. You may change this default behavior by entering the logging permit-hostdown command.
I believe it is clear now.
I am Rainer Gerhards, author of rsyslog. I guess Cisco has implemented RFC5424/5425. Rsyslog served as test bed during standard definition. It has a fairly decent implementation of TLS syslog, but I did not yet have any chance to do any interop testing. It may work out of the box, but (likely) it may also require some code changes.
If someone here has the necessary equipment, I would appreciate if you could give rsyslog a try. I will try my best to solve any issues as quickly as possible.
You can also contact me at firstname.lastname@example.org - I don't know if I will receive automatic notifications of any replies here (I just registered for this posting).
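For anyone wanting to try the rsyslog interop test suggested above, here is a receiver-side configuration, added as an example (it is not from this thread or from rsyslog's own documentation). It uses rsyslog's legacy directive syntax with the gtls driver; the certificate paths, the ASA's source address and the choice of port 1470 (matching the "logging host inside ... 6/1470 secure" command quoted earlier) are assumptions.

```conf
# Added example: rsyslog as a TLS (RFC 5425 style) syslog receiver for an ASA
# configured with "logging host inside <server-ip> 6/1470 secure".
# Paths, the ASA address and the port are assumptions; 1470 matches the ASA
# command in this thread (the IANA-registered port for syslog over TLS is 6514).

# Load the TCP input and select the GnuTLS network stream driver
$ModLoad imtcp
$DefaultNetstreamDriver gtls

# Server certificate and the CA that issued it. The ASA has to trust this CA
# for the handshake to complete; per the ASA note quoted above, a failed TLS
# setup means the ASA simply sends nothing further, so check the CA chain first
# if you only ever see the initial handshake on the wire.
$DefaultNetstreamDriverCAFile   /etc/rsyslog.d/tls/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/syslog-server-cert.pem
$DefaultNetstreamDriverKeyFile  /etc/rsyslog.d/tls/syslog-server-key.pem

# Mode 1 = TLS only; plaintext TCP connections to this listener are refused
$InputTCPServerStreamDriverMode 1

# "anon" encrypts the channel without authenticating the client. Use it for
# the first interop test only, then require a client certificate so that
# anything able to reach the port cannot inject log lines:
#   $InputTCPServerStreamDriverAuthMode x509/name
#   $InputTCPServerStreamDriverPermittedPeer asa-firewall.example.net
$InputTCPServerStreamDriverAuthMode anon

# Listen on TCP/1470 for the TLS-wrapped syslog stream
$InputTCPServerRun 1470

# Keep the firewall's messages in their own file, keyed by sender address.
# 203.0.113.10 is an assumed ASA inside-interface address.
$template AsaLog,"/var/log/asa/%fromhost-ip%.log"
:fromhost-ip, isequal, "203.0.113.10" ?AsaLog
```

A quick check from the server side is to confirm the listener negotiates TLS before pointing the ASA at it, e.g. with an OpenSSL s_client connection to port 1470 from a host that trusts the same CA.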
Well I have the same problem. The syslog server I use is logstash. Problem is that I use SSL to send the logs from other hosts over the INET. I would need to upload my cert to ASA and tell ASA to use it when logs are sent to logstash.
Unfortunately there is no such option, or I cannot see it. ASA 5520 9.1(5)
Anybody found a solution?