Debian: RSyslog SSL Forwarding

If you have a central syslog environment that supports TLS/SSL (Splunk, vRealize Log Insight, RSyslog), it might be appropriate to encrypt your logging output to these destinations.

This post expects you to have already generated a dedicated OpenSSL key and a signed certificate for each of your clients. This section covers how to configure each client. Edit the configuration file defined for your syslog destination, in my example /etc/rsyslog.d/syslog-server.conf. This configuration applies to RSyslog > v8.x.

# --------------------------------------------------------
# rsyslog: centralized logging
# --------------------------------------------------------
# Managed by puppet.
#
$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName fwdRule1
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

# ===== TLS global defaults =====
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/Cyberfront-CA.pem
# If a client certificate is required, uncomment:
#$DefaultNetstreamDriverCertFile /etc/ssl/certs/client-cert.pem
#$DefaultNetstreamDriverKeyFile  /etc/ssl/private/client-key.pem

# ===== Forward ALL messages to Log Insight via TLS =====
*.* action(
    type="omfwd"
    protocol="tcp"
    target="loginsight.testlab.local"
    port="1514"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="loginsight.testlab.local"
)
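The settings that make the action above actually secure are StreamDriverMode="1" (TLS only, never plaintext), an x509 StreamDriverAuthMode with StreamDriverPermittedPeers matching the server's certificate name, and a configured CA file to chain against. The following is an added example, not part of the original post: a small POSIX shell audit that reads an rsyslog client config and reports any of those settings that are missing or weakened. The two config fragments it checks are constructed inline (one mirrors the hardened action from this post, the other is a deliberately weakened variant); the parameter names are rsyslog's own omfwd parameters, the check logic is mine.

```shell
#!/bin/sh
# Audit an rsyslog omfwd action() block for weak TLS forwarding settings.
# Added example; the sample configs below are constructed for the demo and
# nothing here contacts a syslog server, so it runs offline.

# Print the value of a key="value" parameter from an action() block.
# $1 = parameter name, $2 = config file. Only the first match is returned.
get_param() {
    sed -n "s/^[[:space:]]*$1=\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Check one config file. Prints one line per finding.
# Returns 0 when no weak setting was found, 1 otherwise.
audit_rsyslog_tls() {
    cfg="$1"
    findings=0

    proto=$(get_param protocol "$cfg")
    driver=$(get_param StreamDriver "$cfg")
    mode=$(get_param StreamDriverMode "$cfg")
    auth=$(get_param StreamDriverAuthMode "$cfg")
    peers=$(get_param StreamDriverPermittedPeers "$cfg")

    # TLS stream drivers only work over TCP.
    if [ "$proto" != "tcp" ]; then
        echo "$cfg: protocol=\"$proto\" (TLS requires tcp)"; findings=$((findings + 1))
    fi
    # gtls (GnuTLS) and ossl (OpenSSL) are rsyslog's TLS netstream drivers.
    if [ "$driver" != "gtls" ] && [ "$driver" != "ossl" ]; then
        echo "$cfg: StreamDriver=\"$driver\" is not a TLS driver"; findings=$((findings + 1))
    fi
    # Mode 0 is plaintext; only mode 1 enforces TLS.
    if [ "$mode" != "1" ]; then
        echo "$cfg: StreamDriverMode=\"$mode\" (1 = TLS only, 0 = plaintext)"; findings=$((findings + 1))
    fi
    # "anon" (or an unset mode) encrypts but never authenticates the server.
    case "$auth" in
        x509/name|x509/fingerprint|x509/certvalid) ;;
        *) echo "$cfg: StreamDriverAuthMode=\"$auth\" does not authenticate the server"
           findings=$((findings + 1)) ;;
    esac
    # x509/name needs an explicit list of accepted peer names.
    if [ "$auth" = "x509/name" ] && [ -z "$peers" ]; then
        echo "$cfg: x509/name set but StreamDriverPermittedPeers is empty"; findings=$((findings + 1))
    fi
    # Without a CA file certificate validation has nothing to chain to.
    if ! grep -q '^\$DefaultNetstreamDriverCAFile[[:space:]]' "$cfg"; then
        echo "$cfg: no \$DefaultNetstreamDriverCAFile configured"; findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# --- constructed sample configs -------------------------------------------
HARDENED_CFG=$(mktemp)
WEAK_CFG=$(mktemp)
trap 'rm -f "$HARDENED_CFG" "$WEAK_CFG"' EXIT

# Mirrors the action from the post: TLS enforced, server name pinned.
cat >"$HARDENED_CFG" <<'EOF'
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/Cyberfront-CA.pem
*.* action(
    type="omfwd"
    protocol="tcp"
    target="loginsight.testlab.local"
    port="1514"
    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="loginsight.testlab.local"
)
EOF

# Weakened variant: plaintext mode, anonymous peer, no CA file.
cat >"$WEAK_CFG" <<'EOF'
*.* action(
    type="omfwd"
    protocol="tcp"
    target="loginsight.testlab.local"
    port="514"
    StreamDriver="gtls"
    StreamDriverMode="0"
    StreamDriverAuthMode="anon"
)
EOF

for f in "$HARDENED_CFG" "$WEAK_CFG"; do
    if audit_rsyslog_tls "$f"; then
        echo "$f: OK"
    fi
done
```

Point audit_rsyslog_tls at your real /etc/rsyslog.d/syslog-server.conf after editing it, then run rsyslogd -N1 to have rsyslog itself parse the file before restarting the service; the audit catches the settings that would silently downgrade the channel, rsyslogd -N1 catches syntax errors.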