EDR: How to Configure Rsyslog Over TLS

Environment

  • EDR Server: All Supported Version

Objective

How to Configure Syslog to Use TLS

Resolution

  1. Install the rsyslog-gnutls package to support TLS over rsyslog
  2. Edit the /etc/rsyslog.d/cb-coreservices.conf file with the following information
    if $programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
    $WorkDirectory <spool dir> # location of spoolfiles on the disk
    $ActionQueueFileName cbremote # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    $ActionQueueType LinkedList # run asynchronously
    $ActionResumeRetryCount -1 # infinite retries if host is down

    # TLS config
    $DefaultNetstreamDriverCAFile <pem certificate file of the remote destination CA chain>
    $ActionSendStreamDriver gtls # use the GnuTLS network stream driver
    $ActionSendStreamDriverMode 1 # require TLS for this connection
    $ActionSendStreamDriverAuthMode anon # encrypt only; the receiver's certificate is not authenticated
    & @@<IP Address>:<Port>;CbSyslogStandardFormatWithPID # forward over TCP (@@) to the remote receiver
    & stop # do not process these messages any further
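The stanza above uses $ActionSendStreamDriverAuthMode anon, which encrypts the connection but does not check the receiver's certificate, so the CA file is loaded without being used to authenticate the peer. The script below is an added example, not part of the original article and not Carbon Black's own tooling: it writes the same forwarding stanza for a given receiver, either in the article's anon mode or with rsyslog's x509/name authentication mode plus $ActionSendStreamDriverPermittedPeer (so the receiver's certificate must chain to the CA file and carry the expected name), and then audits the result. The spool directory, CA path, receiver address 192.0.2.10, port 6514 and peer name syslog.example.net are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: writes the forwarding
# stanza from the Resolution section for a given receiver and audits it.
# PEER_NAME empty -> the article's "anon" mode (TLS, receiver not authenticated)
# PEER_NAME set   -> x509/name: receiver's certificate is checked against the
#                    CA file and its name must match PEER_NAME (assumed hardening)
# Hostnames, ports and paths used below are constructed placeholders.

# write_cb_tls_config OUTFILE SPOOL_DIR CA_FILE HOST PORT [PEER_NAME]
write_cb_tls_config() {
    outfile=$1 spooldir=$2 cafile=$3 host=$4 port=$5 peername=$6
    if [ -n "$peername" ]; then
        authlines="\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer $peername"
    else
        authlines="\$ActionSendStreamDriverAuthMode anon"
    fi
    cat > "$outfile" <<EOF
if \$programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
\$WorkDirectory $spooldir
\$ActionQueueFileName cbremote
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionQueueType LinkedList
\$ActionResumeRetryCount -1

# TLS config
\$DefaultNetstreamDriverCAFile $cafile
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 1
$authlines
& @@$host:$port;CbSyslogStandardFormatWithPID
& stop
EOF
}

# audit_tls_config FILE
# Returns 0 only if FILE forwards over TLS *and* authenticates the receiver;
# prints the first failing check and returns 1 otherwise.
audit_tls_config() {
    f=$1
    grep -q '^\$ActionSendStreamDriver gtls$' "$f" \
        || { echo "$f: not using the gtls driver"; return 1; }
    grep -q '^\$ActionSendStreamDriverMode 1$' "$f" \
        || { echo "$f: TLS not required (mode must be 1)"; return 1; }
    grep -q '^\$ActionSendStreamDriverAuthMode x509/' "$f" \
        || { echo "$f: receiver not authenticated (anon mode)"; return 1; }
    grep -q '^\$ActionSendStreamDriverPermittedPeer .' "$f" \
        || { echo "$f: no permitted peer configured"; return 1; }
    return 0
}

# Usage: generate the article's anon variant and the verifying variant,
# then audit both (placeholder values, written to a temporary directory).
tmp=$(mktemp -d)
write_cb_tls_config "$tmp/anon.conf" /var/spool/rsyslog /etc/rsyslog.d/ca-chain.pem 192.0.2.10 6514
write_cb_tls_config "$tmp/verified.conf" /var/spool/rsyslog /etc/rsyslog.d/ca-chain.pem 192.0.2.10 6514 syslog.example.net
audit_tls_config "$tmp/anon.conf" || echo "anon.conf rejected as expected"
audit_tls_config "$tmp/verified.conf" && echo "verified.conf passes"
```

On a real EDR server the generated stanza is merged into /etc/rsyslog.d/cb-coreservices.conf, which already defines the DynaFile and CbSyslogStandardFormatWithPID templates the first line refers to; running rsyslogd -N1 afterwards checks the full configuration before the service is restarted.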

Additional Notes

This is best-effort support; rsyslog is not product specific.

Article Information

Creation Date: 10-06-2021