SRX

Expand all | Collapse all

SRX Remote syslog tls

Jump to Best Answer
  • 1.  SRX Remote syslog tls

    Posted 10-15-2020 07:40

    Hello,

     

    Is it possible to send remote syslog messages with TLS encryption to a remote syslog server like rsyslog?

     

    Does anyone have any configuration examples for this, so far I have only been able to find example where the SRX is collecting the logs.


    #syslog
    #TLS
    #encrypted
    #remote
    #SRX


  • 2.  Re: SRX Remote syslog tls

    Posted 10-15-2020 08:00

    You can do TLS syslog if you change the SRX logging mode to stream logging instead of event mode. That way the syslog updates are sent directly from the flowd/PFE and not passing the routing-engine. This will not cover syslog from the RE itself (link up/down and similar)

     

    Example configuration. Change options as needed.

     

    Note: When you change to stream logging this will block you from saving syslog locally on the SRX300 series - on larger boxes  or vSRX you can still define a file destination instead of a external host.

    user@srx> show configuration services ssl initiation profile tls-syslog
    protocol-version tls12;
    actions {
        ignore-server-auth-failure;
        crl {
            disable;
        }
    }
    
    user@srx> show configuration security log
    mode stream;
    source-interface ge-0/0/0.0;
    transport {
        tcp-connections 1;
        protocol tls;
        tls-profile tls-syslog;
    }
    stream tls-syslog-stream {
        severity debug;
        format sd-syslog;
        category all;
        host {
            X.X.X.X;
            port 514;
        }
        rate-limit {
            300;
        }
    }
    

     

     



  • 3.  Re: SRX Remote syslog tls

    Posted 10-15-2020 09:02

    Hi Jonas,

     

    Thanks for the response. Just to clarify, because syslog updates will be sent from the forwarding plane, this will limit the type of syslog messages that are sent (i.e none that are controlled by the control plane)?

     

    In Summary to configure tls syslog I will lose certain messages being sent to the remote syslog server?

     



  • 4.  Re: SRX Remote syslog tls
    Best Answer

    Posted 10-16-2020 00:47

    You will not a such loose syslogs from the control-plane but they will be sent as ordinary non-encrypted messages seperately from the session with security oriented syslog.

     

    Yeah, not optimal and I don't know why Juniper hasn't added support for this on the control-plane long ago.



  • 5.  Re: SRX Remote syslog tls

    Posted 28 days ago

    Hi Jonas,

    From a certificate perspective, do i need to add:

    set security pki ca-profile tls-syslog ca-identity "Syslog TLS"
    set security pki ca-profile tls-syslog revocation-check disable
    set services ssl initiation profile tls-syslog trusted-ca tls-syslog

    and then something like

    request security pki ca-certificate tls-syslog load file /var/certs/syslog.cer

     

    Thanks.