Procedure
- Install NXLog and Sysmon using Poshim.
- Generate or purchase a certificate.
Note: A purchased certificate is not necessarily needed. - Add certificate details to the sensor’s Logger Module.
- Add certificate to NXLog.
- Modify nxlog.conf to use om_ssl and reference certificate.
- Restart the nxlog service.
Additional steps when using TLS syslog externally
If using syslog over TLS for communication across the internet use the steps above and continue on to the steps below. If TLS syslog is only to be used internally you can skip the steps below.
- Configure a DMZ.
- Build a sensor within the DMZ subnet.
- Block all inbound access to the DMZ sensor, only allow TCP/6514.
- For additional security configure all syslog “clients” with static IPs or leverage dynamic DNS and create firewall rules to only allow your known clients to access TCP/6514.
- Set up a DNS record for the sensor’s public IP or use a static IP.
Note: A DNS record will be needed if you’re using a purchased certificate - Using Poshim, setup your client’s NXLog and Sysmon utilities.
- Generate a self-signed certificate (or purchase a valid certificate).
- SSH into your sensor and run the following commands if you are using a self-signed certificate. Three files will be created: sensor.temp, sensor.key, and sensor.crt.
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout sensor.temp -out sensor.crt
openssl rsa -in sensor.temp -text > sensor.key
openssl rsa -in sensor.temp -text -traditional > sensor_rsa.key - Run the cat command for each file to see the files' contents:
cat sensor_rsa.key cat sensor.crt
- Copy and paste the contents into the sensor's Logger Module parameters window. (If you are using a purchased cert, paste the key and cert contents instead.)
- Open Notepad and paste the contents of sensor.crt and save it as
c:\program files\nxlog\cert\sensor.crt
. (If you purchased a certificate, copy that certificate to the same directory and name it sensor.crt.)
Note: If you are still using NXLog 2.11, save the certificate to the non-64bit program files path ofc:\program files (x86)\nxlog\cert\sensor.crt
. - Update your nxlog.conf file, replace all <Output> section’s modules using om_tcp with om_ssl.
- (Optional) Update the SIEM variable definition if needed, it is located near the top of the config and looks similar to the example shown below. This variable definition is used within the <Output> sections of the nxlog config:
define SIEM A.B.C.D
- Add the certificate CAFile property and value pair, update the port and restart the nxlog service.
Example <Output> section built by Poshim
<Output blu_out_internal> Module om_tcp Host %SIEM% Port %PORT% Exec to_syslog_bsd(); </Output>
Example <Output> section built by Poshim Modified for TLS Syslog
<Output blu_out_internal> Module om_ssl Host %SIEM% Port 6514 CAFile %CERTDIR%/sensor.crt AllowUntrusted False Exec to_syslog_bsd(); </Output>