-
Log in to the Linux machine where Splunk UF is installed.
-
Create a Certificate Authority (CA).
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/C=US/ST=TX/L=AU/O=Utimaco/OU=Security/CN=ESKM-CA"
-
Create a server certificate for syslog-ng.
openssl genrsa -out syslog.key 4096
openssl req -new -key syslog.key -out syslog.csr -subj "/C=US/ST=TX/L=AU/O=Utimaco/OU=Security/CN=<SYSLOG_SERVER_IP>"
Replace <SYSLOG_SERVER_IP> with the IP address that ESKM uses to reach syslog-ng, so that the certificate's CN matches the address ESKM connects to.
-
Sign the server certificate with the CA.
openssl x509 -req -in syslog.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out syslog.crt -days 3650 -sha256
-
Create a folder named certs in /etc/syslog-ng and copy the certificate and key files to it.
mkdir -p /etc/syslog-ng/certs
cp syslog.crt syslog.key ca.crt /etc/syslog-ng/certs/
chmod 600 /etc/syslog-ng/certs/*
6. Update eskm.conf in the /etc/syslog-ng/conf.d directory with the following configuration.
# TLS options
source s_eskm_tls {
# Listens on every local interface; narrow ip() to the address ESKM reaches if the host is multi-homed.
network(
ip("0.0.0.0")
port(6514)
transport("tls")
tls(
key-file("/etc/syslog-ng/certs/syslog.key")
cert-file("/etc/syslog-ng/certs/syslog.crt")
ca-file("/etc/syslog-ng/certs/ca.crt")
# optional-untrusted: a client certificate is requested but neither required nor validated,
# so any peer able to reach port 6514 can submit events. Switch to required-trusted once ESKM
# presents a certificate signed by ca.crt to limit the source to authenticated senders.
peer-verify(optional-untrusted)
)
);
};
destination d_eskm {
# Log file is created with mode 0640 (owner read/write, group read); missing parent directories are created.
file("/var/log/eskm/eskm.log" create_dirs(yes) perm(0640));
};
log {
# Route everything received on the TLS listener to the ESKM log file.
source(s_eskm_tls);
destination(d_eskm);
};
-
Create a client certificate bundle and copy it to the machine from which the user accesses the ESKM application (using WinSCP or any other means). Note that the command below bundles files named server.crt and server.key, whereas the earlier steps produced syslog.crt and syslog.key; use the names of the certificate and key you actually created, or generate and sign a separate client key and certificate in the same way as the server certificate. The resulting .p12 file contains a private key, so transfer it only over a protected channel.
openssl pkcs12 -export -in server.crt -inkey server.key -certfile ca.crt -out eskm-syslog-client.p12
-
Restart syslog-ng and confirm that it starts without errors.
systemctl restart syslog-ng
systemctl status syslog-ng