Ingesting TLS Logs
You can configure the sensor to ingest the following logs encrypted via TLS:
- rsyslog
- syslog-ng
- SentinelOne logs
To configure TLS log ingestion:
- Configure Stellar Cyber to ingest the logs.
- Configure the log sender to send the logs to the sensor.
Configuring TLS Log Ingestion in Stellar Cyber
To configure TLS log ingestion in Stellar Cyber:
-
Click System | Collection | Sensor Overview. The Sensor List is displayed.
-
Click for the data sensor you want to ingest TLS logs. The Edit Sensor Parameters window is displayed.
-
Enable Syslog TLS Enabled.
-
Click CA Certificate to download the public certificate for the log sender in case the client needs it.
-
Click Submit.
-
Open the appropriate TCP ports on your firewall, either 5140 for rsyslog or syslog-ng, or 5175 for SentinelOne.
-
Install the self-signed public certificate from the Stellar Cyber sensor on the log sender.
Some log senders (for example, ESET) include an option to Validate CA root certificates of TLS connections when you upload a certificate. Because the self-signed certificate from Stellar Cyber is not a true public certificate, you must disable any options that validate CA root certificates in order for TLS log ingestion using the self-signed certificate to work.
Configuring rsyslog to Send Logs to the Sensor
To configure rsyslog to send logs to the sensor:
- Install rsyslog.
- Install rsyslog-gnutls.
-
Edit the
/etc/rsyslog.conf
file to add the following configurations (use your sensor IP address for the target):global(DefaultNetstreamDriverCAFile="/etc/pki/tls/private/cacert.pem")
action(type="omfwd" target="1.1.1.1" protocol="tcp" port="5140" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")
- Restart the rsyslog service.
Use our example as a guideline, as you might be using a different software version.
The logs are now sent to the sensor and ingested.
Configuring syslog-ng to Send Logs to the Sensor
To configure syslog-ng to send logs to the sensor:- Install the syslog-ng client.
Edit the
/etc/syslog-ng/syslog-ng.conf
file to add the following configurations (use your sensor IP address for the network and syslog):destination demo_tls_destination { network("1.1.1.1" port(5140) transport("tls") tls( ca-dir("etc/syslog-ng/cacert.pem")) ); }; destination demo_tls_syslog_destination { syslog("1.1.1.1" port(5140) transport("tls") tls(ca-dir("/etc/syslog-ng/cacert.pem")) ); }; log { source(s_sys); destination(demo_tls_syslog_destination);}; log { source(s_sys); destination(demo_tls_destination);};
- Restart the syslog-ng service.
Use our example as a guideline, as you might be using a different software version.
The logs are now sent to the sensor and ingested.