Ingesting TLS Logs

If you have a log license for your sensor, you can configure the sensor to ingest the following logs encrypted via TLS:

  • rsyslog
  • syslog-ng
  • SentinelOne logs

To configure TLS log ingestion:

  1. Configure Stellar Cyber to ingest the logs.
  2. Configure the log sender to send the logs to the sensor.

Configuring TLS Log Ingestion in Stellar Cyber

To configure TLS log ingestion in Stellar Cyber:

  1. Click System | Collection | Sensor Overview. The Sensor List is displayed.

  2. Click the entry for the data sensor from which you want to ingest TLS logs. The Edit Sensor Parameters window is displayed.

  3. Enable Syslog TLS Enabled.

  4. Click CA Certificate to download the public certificate; the log sender uses it to validate the sensor's certificate if the client is configured to do so.

  5. Click Submit.

  6. Open the appropriate TCP ports on your firewall, either 5140 for rsyslog or syslog-ng, or 5175 for SentinelOne.

  7. Configure one of the log senders.

Configuring rsyslog to Send Logs to the Sensor

To configure rsyslog to send logs to the sensor:

  1. Install rsyslog.
  2. Install rsyslog-gnutls.
  3. Edit the /etc/rsyslog.conf file to add the following configuration (replace 1.1.1.1 in target with your sensor's IP address):

    # CA certificate that the gtls network stream driver uses to validate the sensor's certificate
    global(DefaultNetstreamDriverCAFile="/etc/pki/tls/private/cacert.pem")

    # Forward over TCP to the sensor's TLS port. StreamDriverMode="1" turns TLS on;
    # StreamDriverAuthMode="anon" accepts the sensor's certificate without validating it
    action(type="omfwd" target="1.1.1.1" protocol="tcp" port="5140" StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="anon")

  4. Restart the rsyslog service.

Treat this example as a guideline; directive names and syntax vary between rsyslog versions.

The logs are now sent to the sensor and ingested.

Configuring syslog-ng to Send Logs to the Sensor

To configure syslog-ng to send logs to the sensor:

  1. Install the syslog-ng client.
  2. Edit the /etc/syslog-ng/syslog-ng.conf file to add the following configuration (replace 1.1.1.1 in the network() and syslog() destinations with your sensor's IP address):

    # network() destination: newline-framed messages over TLS to the sensor
    destination demo_tls_destination {
      network("1.1.1.1" port(5140)
        transport("tls")
        # ca-file() takes the CA certificate file downloaded from the sensor;
        # ca-dir() would expect a directory of hash-named certificate files
        tls(ca-file("/etc/syslog-ng/cacert.pem"))
      );
    };
    # syslog() destination: RFC 5424 messages with octet-counting framing over TLS
    destination demo_tls_syslog_destination {
      syslog("1.1.1.1" port(5140)
        transport("tls")
        tls(ca-file("/etc/syslog-ng/cacert.pem"))
      );
    };
    # s_sys is the local source already defined in syslog-ng.conf
    log { source(s_sys); destination(demo_tls_syslog_destination); };
    log { source(s_sys); destination(demo_tls_destination); };
  3. Restart the syslog-ng service.

Treat this example as a guideline; option names and syntax vary between syslog-ng versions.

The logs are now sent to the sensor and ingested.
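Before switching the production rsyslog or syslog-ng senders over, it is worth confirming that the sensor's TLS listener on port 5140 presents a certificate that chains to the CA certificate downloaded in the Stellar Cyber steps above, and that a single framed message gets through. The following Python 3 test client is an added example, not code from Stellar Cyber's documentation or product; the sensor address, the CA file path, the message contents and the choice of framing (octet-counting as the syslog-ng syslog() driver sends, or newline as network() and rsyslog omfwd send) are assumptions to adjust for your deployment.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

FACILITY_USER = 1   # RFC 5424 facility "user-level messages"
SEVERITY_INFO = 6   # RFC 5424 severity "informational"


def build_syslog_message(hostname: str, app_name: str, msg: str,
                         timestamp: Optional[str] = None,
                         facility: int = FACILITY_USER,
                         severity: int = SEVERITY_INFO) -> str:
    """Minimal RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    pri = facility * 8 + severity
    # PROCID, MSGID and STRUCTURED-DATA are sent as NILVALUE ("-") here.
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {msg}"


def frame_message(message: str, octet_counted: bool = True) -> bytes:
    """Octet-counting framing (syslog-ng syslog() driver) or newline framing
    (syslog-ng network() and rsyslog omfwd defaults)."""
    payload = message.encode("utf-8")
    if octet_counted:
        return f"{len(payload)} ".encode("ascii") + payload
    if b"\n" in payload:
        raise ValueError("newline framing cannot carry an embedded newline")
    return payload + b"\n"


def send_test_message(host: str, port: int, ca_file: str, message: str,
                      octet_counted: bool = True, verify_hostname: bool = True,
                      timeout: float = 5.0) -> dict:
    """Open a TLS session to the sensor (assumed host/port), require a chain to
    ca_file (the CA downloaded from the sensor), send one framed message and
    return the peer certificate so the operator can inspect it."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trusts only ca_file
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    # The page addresses the sensor by IP; turn off name matching only if the
    # sensor certificate has no matching SAN. The chain check always stays on.
    ctx.check_hostname = verify_hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_message(message, octet_counted))
            return tls.getpeercert()
```

A handshake failure here with the same CA file that rsyslog's anon mode silently accepts is exactly the gap a validating configuration closes.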