Using TLS Tunnels

LogZilla Server Configuration

LogZilla Server SSL Key Creation

You will be prompted for a passphrase during this process, but it will only be used to create the keys. Once the keys are created, the passphrase will be removed. You will also be asked questions about the server's name, location, and contact information.

The server name must match the entry in your /etc/hostname file.

First, to generate a new key, issue the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

You will be prompted for the following identification information:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []

Once your keys are created, copy them to the syslog-ng directory:

cp tls.key tls.crt /etc/logzilla/syslog-ng

Note that the proper paths for the key and certificate files are:

Purpose       Path
Key           /etc/logzilla/syslog-ng/tls.key
Certificate   /etc/logzilla/syslog-ng/tls.crt

Configure syslog-ng

The port that LogZilla uses for incoming TLS connections by default is 6514. This can be configured as follows (in this example, to 12345):

logzilla config SYSLOG_TLS_PORT 12345

Next, TLS support should be enabled:

logzilla config SYSLOG_TLS_ENABLED 1

This will cause the LogZilla syslog server to be restarted automatically. You can check whether TLS support is operational using the openssl command, as illustrated below. Supply your LogZilla server address and TLS port, in the form host:port, as the argument to -connect.

In the example below, you first see the identification information you provided above (C, ST, L, O, etc.). Next, it should show the same certificate information as your certificate file (tls.crt). Finally, it should show the TLS cipher and key specifications in use:

$ openssl s_client -connect SERVER_ADDRESS:TLS_PORT < /dev/null
Can't use SSL_get_servername
depth=0 C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress =
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress =
verify return:1
Certificate chain
 0 s:C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress =
   i:C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress =
Server certificate
subject=C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress =

issuer=C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress =

No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
SSL handshake has read 1587 bytes and written 363 bytes
Verification error: self signed certificate
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)

However, if you see something similar to the following:

$ openssl s_client -connect SERVER_ADDRESS:TLS_PORT < /dev/null
140683817334080:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140683817334080:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:

there has been an error, in which case you should verify your steps from the start of this document and if necessary start over.
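
The key-creation and s_client checks above can be scripted so that a mismatch is reported instead of read off by eye. This is an added example, not LogZilla tooling: the function names, the 30-day expiry margin and the key-permission check are assumptions of the example, and only standard openssl options are used.

```shell
#!/bin/sh
# Added example; function names and thresholds are assumptions, not LogZilla's.

# SHA-256 fingerprint of a PEM certificate file (empty if unreadable).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# 0 if CERT ($1) and KEY ($2) hold the same public key.
pair_matches() (
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$c" ] && [ "$c" = "$k" ]
)

# 0 if KEY ($1) exists and gives group and other no permissions.
key_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 if CERT ($1) names HOST ($2) and stays valid for DAYS ($3) more days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match' &&
    openssl x509 -in "$1" -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

# 0 if the certificate served at HOST:PORT ($1) is exactly the one in CERT ($2).
served_cert_matches() (
    want=$(cert_fp "$2")
    got=$(openssl s_client -connect "$1" </dev/null 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
    [ -n "$want" ] && [ "$want" = "$got" ]
)

# Usage: sh check_tls.sh CERT KEY [HOST:PORT]
if [ "$#" -ge 2 ]; then
    name=$(cat /etc/hostname)
    pair_matches "$1" "$2"   || echo "FAIL: $2 is not the key for $1"
    key_is_private "$2"      || echo "FAIL: $2 is accessible to group/other"
    cert_valid_for "$1" "$name" 30 ||
        echo "FAIL: $1 does not name $name or expires within 30 days"
    [ -z "${3:-}" ] || served_cert_matches "$3" "$1" ||
        echo "FAIL: $3 is not serving the certificate in $1"
fi
```

Because the certificate is self-signed, s_client still reports verify code 18; the fingerprint comparison is what confirms the listener presents the certificate you installed.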

Add the key files to client systems

Connect to the syslog-sending system and issue:

mkdir -p /etc/syslog-ng/ssl

Download/upload the key and certificate files (by default in /etc/logzilla/syslog-ng/tls.key and /etc/logzilla/syslog-ng/tls.crt) that were created earlier on the LogZilla Server to the Client system and put the files in the /etc/syslog-ng/ssl directory on the Client. This can be accomplished using scp or similar.

Configure syslog-ng on the client

Replace LZ_SERVER below with the DNS Name or IP Address of your LogZilla Server. You may also need to replace s_src with your locally configured source name which is defined in the main /etc/syslog-ng/syslog-ng.conf file on your sending server.

Create a new file named /etc/syslog-ng/conf.d/tls_to_LogZilla.conf and add the following to it:

destination d_tls {

log {

Restart syslog-ng on the Client system by typing:

service syslog-ng restart

Check your LogZilla server to verify that events are now being received from this Client.

If you encounter any issues, refer to the Debugging Event Reception section of this guide.

Advanced server configuration

If you need more than a single source port with TLS transport, TLS can be added to any syslog source by editing the /etc/logzilla/syslog-ng/config.yaml file directly. In the sources array, add transport: tls to the source, followed by the tls_key_file and tls_cert_file options. For example, to enable TLS transport for JSON input, add this:

  - name: json-tls
    enabled: True
    type: network
    transport: tls
    port: 6515
    tls_cert_file: "/etc/logzilla/syslog-ng/tls.crt"
    # Key path as listed in the key and certificate table above.
    tls_key_file: "/etc/logzilla/syslog-ng/tls.key"
    flags:  # parent key is missing from the page; "flags" is assumed
      - no-parse
    program_override: _JSON

After any change to this configuration file, the LogZilla syslog module must be restarted with:

logzilla restart -c syslog