
Using TLS Tunnels

LogZilla Server Configuration

LogZilla Server SSL Key Creation

The command below uses -nodes, so the private key is written unencrypted and you will not be asked for a passphrase: syslog-ng has to open the key when it starts and cannot stop to ask for one. Because the key is stored in the clear, keep it readable only by root (or the account syslog-ng runs as) and never copy it off the server. You will be asked questions about the server's name, location, and contact information.

The Common Name (server name) you enter must match the name that clients will later put in server() in their syslog-ng configuration: the server's fully qualified DNS name (which should agree with /etc/hostname), or its IP address if clients connect by address. syslog-ng clients check the certificate name against the configured server(); if it does not match, the client logs a certificate error and refuses to send.

First, generate a new private key and a self-signed certificate valid for one year (-days 365) with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt

You will be prompted for the following identification information:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:server_IP_address
Email Address []:admin@your_domain.com

Once the key and certificate are created, copy them to the syslog-ng directory:

cp tls.key tls.crt /etc/logzilla/syslog-ng

Note that the proper paths for the key and certificate files are:

Purpose       Path
Key           /etc/logzilla/syslog-ng/tls.key
Certificate   /etc/logzilla/syslog-ng/tls.crt
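The same key creation as a non-interactive script. This is an added example and not part of LogZilla's own tooling: it uses -subj instead of the interactive prompts above, adds a subjectAltName (which modern TLS clients check before falling back to the Common Name) and sets the file permissions an unencrypted key needs. The output directory, the example name logzilla.example.com and the 365-day validity are assumptions; OpenSSL 1.1.1 or newer is assumed for -addext (older builds get a CN-only certificate).

```shell
#!/bin/sh
# Added example, not LogZilla's own tooling: create the syslog-ng TLS key pair
# non-interactively, give it a subjectAltName, and lock down the private key.
# Assumptions: OpenSSL 1.1.1 or newer for -addext (older builds fall back to a
# CN-only certificate) and the paths from the table above.

# make_tls_pair DIR NAME [DAYS]
#   NAME is exactly what clients will put in server(): an FQDN or an IPv4 address.
make_tls_pair() {
    dir=$1 name=$2 days=${3:-365}
    # IPv4 addresses need an IP: SAN, anything else a DNS: SAN
    case $name in
        *[!0-9.]*) san="DNS:$name" ;;
        *)         san="IP:$name" ;;
    esac
    if openssl req -help 2>&1 | grep -q -- '-addext'; then
        set -- -addext "subjectAltName=$san"
    else
        set --
    fi
    mkdir -p "$dir"
    # umask 077: the unencrypted key (-nodes) is never world-readable, even briefly
    ( umask 077 && openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
          -subj "/CN=$name" "$@" \
          -keyout "$dir/tls.key" -out "$dir/tls.crt" 2>/dev/null ) || return 1
    chmod 600 "$dir/tls.key"   # private key: owner only
    chmod 644 "$dir/tls.crt"   # certificate: public, this is what clients receive
}

# cert_cn CRT: print the Common Name, to compare with the server() value on clients
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *\([^,/]*\).*/\1/'
}

# key_matches_cert KEY CRT: succeed only if the public key in CRT belongs to KEY
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# key_mode FILE: the permission string, expected -rw------- for tls.key
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage: sh make_tls_pair.sh /etc/logzilla/syslog-ng logzilla.example.com [365]
if [ $# -ge 2 ]; then
    make_tls_pair "$1" "$2" "${3:-365}" || { echo "key generation failed" >&2; exit 1; }
    echo "CN:        $(cert_cn "$1/tls.crt")"
    echo "key mode:  $(key_mode "$1/tls.key")"
    openssl x509 -in "$1/tls.crt" -noout -enddate
    key_matches_cert "$1/tls.key" "$1/tls.crt" && echo "key matches certificate"
fi
```

Run it as root on the LogZilla server with the directory from the table and the name clients will use; cert_cn is the value to put in server() on every client, and key_mode should read -rw------- before you move on.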

Configure syslog-ng

The port that LogZilla uses for incoming TLS connections by default is 6514. This can be configured as follows (in this example, to 12345):

logzilla config SYSLOG_TLS_PORT 12345

Next, TLS support should be enabled:

logzilla config SYSLOG_TLS_ENABLED 1

This will cause the LogZilla syslog server to be restarted automatically. You can check whether TLS support is operational using the openssl command, as illustrated below. Replace 11.22.33.44:12345 with your LogZilla server address and TLS port.

In the example below you first see the identification information as you provided it above (C, ST, L, O, etc.). Next it should show the same certificate as your certificate file (tls.crt). Last, it should show the TLS protocol, cipher and key specifications in use. The verify error 18 (self signed certificate) is expected here: the certificate was not issued by a CA that openssl trusts. To confirm that it verifies with the certificate itself as the trust anchor, which is what the clients will do, add -CAfile tls.crt to the command; the output should then end with Verify return code: 0 (ok).

$ openssl s_client -connect 11.22.33.44:12345 < /dev/null 
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
verify return:1
---
Certificate chain
 0 s:C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
   i:C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org

issuer=C = US, ST = Some-State, L = My City, O = Internet Widgits Pty Ltd, CN = testserver, emailAddress = root@testserver.org

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1587 bytes and written 363 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self signed certificate)
---
DONE

However if you see something similar to the following:

$ openssl s_client -connect 192.168.10.12:1234 < /dev/null 
140683817334080:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140683817334080:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

then nothing is listening on that address and port. Check that SYSLOG_TLS_ENABLED is set to 1, that the port you are connecting to matches SYSLOG_TLS_PORT, and that no firewall is blocking it. If those settings are correct, verify your steps from the start of this document and if necessary start over.
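The s_client check above, with -CAfile added, as a short script that reports a verdict instead of a page of output. It is an added example and not LogZilla's own tooling; the host, port and path to tls.crt are whatever you configured above, and the exit codes are this script's own convention.

```shell
#!/bin/sh
# Added example, not LogZilla's own tooling: probe the LogZilla TLS port with
# openssl s_client and turn its output into a pass/fail verdict. Passing the
# server certificate as -CAfile is the check the bare s_client call above lacks:
# a correctly installed self-signed certificate then ends with
# "Verify return code: 0 (ok)" instead of error 18.
# Assumed inputs: the server address, SYSLOG_TLS_PORT and a copy of tls.crt.

# tls_check HOST PORT [CAFILE]
# exit status 0: TLS handshake done and certificate verified against CAFILE
#             2: nothing listening (connection refused): check SYSLOG_TLS_ENABLED
#                and SYSLOG_TLS_PORT, then firewalls
#             3: TLS handshake done but certificate not verified
#                (no CAFILE given, wrong CAFILE, or a self-signed certificate)
#             1: no TLS handshake at all (plain-text listener, timeout, typo)
tls_check() {
    host=$1 port=$2 cafile=${3:-}
    if [ -n "$cafile" ]; then set -- -CAfile "$cafile"; else set --; fi
    # GNU timeout, where available, stops a silently dropped connection from hanging
    t=""; command -v timeout >/dev/null 2>&1 && t="timeout 15"
    # stdin from /dev/null makes s_client exit as soon as the handshake is done
    out=$($t openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1) || true
    case $out in
        *"Connection refused"*|*"connect:errno"*)
            echo "$host:$port: connection refused, no TLS listener"
            return 2 ;;
        *"Verify return code: 0 "*)
            echo "$host:$port: TLS OK, $(printf '%s\n' "$out" | grep '^New, ' | head -1)"
            return 0 ;;
        *"Verify return code:"*)
            echo "$host:$port: TLS up but $(printf '%s\n' "$out" | grep 'Verify return code' | head -1)"
            return 3 ;;
        *)
            echo "$host:$port: no TLS handshake: $(printf '%s\n' "$out" | grep -i error | head -1)"
            return 1 ;;
    esac
}

# Usage: sh tls_check.sh 11.22.33.44 12345 /etc/logzilla/syslog-ng/tls.crt
if [ $# -ge 2 ]; then
    tls_check "$1" "$2" "${3:-}"
    exit $?
fi
```

Exit status 3 without a CAFILE is the normal result for the self-signed setup on this page; the same status with the CAFILE given means the certificate the server is presenting is not the tls.crt you copied, which is exactly the condition that will make clients refuse to send.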

Add the server certificate to client systems

Connect to the syslog-sending system and issue:

mkdir -p /etc/syslog-ng/ssl

Copy the certificate file (by default /etc/logzilla/syslog-ng/tls.crt) that was created earlier on the LogZilla Server to the Client system and put it in the /etc/syslog-ng/ssl directory on the Client. This can be accomplished using scp or similar. Copy only the certificate: the client configuration below uses it as the trust anchor (ca-file) to verify the server and does not need the private key. Leave /etc/logzilla/syslog-ng/tls.key on the server; a private key that has been copied to every sending host is no longer secret, and any compromised client could then impersonate the LogZilla server.

Configure syslog-ng on the client

Replace LZ_SERVER below with the DNS Name or IP Address of your LogZilla Server. You may also need to replace s_src with your locally configured source name which is defined in the main /etc/syslog-ng/syslog-ng.conf file on your sending server.

Create a new file named /etc/syslog-ng/conf.d/tls_to_LogZilla.conf and add the following to it:

destination d_tls {
    syslog-ng(
        server("LZ_SERVER")
        port(6514)
        transport(tls)
        tls(ca-file("/etc/syslog-ng/ssl/tls.crt"))
    );
};

log {
  source(s_src);
  destination(d_tls);
};

Check the configuration for syntax errors and restart syslog-ng on the Client system:

syslog-ng --syntax-only && service syslog-ng restart

Check your LogZilla server to verify that events are now being received from this Client. A quick way to produce a recognizable test event is to run logger -t tls_test "TLS test from $(hostname)" on the Client (assuming s_src includes the local system log) and then search for tls_test in LogZilla.

If you encounter any issues, refer to the Debugging Event Reception section of this guide.

Advanced server configuration

If you need more than a single source port with TLS transport, TLS can be added to any syslog source by directly editing the /etc/logzilla/syslog-ng/config.yaml file. Find the sources list and, for any source, add transport: tls together with the tls_key_file and tls_cert_file options (the same server key and certificate created above). For example, to enable TLS transport for JSON input, add this:

  - name: json-tls
    enabled: True
    type: network
    transport: tls
    port: 6515
    tls_cert_file: "/etc/logzilla/syslog-ng/tls.crt"
    tls_key_file: "/etc/logzilla/syslog-ng/tls.key"
    flags:
      - no-parse
    program_override: _JSON

After any change to this configuration file, the LogZilla syslog module must be restarted with:

logzilla restart -c syslog