Hi Team,

I have a syslog-ng server running on Solaris and receiving events from native Solaris syslog clients. How do I enable UDP traffic pass-through via TLS, and how do I configure a client certificate for the native Solaris syslog agent? We don't have rsyslog.
Hi,

see this tutorial https://www.balabit.com/documents/syslog-ng-ose-3.8-guides/en/syslog-ng-tuto... or the admin guide https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-o...

Note that your syslog-ng packages must have SSL support enabled.

HTH,
Robert

On Sat, Nov 19, 2016 at 12:49 PM, Sathish Sundaravel <sathish.sundaravel@gmail.com> wrote:
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Thank you

On Sun, 20 Nov 2016 at 1:12 AM, Fekete, Róbert <robert.fekete@balabit.com> wrote:
Hi Sathish,

you want to pass UDP traffic through TLS? That doesn't work out of the box. TLS implies TCP.

TLS encryption for UDP isn't possible. AFAIK syslog-ng does not support DTLS, but you'd need clients that support it on the other end as well anyway, and that's highly unlikely.

You can, however, set up a syslog-ng gateway near the UDP-only logging clients that forwards the messages sent over UDP via TCP/TLS. Whether that makes sense depends on your use case.

Best regards,

Peter.
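The gateway pattern Peter describes, written out as a syslog-ng OSE 3.8-style configuration. This is an added illustration, not a config from the thread or from the syslog-ng project; the hostnames, IP addresses, ports and file paths are assumptions to be replaced. The native Solaris syslogd cannot present a client certificate itself, so the certificate lives on the gateway, which is what the collector authenticates. The UDP leg between the native clients and the gateway remains cleartext, so the gateway should run on the same host as the clients or on a segment you already trust.

```conf
@version: 3.8

########################################################################
# (A) Gateway host, next to the UDP-only native Solaris syslog clients.
#     Assumed addresses and paths; adjust to your environment.
########################################################################

# 1. Accept the clients' plain UDP syslog. This leg is NOT encrypted:
#    bind only to an interface the native clients need to reach.
source s_udp_clients {
    network(ip("10.0.0.5") port(514) transport("udp"));
};

# 2. Forward everything to the central collector over TCP/TLS, presenting
#    the gateway's own certificate so the collector can authenticate it.
destination d_collector_tls {
    network("collector.example.com" port(6514)
        transport("tls")
        tls(
            # Directory of CA certificates (hashed with c_rehash / openssl rehash)
            # that issued the collector's server certificate.
            ca-dir("/etc/syslog-ng/ca.d")
            # The gateway's client certificate and private key (assumed paths).
            cert-file("/etc/syslog-ng/cert.d/gateway.crt")
            key-file("/etc/syslog-ng/key.d/gateway.key")
            # Refuse to send if the collector's certificate does not chain to ca-dir.
            peer-verify(required-trusted)
            # Disable legacy protocol versions (ssl-options() exists since 3.7).
            ssl-options(no-sslv2, no-sslv3, no-tlsv1)
        )
    );
};

log { source(s_udp_clients); destination(d_collector_tls); };

########################################################################
# (B) Central collector: TLS listener that REQUIRES a trusted client cert.
########################################################################

source s_tls_in {
    network(ip("0.0.0.0") port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/key.d/collector.key")
            cert-file("/etc/syslog-ng/cert.d/collector.crt")
            # CA that issued the gateways' client certificates.
            ca-dir("/etc/syslog-ng/ca.d")
            # required-trusted: a client certificate is mandatory and must
            # validate against ca-dir; connections without one are dropped.
            peer-verify(required-trusted)
        )
    );
};

destination d_remote_file { file("/var/log/remote/${HOST}.log"); };

log { source(s_tls_in); destination(d_remote_file); };
```

Two checks worth running before trusting this: `syslog-ng --syntax-only -f <config>` on each host, and from the gateway `openssl s_client -connect collector.example.com:6514 -CAfile <ca.pem> -cert gateway.crt -key gateway.key` to confirm the handshake completes with the client certificate; if the collector closes the connection immediately, the client certificate is not chaining to the CA directory, which also needs the hashed symlinks that `c_rehash` creates. As Robert notes above, both syslog-ng builds must have SSL support compiled in.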
Hi Peter,

Thanks for your prompt response. I have also come across that TLS works for TCP. I tried configuring with the syslog() function, but that does not help either.

Thanks for confirming it.

Regards,
Sathish

On Mon, 21 Nov 2016 at 9:36 PM, Peter Eckel <lists@eckel-edv.de> wrote:
Hi,

"Sathish Sundaravel" <sathish.sundaravel@gmail.com> wrote on 2016-11-22 at 00:58:

Thanks for confirming it

I suggest not treating that as a "confirmation". E.g., look at OpenVPN: it uses SSL/TLS, and by default it uses UDP transport.

Cheers,
Gyu
That's a completely different matter: OpenVPN has its own TCP-like substrate running on top of UDP, not TLS running on UDP.

On Nov 22, 2016 3:25 PM, "PÁSZTOR György" <pasztor@linux.gyakg.u-szeged.hu> wrote:
Hi,

"Scheidler, Balázs" <balazs.scheidler@balabit.com> wrote on 2016-11-22 at 17:38:

That's a completely different matter: OpenVPN has its own TCP-like substrate running on top of UDP, not TLS running on UDP.

Ah. So that is OpenVPN-specific? I didn't dig into the code. I thought OpenSSL had its own layer to establish a "connection" even over UDP.

So the conclusion is that syslog-ng cannot run TLS over UDP?

Cheers,
Gyu
Your conclusion is correct. It cannot.

On Nov 22, 2016 5:23 PM, "PÁSZTOR György" <pasztor@linux.gyakg.u-szeged.hu> wrote:
Hi,

Sorry to "reopen" an old thread, but theoretically syslog-ng would be able to use TLS with UDP connections. This is called DTLS and is defined in RFC 4347, and OpenSSL also supports it. (But it is right that syslog-ng currently does not support it.)

From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Scheidler, Balázs
Sent: Tuesday, November 22, 2016 8:22 PM
To: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] Enable TLS encryption

NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers If you cannot access these links, please notify us by reply message and we will send the contents to you. By communicating with Morgan Stanley you consent to the foregoing and to the voice recording of conversations with personnel of Morgan Stanley.
I know about DTLS; there's even an RFC on syslog over DTLS, but I have never actually used it, nor have I seen it in the wild.

On Jan 5, 2017 11:06 AM, "Szalai, Attila" <Attila.Szalai@morganstanley.com> wrote:
participants (6)
- Fekete, Róbert
- Peter Eckel
- PÁSZTOR György
- Sathish Sundaravel
- Scheidler, Balázs
- Szalai, Attila