Intro
You have to dig a little to find out about this somewhat obscure topic. You want to send syslog output, e.g., from the named daemon, to a syslog server with beefed-up security, one that requires TLS so the traffic is encrypted in transit. This is how I did that.
The details
This is what worked for me:
...
# DrJ fixes - log local0 to DrJ's dmz syslog server - DrJ 5/6/20
# use local0 for named's query log, but also log locally
# see https://www.linuxquestions.org/questions/linux-server-73/bind-queries-log-to-remote-syslog-server-4175669371/
# @@ means use TCP
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
local0.* @@(o)14.17.85.10:6514
#local0.* /var/lib/named/query.log
local1.* -/var/log/localmessages
#local0.*;local1.* -/var/log/localmessages
local2.*;local3.* -/var/log/localmessages
local4.*;local5.* -/var/log/localmessages
local6.*;local7.* -/var/log/localmessages
The above is the important part of my /etc/rsyslog.conf file. The SIEM server is running at IP address 14.17.85.10 on TCP port 6514, the IANA-registered port for syslog over TLS. It is using a certificate issued by GlobalSign, which is why the GlobalSign R3 root is named as the CA file; an openssl call confirms this (see references). The (o) after @@ selects octet-counted framing, where every record is sent as its byte length, a space, and then the record, so the receiver can cut the TCP stream into messages even when a message contains newlines. One caveat worth knowing: with $ActionSendStreamDriverAuthMode anon, rsyslog encrypts the session but does not validate the server's certificate at all, so the CA file plays no part and the forwarder will happily hand its logs to anything listening on that port. To authenticate the SIEM as well, change the auth mode to x509/name and add a $ActionSendStreamDriverPermittedPeer line with the name that appears in the server's certificate.
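To show what the forwarding side of that stanza actually puts on the wire, here is an added example of my own (not rsyslog's code and not from the original post): it builds an RFC 5424 record for local0, applies the octet-counted framing that @@(o) selects, includes the receiver-side deframer so the round trip can be checked offline, and sets up two TLS client contexts, one matching the anon auth mode in the config and one that verifies the chain against the CA file the way x509/name with a permitted peer would. The host, port and CA path are the values from the config above; the hostname ns1, the sample query-log line, and the name siem.example.com are assumptions made up for the example.

```python
"""Syslog over TLS with octet-counted framing, from the forwarding side.

Added example for this post, not rsyslog's code. It reproduces what the
rsyslog stanza does: frame each record as "LENGTH SP MESSAGE" (the (o) in
@@(o)host:port, RFC 6587 octet counting) and ship it over TLS. Host, port
and CA path are the values from the post; the log record, hostnames and the
receiver-side deframer are constructed here to show the framing round trip.
"""
import socket
import ssl
from datetime import datetime, timezone

SIEM_HOST = "14.17.85.10"            # collector from the post
SIEM_PORT = 6514                     # IANA port for syslog over TLS
CA_FILE = "/etc/ssl/certs/GlobalSign_Root_CA_-_R3.pem"

LOCAL0 = 16                          # syslog facility numbers, RFC 5424 6.2.1
INFO = 6


def pri(facility: int, severity: int) -> int:
    """PRI field: facility * 8 + severity (local0.info -> 134)."""
    return facility * 8 + severity


def rfc5424_message(facility, severity, hostname, app, msg, ts=None):
    """Minimal RFC 5424 record: no procid, msgid or structured data ('-')."""
    ts = ts or datetime.now(timezone.utc)
    return f"<{pri(facility, severity)}>1 {ts.isoformat()} {hostname} {app} - - - {msg}"


def frame_octet_counted(msg: str) -> bytes:
    """RFC 6587 octet counting: decimal byte length, a space, then the message.
    The length is the UTF-8 byte count, not the character count."""
    body = msg.encode("utf-8")
    return str(len(body)).encode("ascii") + b" " + body


def parse_octet_counted(buf: bytes):
    """Receiver side: pull complete frames out of a TCP byte stream.
    Returns (messages, leftover) so a partial frame survives to the next read."""
    msgs = []
    while True:
        sp = buf.find(b" ")
        if sp == -1:                 # length prefix not complete yet
            break
        head = buf[:sp]
        if not head.isdigit():
            raise ValueError(f"bad octet-count prefix: {head!r}")
        end = sp + 1 + int(head)
        if len(buf) < end:           # body not fully received yet
            break
        msgs.append(buf[sp + 1:end].decode("utf-8"))
        buf = buf[end:]
    return msgs, buf


def anon_context() -> ssl.SSLContext:
    """Equivalent of $ActionSendStreamDriverAuthMode anon: the session is
    encrypted, but the peer certificate is never checked, so any listener on
    port 6514 is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def authenticated_context(cafile: str = CA_FILE) -> ssl.SSLContext:
    """Equivalent of x509/name plus a permitted peer: the chain must lead to
    the configured CA and the presented name must match (CERT_REQUIRED and
    hostname checking are the defaults of create_default_context)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def send_records(records, ctx, host=SIEM_HOST, port=SIEM_PORT, server_name=None):
    """Open one TLS session and write all records octet-counted. When ctx
    verifies peers, server_name must be the name in the collector's
    certificate (the rsyslog PermittedPeer value), not necessarily the IP."""
    payload = b"".join(frame_octet_counted(r) for r in records)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            tls.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # Constructed sample: a named query-log line on local0.info from host ns1.
    rec = rfc5424_message(LOCAL0, INFO, "ns1", "named",
                          "client 10.0.0.5#53123: query: example.com IN A")
    print(frame_octet_counted(rec))
    # Uncomment to ship it; siem.example.com is an assumed certificate name.
    # send_records([rec], authenticated_context(), server_name="siem.example.com")
```

The deframer is the part to keep in mind when debugging a collector that shows truncated or merged records: with octet counting the receiver must buffer until the whole announced length has arrived, which is exactly what the leftover return value carries across reads. The anon context is there only to make the weakness of that setting concrete; in production, use the authenticating one.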
Other gotchas
I am running on a SLES 15 server. Although it had rsyslog installed, it did not support TLS initially: rsyslog failed with a dlopen error when it tried to load the gtls netstream driver. So I figured out I needed to install this package:
rsyslog-module-gtls
References and related
How to find the server's certificate using openssl. Very briefly, use the openssl s_client subcommand.
The rsyslog site itself probably has the complete documentation. Though I haven’t looked at it thoroughly, it seems very complete.
Want to know what syslog is? Howtonetwork has this very good writeup: https://www.howtonetwork.com/technical/security-technical/syslog-server/