Syslog via TLS Source

Overview

The Syslog via TLS Source is a feature of the Falcon LogScale Collector that enables secure collection of syslog messages over TLS-encrypted connections. This functionality allows you to receive syslog data from network devices, servers, applications, and other systems that support syslog over TLS (RFC 5425), providing encrypted transport and optional client authentication.

The Syslog via TLS Source listens on a specified network port for incoming TLS-encrypted syslog messages and automatically ingests them into LogScale. The collector supports various TLS versions, cipher suites, and client authentication methods to ensure secure communication.

How it works

The Syslog via TLS Source operates by opening a TLS-secured network socket and listening for incoming syslog messages. When messages are received over encrypted connections, the Collector forwards them to the configured LogScale sink.

TLS Security

The Collector provides:

  • Encrypted Transport: All Syslog messages are transmitted over TLS-encrypted connections

  • Client Authentication: Optional verification of client certificates using CA certificates or fingerprints

  • Configurable TLS Versions: Support for TLS 1.0, 1.1, 1.2, and 1.3

  • Cipher Suite Control: Ability to specify allowed cipher suites for enhanced security

Message formats

The Syslog via TLS Source automatically detects and parses common syslog formats:

  • RFC3164: Traditional BSD syslog format

  • RFC5424: Modern structured syslog format

  • RFC6587: TCP framing for syslog (octet counting and non-transparent framing)
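The framing and format detection described above, as an added example that is not Falcon LogScale Collector code: it splits a TCP/TLS byte stream into messages using both RFC 6587 framings (octet counting and LF-terminated non-transparent framing), then classifies each message as RFC 5424 or RFC 3164 from its header. The `strict` flag models what the Configuration Parameters table says about `strict: true` (frames that start with neither `<` nor an octet count are discarded and the connection closed); keeping such a line as a raw event in lenient mode, and the exact fields extracted, are this example's own assumptions.

```python
"""Added example, not Falcon LogScale Collector code: split a TCP/TLS byte stream
into syslog messages using both RFC 6587 framings, then detect whether each message
carries an RFC 5424 or RFC 3164 header and extract its fields. `strict` models the
behaviour the Configuration Parameters table gives for strict: true; keeping an
unframed line as a raw event in lenient mode is this example's own assumption."""
import re

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP [SD] [MSG]
RFC5424_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<rest>.*)", re.DOTALL)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<rest>.*)", re.DOTALL)
# RFC 6587 octet counting: MSG-LEN SP SYSLOG-MSG
OCTET_COUNT_RE = re.compile(rb"(\d+) ")


class StrictFramingError(ValueError):
    """strict: true -- a frame starting with neither '<' nor an octet count is
    discarded and the connection is closed."""


def frame_octet_counted(msg: bytes) -> bytes:
    """Wrap one message in RFC 6587 octet-counting framing."""
    return b"%d %s" % (len(msg), msg)


def split_frames(stream: bytes, strict: bool = False):
    """Return (frames, leftover); leftover is an incomplete trailing frame that
    the caller should prepend to the next chunk read from the socket."""
    frames, pos = [], 0
    while pos < len(stream):
        m = OCTET_COUNT_RE.match(stream, pos)
        if m:  # octet counting: read exactly MSG-LEN bytes after the space
            start, length = m.end(), int(m.group(1))
            if start + length > len(stream):
                break
            frames.append(stream[start:start + length])
            pos = start + length
            continue
        if stream[pos:pos + 1] != b"<" and strict:
            raise StrictFramingError(f"bad frame at offset {pos}: {stream[pos:pos + 16]!r}")
        end = stream.find(b"\n", pos)  # non-transparent framing: up to LF
        if end == -1:
            break
        frames.append(stream[pos:end].rstrip(b"\r"))
        pos = end + 1
    return frames, stream[pos:]


def parse_message(raw: bytes) -> dict:
    """Classify one message and pull out header fields; unknown formats are
    kept as raw events (assumption) so nothing is silently lost."""
    text = raw.decode("utf-8", errors="replace")
    event = {"@rawstring": text, "format": "raw"}
    for fmt, regex in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = regex.match(text)
        if m:
            pri = int(m.group("pri"))  # PRI = facility * 8 + severity
            event.update(m.groupdict(), format=fmt, pri=pri,
                         facility=pri >> 3, severity=pri & 7)
            break
    return event


def ingest(stream: bytes, strict: bool = False) -> list:
    frames, _leftover = split_frames(stream, strict=strict)
    return [parse_message(frame) for frame in frames]


def strict_rejects(stream: bytes) -> bool:
    """True if strict mode would drop the connection on this stream."""
    try:
        split_frames(stream, strict=True)
    except StrictFramingError:
        return True
    return False


# Constructed sample traffic: one octet-counted RFC 5424 message, one
# LF-terminated RFC 3164 message, one line with no valid frame start, and an
# incomplete trailing frame.
MSG5424 = (b"<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
           b"'su root' failed for lonvick on /dev/pts/8")
MSG3164 = b"<13>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
STREAM = (frame_octet_counted(MSG5424) + MSG3164 + b"\n"
          + b"garbage line\n" + b"<165>1 2024-01-01T00:00:00Z host app 1 - - partial")

if __name__ == "__main__":
    for event in ingest(STREAM):
        print(event["format"], event.get("hostname"), event["@rawstring"][:40])
    print("strict mode rejects stream:", strict_rejects(STREAM))
```

Run as-is it prints the three parsed events and shows that the same stream is rejected in strict mode because of the unframed line. The octet-count branch is tried first because a message that begins with a digit and a space is unambiguous, while a `<` can only start a non-transparent frame.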

Prerequisites

Before configuring the Syslog via TLS Source, ensure that you have:

  • TLS certificate and private key files in PEM format

  • Network connectivity between syslog senders and the collector

  • Appropriate firewall rules to allow inbound TLS Syslog traffic

  • Sufficient permissions to bind to the desired port

  • A configured sink (destination) for the collected events

Configuration

Prerequisites

First, define a sink that will receive the collected events:

yaml
sinks:
  logscale_sink:
    type: logscale
    url: "https://cloud.humio.com/"
    token: "${LOGSCALE_TOKEN}"

Example 1: Basic TLS Syslog

Collect Syslog messages over TLS with server certificate:

yaml
sources:
  syslog_tls_basic:
    type: syslog_tls
    certificateFile: cert.pem
    keyFile: privkey.pem
    port: 6514
    sink: logscale_sink

Example 2: TLS with Client Authentication (CA)

Collect Syslog with client certificate verification using a CA:

yaml
sources:
  syslog_tls_ca:
    type: syslog_tls
    certificateFile: cert.pem
    keyFile: privkey.pem
    port: 6514
    clientAuthentication:
      type: ca
      caFile: ca.pem
    sink: logscale_sink

Example 3: TLS with Client Authentication (Fingerprint)

Verify clients using certificate fingerprints:

yaml
sources:
  syslog_tls_fingerprint:
    type: syslog_tls
    certificateFile: cert.pem
    keyFile: privkey.pem
    port: 6514
    clientAuthentication:
      type: fingerprint
      fingerprints:
        - "sha256:89:83:8E:56:61:EC:D4:BF:ED:DA:88:2B:A4:8A:27:25:EF:B5:39:F9:5E:59:2D:CA"
        - "sha1:bf:88:e7:9e:58:04:d6:85:e6:06:2e:e0:de:d1:3c:44:cd:33:b6:ba"
    sink: logscale_sink

Example 4: TLS with Custom Configuration

Configure TLS with specific versions and strict parsing:

yaml
sources:
  syslog_tls_custom:
    type: syslog_tls
    certificateFile: cert.pem
    keyFile: privkey.pem
    port: 6514
    bind: "0.0.0.0"
    maxEventSize: 1048576
    strict: true
    tls:
      minVersion: 1_2
      maxVersion: 1_3
    sink: logscale_sink

Example 5: Complete Configuration

yaml
sinks:
  logscale_sink:
    type: logscale
    url: "https://cloud.humio.com/"
    token: "${LOGSCALE_TOKEN}"

sources:
  syslog_tls:
    type: syslog_tls
    
    # Required: Server certificate and key
    certificateFile: cert.pem
    keyFile: privkey.pem
    
    # Network configuration
    port: 6514
    bind: "0.0.0.0"
    
    # Message handling
    maxEventSize: 1048576
    receiveBufferSize: 16777216
    strict: false
    
    # Client authentication
    clientAuthentication:
      type: ca
      caFile: ca.pem
    
    # TLS configuration
    tls:
      minVersion: 1_2
      maxVersion: 1_3
    
    # Parser and transforms
    parser: "syslog_rfc5424"
    transforms:
      - type: static_fields
        fields:
          source_type: "syslog_tls"
          environment: "${ENV}"
    
    sink: logscale_sink

Client Authentication

The Syslog via TLS Source supports three client authentication modes:

None (No Client Authentication)

Accept connections without verifying client certificates:

yaml
clientAuthentication:
  type: none

This is the default if the clientAuthentication section is omitted.

CA-Based Authentication

Verify client certificates against a Certificate Authority:

yaml
clientAuthentication:
  type: ca
  caFile: ca.pem

Fingerprint-Based Authentication

Verify clients using specific certificate fingerprints:

yaml
clientAuthentication:
  type: fingerprint
  fingerprints:
    - "sha256:89:83:8E:56:61:EC:D4:BF:ED:DA:88:2B:A4:8A:27:25:EF:B5:39:F9:5E:59:2D:CA"
    - "sha1:bf:88:e7:9e:58:04:d6:85:e6:06:2e:e0:de:d1:3c:44:cd:33:b6:ba"

Generating Certificate Fingerprints:

You can generate certificate fingerprints using OpenSSL:

shell
# SHA-256 fingerprint (recommended)
openssl x509 -sha256 -noout -fingerprint -in cert.pem

# SHA-1 fingerprint
openssl x509 -sha1 -noout -fingerprint -in cert.pem

Example output:

text
SHA256 Fingerprint=89:83:8E:56:61:EC:D4:BF:ED:DA:88:2B:A4:8A:27:25:EF:B5:39:F9:5E:59:2D:CA

Use the fingerprint value with the algorithm prefix (e.g., sha256:) in your configuration.

Note

When using client authentication, unauthorized connections will be closed.
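The fingerprint mechanism above, as an added example that is not Collector code: a certificate fingerprint is a hash over the DER encoding of the certificate (which is what `openssl x509 -fingerprint` prints), so the functions below compute it from a PEM or DER certificate, render it in the `sha256:AA:BB:...` form the `fingerprints` list expects, convert an openssl output line into that form, and check a presented client certificate against the configured list. The placeholder certificate bytes are constructed for the example; with a real `cert.pem` you would pass the file contents to `fingerprint_pem`.

```python
"""Added example, not Collector code: compute certificate fingerprints the way
`openssl x509 -fingerprint` does (a hash over the DER encoding), render them in
the sha256:AA:BB:... form of the fingerprints list, and check a presented client
certificate against the configured allowlist."""
import hashlib
import hmac
import ssl

ALGORITHMS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1}


def fingerprint_der(der: bytes, algorithm: str = "sha256") -> str:
    """Return 'alg:AA:BB:...' (uppercase hex pairs, colon separated)."""
    algorithm = algorithm.lower()
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported fingerprint algorithm {algorithm!r}")
    hexdigest = ALGORITHMS[algorithm](der).hexdigest().upper()
    return algorithm + ":" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def fingerprint_pem(pem: str, algorithm: str = "sha256") -> str:
    # PEM is the base64 of the DER between the BEGIN/END lines; the
    # fingerprint is always taken over the DER bytes.
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(pem), algorithm)


def openssl_output_to_config(line: str) -> str:
    """'SHA256 Fingerprint=89:83:...' (openssl output) -> 'sha256:89:83:...'."""
    label, sep, value = line.strip().partition("=")
    parts = label.split()
    algorithm = parts[0].lower() if parts else ""
    if not sep or not value.strip() or algorithm not in ALGORITHMS:
        raise ValueError(f"unrecognised openssl fingerprint line: {line!r}")
    return f"{algorithm}:{value.strip().upper()}"


def parse_config_entry(entry: str) -> tuple:
    """Validate one fingerprints list entry and return (algorithm, HEXDIGEST).
    An entry whose length does not match the digest can never match a
    certificate, so it is rejected at config load rather than silently ignored."""
    algorithm, sep, hexpart = entry.partition(":")
    algorithm = algorithm.lower()
    if not sep or algorithm not in ALGORITHMS:
        raise ValueError(f"entry must start with sha256: or sha1: -- {entry!r}")
    hexpart = hexpart.replace(":", "").upper()
    expected = ALGORITHMS[algorithm]().digest_size * 2
    if len(hexpart) != expected or any(c not in "0123456789ABCDEF" for c in hexpart):
        raise ValueError(f"{algorithm} fingerprint must be {expected} hex digits: {entry!r}")
    return algorithm, hexpart


def config_entry_is_valid(entry: str) -> bool:
    try:
        parse_config_entry(entry)
        return True
    except ValueError:
        return False


def is_client_allowed(client_der: bytes, configured: list) -> bool:
    """True if the presented certificate matches any configured fingerprint,
    using the algorithm named by each entry's prefix."""
    for entry in configured:
        algorithm, expected_hex = parse_config_entry(entry)
        actual_hex = fingerprint_der(client_der, algorithm).split(":", 1)[1].replace(":", "")
        if hmac.compare_digest(actual_hex, expected_hex):
            return True
    return False


# Constructed placeholder "certificate": the fingerprint is a hash of the DER
# bytes, so any byte string exercises the logic. Not a real X.509 structure.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
FAKE_PEM = ssl.DER_cert_to_PEM_cert(FAKE_DER)

if __name__ == "__main__":
    print(fingerprint_pem(FAKE_PEM))
    print(fingerprint_pem(FAKE_PEM, "sha1"))
    print(openssl_output_to_config("SHA256 Fingerprint=AB:CD:EF"))
```

Matching is case-insensitive on the hex digits, which is why the page's example list can mix an uppercase SHA-256 entry with a lowercase SHA-1 entry, and each entry is compared with the digest algorithm its own prefix names.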

TLS Configuration

TLS Versions

Configure minimum and maximum TLS versions:

yaml
tls:
  minVersion: 1_2  # Valid values: 1_0, 1_1, 1_2, 1_3
  maxVersion: 1_3  # Valid values: 1_0, 1_1, 1_2, 1_3

Default: Minimum TLS 1.2, Maximum TLS 1.3

Cipher Suites

Optionally specify allowed cipher suites:

yaml
tls:
  ciphers:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

See the Supported Cipher Suites section for a complete list.

Event Structure

Each syslog message is transformed into a LogScale event. The structure depends on the Syslog format (RFC3164 or RFC5424).

Common Fields

All Syslog events typically include:

  • @rawstring: The complete Syslog message

  • @timestamp: Event timestamp

Generating Certificates

Self-Signed Certificate

You can generate a self-signed certificate using OpenSSL:

shell
openssl ecparam -name prime256v1 -genkey -out privkey.pem
openssl req -new -x509 -key privkey.pem -out cert.pem

Certificate Requirements

  • Certificate and key must be in PEM format

  • Private key should be unencrypted

Best Practices

Security

  • Use TLS 1.2 or higher (disable TLS 1.0 and 1.1)

  • Implement client authentication for production environments

  • Use strong cipher suites and disable weak ciphers

  • Regularly rotate certificates before expiration

  • Protect private key files with appropriate file permissions

Performance Optimization

  • Adjust maxEventSize based on expected message sizes

  • Configure receiveBufferSize appropriately (defaults to 16x maxEventSize)

  • Monitor Collector resource usage under load

  • Use disk queues to handle bursts and ensure data persistence

Certificate Management

  • Monitor certificate expiration dates

  • Maintain a certificate renewal process

  • Keep CA certificates up to date

  • Document fingerprints for fingerprint-based authentication

Message Handling

  • Enable strict mode for production to ensure message integrity

  • Set appropriate maxEventSize to prevent truncation

  • Monitor for parsing errors in Collector logs

Monitoring and Troubleshooting

Monitoring Collector Status

Monitor your Syslog via TLS Source using the following approaches:

  • Check Collector logs for TLS connection status and handshake errors

  • Monitor message ingestion rates and volumes

  • Track certificate expiration dates

  • Set up alerts for authentication failures or connection errors

  • Monitor TLS handshake failures

Common Issues and Solutions

Issue: TLS Handshake Failures
Symptom: Clients cannot establish TLS connections
Potential causes and solutions:

  • Check TLS version compatibility between client and server

  • Review cipher suite compatibility

  • Ensure certificate is not expired

  • Check for hostname/IP mismatch in certificate

Issue: Client Authentication Failures
Symptom: Authorized clients are rejected
Potential causes and solutions:

  • Verify CA certificate is correct and up to date

  • Check client certificate is signed by the configured CA

  • Verify fingerprints match client certificates exactly

  • Ensure client certificates are not expired

  • Review client certificate chain completeness

Issue: Certificate Errors
Symptom: Collector fails to start or accept connections
Potential causes and solutions:

  • Verify certificate and key files exist and are readable

  • Check PEM format is correct

  • Ensure private key matches the certificate

  • Verify file permissions allow the collector to read the files

  • Check for certificate chain issues

Issue: No Messages Received
Symptom: Collector runs but no syslog messages appear
Potential causes and solutions:

  • Verify firewall rules allow traffic on port 6514 (configurable)

  • Check that syslog senders are configured for TLS

  • Confirm clients trust the server certificate

  • Review collector logs for connection attempts

  • Test connectivity using openssl s_client

Issue: Messages Truncated
Symptom: Syslog messages appear incomplete
Potential causes and solutions:

  • Increase maxEventSize parameter

  • Adjust receiveBufferSize accordingly

  • Monitor collector logs for truncation warnings

  • Check sender configuration for message size limits

Issue: High Resource Usage
Symptom: Collector consumes excessive CPU/memory
Potential causes and solutions:

  • TLS encryption adds computational overhead

  • Reduce maxEventSize if set too high

  • Monitor TLS handshake frequency

  • Check for connection pooling on clients

  • Review cipher suite performance characteristics

Issue: Connection Drops
Symptom: Frequent TLS connection resets
Potential causes and solutions:

  • Set strict: false for more lenient parsing

  • Check network stability

  • Review TLS session timeout settings

  • Monitor for certificate validation issues

  • Check client-side TLS configuration

Issue: Port Binding Failures
Symptom: Collector fails to start
Potential causes and solutions:

  • Another service is using port 6514

  • Check for multiple collector instances

  • Verify sufficient permissions to bind to port

  • Use netstat or ss to identify port usage

Testing TLS Syslog

Test TLS syslog connectivity using OpenSSL:

shell
# Test TLS connection
openssl s_client -connect <collector-ip>:6514

# Test with client certificate
openssl s_client -connect <collector-ip>:6514 \
  -cert client-cert.pem -key client-key.pem

# Send a test message
echo "<134>Test TLS syslog message" | \
  openssl s_client -connect <collector-ip>:6514 -quiet

Verifying Certificate Fingerprints

Generate certificate fingerprints for fingerprint-based authentication:

shell
# SHA-256 fingerprint
openssl x509 -in client-cert.pem -noout -fingerprint -sha256

# SHA-1 fingerprint
openssl x509 -in client-cert.pem -noout -fingerprint -sha1

Supported Cipher Suites

The following cipher suites are supported:

  • TLS_RSA_WITH_AES_128_CBC_SHA

  • TLS_RSA_WITH_AES_256_CBC_SHA

  • TLS_RSA_WITH_AES_128_GCM_SHA256

  • TLS_RSA_WITH_AES_256_GCM_SHA384

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

Configuration Parameters

Table: Syslog TLS Source

Parameter | Type | Required | Default Value | Description
--- | --- | --- | --- | ---
bind | string | optional[a] | "" | Address to bind to. Default "" binds to all addresses.
certificateFile | string | required | | Path to PEM certificate file for the TLS server.
clientAuthentication | sourcesyslogtlsclientauthentication | optional[a] | type: none | Configure client authentication method. See Client Authentication.
keyFile | string | required | | Path to PEM private key file for the certificate.
maxEventSize | integer | optional[a] | | Maximum allowed event size in bytes. Messages larger than this will be truncated. Note: Setting maxEventSize above the maximum allowed value will cause the collector service to not start.
parser | string | optional[a] | | Specify the parser name in LogScale to use for parsing the logs. If you installed LogScale through a package manager, you can specify the type of logs to be displayed on the search page, for example linux/systemd-logs:linux/systemd-logs. If a parser is assigned to the ingest token being used, that parser will be ignored.
port | integer | optional[a] | 6514 | The port to listen on for incoming TLS syslog connections.
receiveBufferSize | integer | optional[a] | 16x maxEventSize | Receive buffer size in bytes. Defaults to 16 times maxEventSize dynamically. Note: receiveBufferSize must be set higher than the maxEventSize value, otherwise the collector service won't start.
sink | string | required | | Name of the configured sink that will receive the collected events.
strict | boolean | optional[a] | false | Enable strict event handling. Events that don't start with < or an octet counting header are discarded and the connection is closed.
tls | servertls | optional[a] | {} | TLS configuration options including minimum/maximum versions and cipher suites.
transforms | transform | optional[a] | | Specify transformations for this source. See All Sources: How to Use Transforms for information on how to use transforms.
type | syslog_tls | required | | The source type must be set to syslog_tls.

[a] Optional parameters use their default value unless explicitly set.
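The constraints in the parameter table (required parameters, `receiveBufferSize` must exceed `maxEventSize`, valid TLS version values, supported cipher suites, the shape of each `clientAuthentication` type) together with the Security and Message Handling best practices, turned into a configuration linter. This is an added example, not Collector code; it takes the dict that `yaml.safe_load` produces for one entry under `sources:` so it needs no YAML library itself. The "weak cipher" rule (CBC mode or RSA key exchange, i.e. no forward secrecy) is this example's own criterion, since the page only says to disable weak ciphers, and the two sample source definitions are constructed for the example.

```python
"""Added example, not Collector code: lint one syslog_tls source definition (the
dict yaml.safe_load yields for an entry under sources:) against the constraints in
the Configuration Parameters table and the Security and Message Handling best
practices. The "weak cipher" rule (CBC mode or RSA key exchange) is this example's
own criterion; the page only says to disable weak ciphers."""

SUPPORTED_CIPHERS = {  # the Supported Cipher Suites list
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
}
VALID_VERSIONS = ["1_0", "1_1", "1_2", "1_3"]


def normalise_version(value):
    """Return the canonical '1_2' form, or None. PyYAML's YAML 1.1 resolver reads
    the unquoted scalar 1_2 as the integer 12, so both spellings are accepted."""
    return {"10": "1_0", "11": "1_1", "12": "1_2", "13": "1_3"}.get(str(value).replace("_", ""))


def is_weak_cipher(cipher: str) -> bool:
    return "_CBC_" in cipher or cipher.startswith("TLS_RSA_WITH_")


def validate_syslog_tls_source(name: str, source: dict, sinks: dict):
    """Return (errors, warnings). Errors stop the Collector from starting or can
    never work; warnings are departures from the Best Practices section."""
    errors, warnings = [], []
    if source.get("type") != "syslog_tls":
        errors.append(f"{name}: type must be syslog_tls")
    for key in ("certificateFile", "keyFile", "sink"):
        if not source.get(key):
            errors.append(f"{name}: required parameter {key} is missing")
    if source.get("sink") and source["sink"] not in sinks:
        errors.append(f"{name}: sink {source['sink']!r} is not defined under sinks:")
    max_event, recv_buf = source.get("maxEventSize"), source.get("receiveBufferSize")
    if max_event is not None and recv_buf is not None and recv_buf <= max_event:
        errors.append(f"{name}: receiveBufferSize must be higher than maxEventSize")
    tls = source.get("tls") or {}
    lo = normalise_version(tls.get("minVersion", "1_2"))
    hi = normalise_version(tls.get("maxVersion", "1_3"))
    if lo is None or hi is None:
        errors.append(f"{name}: tls versions must be one of {VALID_VERSIONS}")
    elif VALID_VERSIONS.index(lo) > VALID_VERSIONS.index(hi):
        errors.append(f"{name}: tls minVersion {lo} is above maxVersion {hi}")
    elif lo in ("1_0", "1_1"):
        warnings.append(f"{name}: minVersion {lo} allows TLS 1.0/1.1; use 1_2 or higher")
    for cipher in tls.get("ciphers") or []:
        if cipher not in SUPPORTED_CIPHERS:
            errors.append(f"{name}: unsupported cipher suite {cipher}")
        elif is_weak_cipher(cipher):
            warnings.append(f"{name}: weak cipher suite {cipher}")
    auth = source.get("clientAuthentication") or {"type": "none"}
    kind = auth.get("type", "none")
    if kind == "none":
        warnings.append(f"{name}: no client authentication; any reachable host can send events")
    elif kind == "ca" and not auth.get("caFile"):
        errors.append(f"{name}: clientAuthentication type ca requires caFile")
    elif kind == "fingerprint":
        fps = auth.get("fingerprints") or []
        if not fps or any(not str(fp).lower().startswith(("sha256:", "sha1:")) for fp in fps):
            errors.append(f"{name}: fingerprints must be a non-empty list of sha256:/sha1: entries")
    elif kind != "ca":
        errors.append(f"{name}: unknown clientAuthentication type {kind!r}")
    if source.get("strict") is not True:
        warnings.append(f"{name}: strict is off; frames not starting with '<' or an octet count are accepted")
    return errors, warnings


# Constructed sample sources: one that would not start and ignores the best
# practices, one modelled on Example 5 with strict enabled.
SINKS = {"logscale_sink": {"type": "logscale"}}
WEAK_SOURCE = {
    "type": "syslog_tls", "certificateFile": "cert.pem", "keyFile": "privkey.pem",
    "port": 6514, "maxEventSize": 1048576, "receiveBufferSize": 65536,
    "tls": {"minVersion": 10, "maxVersion": "1_3",  # 10 is how PyYAML reads 1_0
            "ciphers": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_NOT_A_REAL_SUITE"]},
    "sink": "logscale_sink",
}
HARDENED_SOURCE = {
    "type": "syslog_tls", "certificateFile": "cert.pem", "keyFile": "privkey.pem",
    "port": 6514, "maxEventSize": 1048576, "receiveBufferSize": 16777216, "strict": True,
    "clientAuthentication": {"type": "ca", "caFile": "ca.pem"},
    "tls": {"minVersion": "1_2", "maxVersion": "1_3",
            "ciphers": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_AES_256_GCM_SHA384"]},
    "sink": "logscale_sink",
}

if __name__ == "__main__":
    for label, src in (("weak", WEAK_SOURCE), ("hardened", HARDENED_SOURCE)):
        errors, warnings = validate_syslog_tls_source(label, src, SINKS)
        print(label, "errors:", errors, "warnings:", warnings)
```

The version normalisation is the detail most worth checking in your own tooling: an unquoted `1_2` is a valid YAML 1.1 integer, so any script that reads the Collector configuration with PyYAML sees `12`, not the string `1_2`, and a naive comparison against the documented values would wrongly flag every correct configuration.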