Syslog via TLS Source
yaml
sources:
  MySourceName:
    type: syslog_tls

#   Required: Name of the configured sink that will be sent the collected events.
    sink: logscale

#   Required: PEM certificate file.
    certificateFile: cert.pem

#   Required: PEM private key for the certificate.
    keyFile: privkey.pem

##   Optional: Max allowed event size (default = 2048 bytes). Messages larger than this will be truncated.
##   NOTE: Setting maxEventSize above the max allowed value will cause the FLC service to not start.
#    maxEventSize: 1048576

##   Optional: Receive buffer size. Defaults to 16x maxEventSize dynamically.
##  NOTE: receiveBufferSize must be set higher than the maxEventSize value otherwise FLC service won't start
#    receiveBufferSize: 16777216

##   Optional: Enable strict event handling. Events that don't start with '<' or an octet counting header are discarded and the connection is closed.
#    strict: false

##   Optional: The port to listen on. Default 6514.
#    port: 6514

##   Optional: Address to bind to. Default "", which is all addresses.
#    bind: "127.0.0.1"

##   No client validation, default if section is omitted.
#    clientAuthentication:
#      type: none

##   Verify client via CA cert:
#    clientAuthentication:
#      type: ca
#      caFile: ca.pem

##   Verify client via cert fingerprint:
#    clientAuthentication:
#      type: fingerprint
#      fingerprints:
#        - sha-1:bf:88:e7:9e:58:04:d6:85:e6:06:2e:e0:de:d1:3c:44:cd:33:b6:ba
#        - sha-256:89:83:8E:56:61:EC:D4:BF:ED:DA:88:2B:A4:8A:27:25:EF:B5:39:F9:5E:59:2D:CA:38:AC:51:8D:C6:7C:D9:59

##   Optional: TLS options.
#    tls:
##     Optional: minimum TLS version to accept. Default 1_2. Valid values are 1_0, 1_1, 1_2, 1_3.
#      minVersion: 1_2

##     Optional: maximum TLS version to accept. Default 1_3. Valid values are 1_0, 1_1, 1_2, 1_3.
#      maxVersion: 1_3

  

sinks:
  logscale:
    type: logscale
    # Replace with your ingest token.
    token: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
    # Replace with the "Ingest URL" on the FLC download page. It must include the "https://" at the beginning.
    url: https://XXX.YYY.ZZZ
    # This sets the maximum allowed single event size to 1 MB; larger messages will be truncated
    #maxEventSize: 1048576

Table: Syslog TLS Source

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| bind | string | optional[a] | | Address to bind to. Defaults to all interfaces. |
| certificateFile | string | required | | PEM certificate file. |
| clientAuthentication | sourcesyslogtlsclientauthentication | optional[a] | type: none | Specifies what kind of client authentication to use: |
| keyFile | string | required | | PEM private key for the certificate. |
| maxEventSize | integer | optional[a] | | Maximum allowed syslog event size; syslog events larger than this will be truncated. If maxEventSize is also defined at sinks level the lower of the two values will be applied. Set this to the max value to avoid truncation issues. |
| parser | string | optional[a] | | Specify the parser within LogScale to use to parse the logs, if you install the parser through a package you must specify the type and name as displayed on the parsers page for example linux/system-logs:linux-filebeat. If a parser is assigned to the ingest token being used this parser will be ignored. |
| port | integer | optional[a] | 6514 | The port to listen on. |
| receiveBufferSize | integer | optional[a] | 64 times maxEventSize | The receiveBufferSize is the size of the read buffer used to copy the received messages into the applications memory. This read buffer has to be able to contain at least one message (the largest). If it is too small, the message gets truncated. If the read buffer is large, it will be able to read several messages at once. |
| sink | string | required | | Name of the configured sink that will be sent the collected events. |
| strict | boolean | optional[a] | false | Enable strict event handling. Events that don't start with < or an octet counting header are discarded and the connection is closed. |
| tls | servertls | optional[a] | {} | This object contains details on the PEM certificates. this section allows you to override the defaults. Only one of the following options should be specified: |
| transforms | transform | optional[a] | | The transforms parameter allows you to add fields or to filter data before it is ingested. See All sources: How to use Transforms for information on how to use transforms. |
| type | syslog_tls | required | | The sources block configures the sources of data that the log collector will send to LogScale. |
| nonTransparentFramingTrailer | string | optional[a] | | Sets the trailing character used in non-transparent-framing. (added in 1.10.2) Values: multiple workers |

[a] Optional parameters use their default value unless explicitly set.


Client Authentication

To configure client authentication, the following modes are available:

When using client authentication, unauthorized connections will be closed.

Table: Syslog TLS Authentication

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| type | sourcesyslogtlsclientauthenticationtype | optional[a] | | The sources block configures the sources of data that the log collector will send to Falcon LogScale. |
| | | | | Value ca: Verify client via CA cert. See Syslog TLS Authentication None. |
| | | | | Value fingerprint: Verify client via cert fingerprint. See Syslog TLS Authentication Fingerprint. |
| | | | | Value none: No client authentication applied. See Syslog TLS Authentication None. |

[a] Optional parameters use their default value unless explicitly set.


Table: Syslog TLS Authentication CA

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| caFile | string | required | | PEM certificate file. |
| type | ca | required | | PEM private key for the certificate. |

Table: Syslog TLS Authentication Fingerprint

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| fingerprints | array of strings | required | | Verify client via cert fingerprint. See Syslog TLS Authentication Fingerprint |
| type | fingerprint | required | | The sources block configures the sources of data that the log collector will send to Falcon LogScale. |

Table: Syslog TLS Authentication None

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| type | none | required | | The sources block configures the sources of data that the log collector will send to Falcon LogScale. |

Table: Syslog TLS Server

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| ciphers | tlsciphersuite | optional[a] | | List of cipher suites to accept. Defaults to all of the valid values. Valid values are listed in Ciphers |
| maxVersion | tlsversion | optional[a] | 1_3 | Maximum TLS version to accept. Values: 1_0, 1_1, 1_2, 1_3 |
| minVersion | tlsversion | optional[a] | 1_2 | Minimum TLS version to accept. Values: 1_0, 1_1, 1_2, 1_3 |

[a] Optional parameters use their default value unless explicitly set.


Ciphers

The following is a list of all the possible ciphers:

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
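
An added example (not from the LogScale documentation) that reviews one `syslog_tls` source, passed as a dict holding the YAML values as strings and integers, against the defaults documented on this page. The function names and finding codes are hypothetical, and the cipher classification (static RSA key exchange, CBC mode) is general TLS knowledge rather than a statement from this page.

```python
# Version labels in ascending order, as listed for minVersion and maxVersion.
VERSIONS = ["1_0", "1_1", "1_2", "1_3"]

# The cipher list from this page; the tls table says an omitted `ciphers` accepts all of them.
ALL_CIPHERS = """
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
""".split()


def weak_ciphers(suites):
    """Suites using static RSA key exchange (no forward secrecy) or CBC mode (not AEAD)."""
    return [s for s in suites if s.startswith("TLS_RSA_") or "_CBC_" in s]


def audit_syslog_tls(source):
    """Return a list of (code, detail) findings for one syslog_tls source dict."""
    findings = []
    auth = source.get("clientAuthentication") or {"type": "none"}  # default per the page
    if auth.get("type") == "none":
        findings.append(("no-client-auth", "any host that reaches the port can send events"))
    sha1 = [f for f in auth.get("fingerprints", []) if f.lower().startswith("sha-1:")]
    if sha1:
        findings.append(("sha1-pin", f"{len(sha1)} fingerprint(s) use SHA-1; prefer sha-256"))
    tls = source.get("tls") or {}
    lo, hi = tls.get("minVersion", "1_2"), tls.get("maxVersion", "1_3")  # defaults per the page
    if VERSIONS.index(lo) < VERSIONS.index("1_2"):
        findings.append(("old-tls", f"minVersion {lo} accepts TLS below 1.2"))
    if VERSIONS.index(hi) < VERSIONS.index(lo):
        findings.append(("version-range", f"maxVersion {hi} is below minVersion {lo}"))
    weak = weak_ciphers(tls.get("ciphers") or ALL_CIPHERS)
    if weak:
        findings.append(("weak-ciphers", ", ".join(weak)))
    size, buf = source.get("maxEventSize"), source.get("receiveBufferSize")
    if size is not None and buf is not None and buf <= size:
        findings.append(("buffer-size", "receiveBufferSize must be higher than maxEventSize"))
    return findings


# Constructed sample: a source with only the certificate and key set, everything else default.
DEFAULT_SOURCE = {"type": "syslog_tls", "certificateFile": "cert.pem", "keyFile": "privkey.pem"}
```

On `DEFAULT_SOURCE` the audit reports `no-client-auth` and `weak-ciphers`, because the documented defaults are no client validation and every listed suite.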

Generating a self-signed certificate

You can generate a self-signed certificate using the following OpenSSL commands:

shell
openssl ecparam -name prime256v1 -genkey -out privkey.pem
openssl req -new -x509 -key privkey.pem -out cert.pem