Log Insight 3.0 Agents: SSL Support

Log Insight 3.0 agents support SSL for both the cfapi and syslog protocols. In this post, I will discuss how to configure the agents to properly communicate over SSL.


Background

By default, the Log Insight agents connect over plaintext (tcp/9000) via the cfapi. The agents also support the syslog protocol. With the 3.0 version of the agents, both protocols are now supported over SSL. For the cfapi, tcp/9543 is used by default if SSL is enabled; for syslog, tcp/6543 is used.

Basic Configuration

To enable SSL support for either protocol just uncomment or add the following configuration under the [server] section:

Assuming you have not explicitly set the port option (i.e. it is commented out)

then the agent will automatically switch to the default SSL port for the configured protocol. If you did explicitly set the port option, you will need to change it to the proper SSL port yourself. Assuming the SSL certificate on the upstream logging destination is trusted, that's it! Remember, the agent reconfigures itself automatically, so there is no need to restart it. To confirm things are working, you can check the upstream logging destination or check the Log Insight agent log file.

Example:

Note this is equivalent to:

However, this will not work:

Advanced Configuration

By default, the Log Insight agent has some strict guidelines on what SSL certificates it accepts:

  • On initial connection it will accept a self-signed certificate
  • If a self-signed certificate has been accepted and a signed certificate is received it will accept the signed certificate
  • If a self-signed certificate has been accepted and a new self-signed certificate is received it will reject the new certificate
  • If a signed certificate has been accepted and a new signed certificate is received it will reject the new certificate

In short, this means the agent accepts an initial self-signed certificate, and accepts a signed certificate when no certificate or only a self-signed certificate has been accepted so far, but rejects everything else.

This raises the question of how to get around these strict guidelines. The following options provide the functionality needed:

  • ssl_ca_path: If you have your own CA then you can point to it for validation
  • ssl_accept_any: Just accept all SSL certificates — this is clearly the least secure option
  • ssl_accept_any_trusted: This would allow you to move from one trusted certificate to another seamlessly — this option is often recommended
  • ssl_cn: To accept certificates that do not match the hostname setting of the agent but do match the Common Name specified here

Example:

Note this is equivalent to:

For more information see the official documentation.
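As an added illustration of the rules above (my own Python model, not the agent's code), the following parses a constructed [server] section and applies the default-port and certificate-acceptance logic the post describes. The key names proto and ssl are assumed from the agent's INI layout; the hostname and other sample values are constructed.

```python
import configparser

# Default ports named in the post: plaintext cfapi tcp/9000, cfapi over SSL
# tcp/9543, syslog over SSL tcp/6543. Plaintext syslog is not stated, so it is absent.
DEFAULT_PORTS = {("cfapi", False): 9000, ("cfapi", True): 9543, ("syslog", True): 6543}

# Constructed sample config: port is commented out, so the SSL default applies.
SAMPLE_INI = """
[server]
hostname=loginsight.example.com
proto=cfapi
ssl=yes
;port=9000
ssl_accept_any_trusted=yes
"""

def parse_server(ini_text):
    """Parse the [server] section; yes/true/1 become True (key names proto/ssl assumed)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    sec = cp["server"]
    on = lambda key: sec.get(key, "no").lower() in ("yes", "true", "1")
    return {
        "proto": sec.get("proto", "cfapi").lower(),
        "ssl": on("ssl"),
        "port": int(sec["port"]) if "port" in sec else None,  # None == commented out
        "hostname": sec.get("hostname", ""),
        "ssl_cn": sec.get("ssl_cn", ""),
        "ssl_accept_any": on("ssl_accept_any"),
        "ssl_accept_any_trusted": on("ssl_accept_any_trusted"),
    }

def effective_port(cfg):
    """An explicit port wins (and must be changed by hand when SSL is turned on);
    otherwise the agent switches to the protocol's default for the SSL setting."""
    if cfg["port"] is not None:
        return cfg["port"]
    return DEFAULT_PORTS.get((cfg["proto"], cfg["ssl"]))

def accept_certificate(cfg, accepted_kind, incoming_kind):
    """Model of the post's acceptance rules. Kinds: None (nothing accepted yet),
    "self-signed", or "signed" (CA-signed / trusted)."""
    if cfg["ssl_accept_any"]:                       # least secure: everything passes
        return True
    if incoming_kind == "signed" and cfg["ssl_accept_any_trusted"]:
        return True                                 # move freely between trusted certs
    if accepted_kind is None:
        return True                                 # first connection: either kind
    if accepted_kind == "self-signed":
        return incoming_kind == "signed"            # upgrade ok, new self-signed rejected
    return False                                    # pinned to a signed cert: reject change

def name_matches(cfg, cert_cn):
    """Name check: the CN must equal the configured hostname or the ssl_cn override."""
    return cert_cn == cfg["hostname"] or (cfg["ssl_cn"] != "" and cert_cn == cfg["ssl_cn"])
```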

Summary

In many environments, there is a need to send logs securely. The Log Insight 3.0 agents natively support secure logging for both cfapi and syslog. By default, the Log Insight agent's certificate acceptance criteria are strict for security reasons. Advanced configuration options can be used as necessary to meet business requirements. Do you send secure logs today?

© 2015, Steve Flanders. All rights reserved.

2 thoughts on "Log Insight 3.0 Agents: SSL Support"

  1. Chris says:

    This path points to a linux location (ssl_ca_path=/etc/ca/certs/ca-bundle.crt) but how is the path configured for a windows agent?
