Log Insight 3.0 agents support SSL for both the cfapi and syslog protocols. In this post, I will discuss how to configure the agents to properly communicate over SSL.
Background
By default, the Log Insight agents connect over plaintext (tcp/9000) via the cfapi. The agents also support the syslog protocol. With the 3.0 version of the agents both protocols are now supported over SSL. For the cfapi, tcp/9543 is used by default if SSL is enabled, and for syslog tcp/6543 is used. (The IANA-registered port for syslog over TLS is 6514, so confirm which port your Log Insight server is actually listening on before pointing agents at it.)
Basic Configuration
To enable SSL support for either protocol just uncomment or add the following configuration under the [server] section:
ssl=yes
Assuming you have not explicitly set the port option (i.e. it is still commented out):
;port=9000
then the agent will automatically switch to the default SSL port for the configured protocol. If you did explicitly set the port option, you will need to change it to the SSL port for that protocol. Assuming the SSL certificate on the upstream logging destination is trusted, that's it! Remember, the agent picks up configuration changes automatically, so there is no need to restart it. To confirm things are working, check the upstream logging destination or the Log Insight agent log file.
Example:
ssl=yes
Note this is equivalent to:
proto=cfapi
port=9543
ssl=yes
However, this will not work, because the explicit port is still the plaintext one:
proto=cfapi
port=9000
ssl=yes
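To make the port rule above checkable before you push a liagent.ini out, here is a small resolver that reads the [server] section and reports the endpoint the agent would use. This is an added example written for this post, not the Log Insight agent's own code: it uses Python's stdlib configparser (which treats lines starting with ; as comments, so a commented-out ;port=9000 sets nothing), takes the 9000/9543/6543 values from the post, and assumes 514 as the plaintext syslog default, which the post does not state. The sample configs are constructed.

```python
"""Resolve the endpoint a Log Insight agent would use from its [server] section.

Added example for this post, not the Log Insight agent's code. Encodes the rule
from the post: with ssl=yes and no explicit port the agent switches to the SSL
default for the protocol; an explicit plaintext port left in place with ssl=yes
does not work.
"""
import configparser

# 9000, 9543 and 6543 are the values given in the post;
# 514 for plaintext syslog is an assumption (the post does not state it).
PLAINTEXT_PORTS = {"cfapi": 9000, "syslog": 514}
SSL_PORTS = {"cfapi": 9543, "syslog": 6543}
TRUE_VALUES = {"yes", "true", "1", "on"}


def parse_server_section(ini_text):
    """Return the [server] keys of a liagent.ini as a dict (keys lower-cased).

    Full-line ';' and '#' comments are ignored, so ';port=9000' sets no port.
    Interpolation is disabled so a '%' in a value cannot break parsing.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("server"):
        raise ValueError("no [server] section in agent config")
    return {k: v.strip() for k, v in cp.items("server")}


def resolve_endpoint(server):
    """Apply the port rule and return the effective endpoint plus any warnings."""
    proto = server.get("proto", "cfapi").lower()
    if proto not in SSL_PORTS:
        raise ValueError(f"unknown proto {proto!r}")
    ssl = server.get("ssl", "no").lower() in TRUE_VALUES
    warnings = []
    if "port" not in server:
        # port left commented out: the agent picks the default for proto + ssl
        port = (SSL_PORTS if ssl else PLAINTEXT_PORTS)[proto]
    else:
        port = int(server["port"])
        if ssl and port == PLAINTEXT_PORTS[proto]:
            warnings.append(
                f"ssl=yes but port={port} is the plaintext {proto} port; "
                f"use {SSL_PORTS[proto]} or comment the port out")
        elif not ssl and port == SSL_PORTS[proto]:
            warnings.append(
                f"ssl=no but port={port} is the SSL {proto} port; "
                "a plaintext connection to an SSL listener will fail")
    if not ssl:
        warnings.append("logs leave this host in plaintext (ssl=no)")
    if server.get("ssl_accept_any", "no").lower() in TRUE_VALUES:
        warnings.append("ssl_accept_any=yes disables server authentication")
    return {"proto": proto, "ssl": ssl, "port": port, "warnings": warnings}


# Constructed sample configs (not taken from a real deployment).
SAMPLE_DEFAULT_SSL = """
[server]
hostname=loginsight.example.com
;port=9000
ssl=yes
"""

SAMPLE_STALE_PORT = """
[server]
hostname=loginsight.example.com
proto=cfapi
port=9000
ssl=yes
"""

SAMPLE_SYSLOG_SSL = """
[server]
hostname=loginsight.example.com
proto=syslog
ssl=yes
"""

if __name__ == "__main__":
    for name, text in [("default ssl", SAMPLE_DEFAULT_SSL),
                       ("stale port", SAMPLE_STALE_PORT),
                       ("syslog ssl", SAMPLE_SYSLOG_SSL)]:
        print(name, resolve_endpoint(parse_server_section(text)))
```

Run it against your real liagent.ini by passing the file contents to parse_server_section; the "stale port" sample is exactly the non-working combination shown above and produces a warning.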
Advanced Configuration
By default, the Log Insight agent has some strict guidelines on what SSL certificates it accepts:
- On initial connection it will accept a self-signed certificate
- If a self-signed certificate has been accepted and a signed certificate is received it will accept the signed certificate
- If a self-signed certificate has been accepted and a new self-signed certificate is received it will reject the new certificate
- If a signed certificate has been accepted and a new signed certificate is received it will reject the new certificate
Basically, this means the agent will accept an initial self-signed certificate, and will accept a signed certificate if no certificate has been accepted yet or a self-signed certificate has been accepted, but will reject everything else.
This raises the question of how to get around these strict guidelines. The following options provide the functionality needed:
- ssl_ca_path: If you have your own CA then you can point to it for validation
- ssl_accept_any: Just accept all SSL certificates. This is clearly the least secure option: the agent no longer authenticates the server at all, so anything that can intercept the connection can present its own certificate and read the logs
- ssl_accept_any_trusted: This would allow you to move from one trusted certificate to another seamlessly — this option is often recommended
- ssl_cn: To accept certificates that do not match the hostname setting of the agent but do match the Common Name specified here
Example:
ssl=yes
ssl_ca_path=/etc/ca/certs/ca-bundle.crt
ssl_accept_any_trusted=yes
ssl_cn=LOGINSIGHT
Note this is equivalent to:
proto=cfapi
port=9543
ssl=yes
ssl_ca_path=/etc/ca/certs/ca-bundle.crt
ssl_accept_any=no
ssl_accept_any_trusted=yes
ssl_cn=LOGINSIGHT
For more information see the official documentation.
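The four acceptance rules and the options that relax them are easier to reason about as a small state machine. The following is an added simulation written for this post, not the Log Insight agent's code, so the agent's real implementation may differ in details: certificates are constructed records (subject CN, issuer CN, fingerprint) rather than parsed X.509; "signed" means issued by a CA in the store built from ssl_ca_path; the agent is assumed to pin the accepted certificate by fingerprint; and the order in which the name check, ssl_accept_any_trusted and the pinning rules are applied is an assumption. The walkthrough functions cover the default policy, ssl_accept_any_trusted, ssl_cn and ssl_accept_any.

```python
"""Simulation of the agent's certificate-acceptance rules described above.

Added example for this post, not the Log Insight agent's code. Trust-store
contents, pinning by fingerprint and the order of checks are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a server certificate (constructed, not real X.509)."""
    subject_cn: str
    issuer_cn: str
    fingerprint: str

    @property
    def self_signed(self) -> bool:
        return self.subject_cn == self.issuer_cn


class AgentSslPolicy:
    def __init__(self, hostname, trusted_issuers=(), ssl_accept_any=False,
                 ssl_accept_any_trusted=False, ssl_cn=None):
        self.hostname = hostname
        self.trusted_issuers = frozenset(trusted_issuers)  # from ssl_ca_path
        self.ssl_accept_any = ssl_accept_any
        self.ssl_accept_any_trusted = ssl_accept_any_trusted
        self.ssl_cn = ssl_cn
        self.accepted: Optional[Cert] = None  # certificate pinned so far

    def is_trusted(self, cert: Cert) -> bool:
        return not cert.self_signed and cert.issuer_cn in self.trusted_issuers

    def name_matches(self, cert: Cert) -> bool:
        # ssl_cn replaces the hostname the agent connects to for the name check
        return cert.subject_cn == (self.ssl_cn or self.hostname)

    def decide(self, cert: Cert) -> Tuple[bool, str]:
        """Return (accepted, reason) for the certificate presented on a connection."""
        if self.ssl_accept_any:
            self.accepted = cert
            return True, "ssl_accept_any=yes: no validation at all"
        if not self.name_matches(cert):
            return False, "name mismatch: set ssl_cn if the CN is not the hostname"
        if self.ssl_accept_any_trusted and self.is_trusted(cert):
            self.accepted = cert
            return True, "issued by a trusted CA and ssl_accept_any_trusted=yes"
        if self.accepted is None:
            self.accepted = cert
            return True, "initial connection"
        if cert.fingerprint == self.accepted.fingerprint:
            return True, "same certificate as pinned"
        if self.accepted.self_signed and self.is_trusted(cert):
            self.accepted = cert
            return True, "self-signed replaced by a CA-signed certificate"
        if self.accepted.self_signed:
            return False, "new self-signed certificate rejected"
        return False, "new signed certificate rejected (pinned one is CA-signed)"


def walk(policy, certs):
    """Present certificates in order and return the accept/reject decisions."""
    return [policy.decide(c)[0] for c in certs]


# Constructed certificates and CA for the walkthroughs.
CA = {"Example Corp Issuing CA"}
SELF_SIGNED_1 = Cert("loginsight.example.com", "loginsight.example.com", "aa:01")
SELF_SIGNED_2 = Cert("loginsight.example.com", "loginsight.example.com", "aa:02")
CA_SIGNED_1 = Cert("loginsight.example.com", "Example Corp Issuing CA", "bb:01")
CA_SIGNED_2 = Cert("loginsight.example.com", "Example Corp Issuing CA", "bb:02")
CA_SIGNED_CN = Cert("LOGINSIGHT", "Example Corp Issuing CA", "bb:03")


def default_policy_walk():
    # self-signed accepted, second self-signed rejected, CA-signed accepted,
    # a second CA-signed rejected: the four rules from the post in order
    p = AgentSslPolicy("loginsight.example.com", trusted_issuers=CA)
    return walk(p, [SELF_SIGNED_1, SELF_SIGNED_2, CA_SIGNED_1, CA_SIGNED_2])


def trusted_rotation_walk():
    # ssl_accept_any_trusted lets a renewed CA-signed cert through
    p = AgentSslPolicy("loginsight.example.com", trusted_issuers=CA,
                       ssl_accept_any_trusted=True)
    return walk(p, [CA_SIGNED_1, CA_SIGNED_2, SELF_SIGNED_1])


def ssl_cn_walk():
    # agent connects to an IP; only the cert whose CN equals ssl_cn is accepted
    p = AgentSslPolicy("10.0.0.5", trusted_issuers=CA, ssl_cn="LOGINSIGHT")
    return walk(p, [CA_SIGNED_1, CA_SIGNED_CN])


def accept_any_walk():
    # ssl_accept_any accepts everything, including an interposed certificate
    p = AgentSslPolicy("loginsight.example.com", ssl_accept_any=True)
    return walk(p, [SELF_SIGNED_1, SELF_SIGNED_2, Cert("mitm", "mitm", "ff:ff")])
```

The accept_any_walk result is the point of the "least secure" remark above: with ssl_accept_any=yes a certificate for a completely different name is accepted, so the encrypted channel no longer tells the agent who it is talking to.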
Summary
In many environments, the need to send logs securely exists. The Log Insight 3.0 agents natively support secure logging for both cfapi and syslog. By default, the Log Insight agent's certificate acceptance criteria are strict for security reasons. Advanced configuration options can be used as necessary to meet business requirements. Do you send secure logs today?
© 2015, Steve Flanders. All rights reserved.
This path points to a linux location (ssl_ca_path=/etc/ca/certs/ca-bundle.crt) but how is the path configured for a windows agent?
Hey Chris — Thanks for the comment! You can use a Windows path, for example: ssl_ca_path=C:\ca\certs\ca-bundle.crt