Log Insight 3.0 Agents: SSL Support

Log Insight 3.0 agents support SSL for both the cfapi and syslog protocols. In this post, I will discuss how to configure the agents to properly communicate over SSL.

Background

By default, the Log Insight agents connect over plaintext (tcp/9000) using the cfapi protocol. The agents also support the syslog protocol. With the 3.0 version of the agents, both protocols are now supported over SSL. When SSL is enabled, cfapi uses tcp/9543 by default and syslog uses tcp/6543.

Basic Configuration

To enable SSL support for either protocol just uncomment or add the following configuration under the [server] section:

ssl=yes

Assuming you have not explicitly set the port option (i.e. it is still commented out)

;port=9000

then the agent automatically switches to the default SSL port for the configured protocol. If you did explicitly set the port option, you will need to change it to the SSL port yourself: the agent does not override an explicit port. Assuming the SSL certificate on the upstream logging destination is trusted, that is it. Remember, the agent picks up configuration changes automatically, so there is no need to restart it. To confirm things are working, check the upstream logging destination or the Log Insight agent log file.
Example:

ssl=yes

Note this is equivalent to:

proto=cfapi
port=9543
ssl=yes

However, this will not work:

proto=cfapi
port=9000
ssl=yes
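The port rule above is easy to get wrong in a fleet of agent configs, so here is a small lint that applies it, written as an added example for this post (it is not the Log Insight agent's own code). It encodes only what the post states: cfapi plaintext tcp/9000, cfapi SSL tcp/9543, syslog SSL tcp/6543, an explicitly set port is used as-is, and a commented-out port falls back to the default for the protocol and SSL setting. The plaintext syslog default of 514 and the hostname loginsight.example.com in the samples are assumptions; the three sample sections are constructed to mirror the fragments in the post.

```python
"""Lint the [server] section of a liagent.ini against the SSL/port rules in the post.

Added example, not the Log Insight agent's own code. The plaintext syslog default
(514) is an assumption; the post only gives the cfapi plaintext port and the two
SSL ports.
"""
import configparser

PLAINTEXT_PORT = {"cfapi": 9000, "syslog": 514}   # 514 assumed, see above
SSL_PORT = {"cfapi": 9543, "syslog": 6543}


def check_server_section(ini_text):
    """Return the effective proto/ssl/port plus a list of warnings for one config."""
    # configparser skips full-line ';' comments such as ';port=9000', so a commented-out
    # port is simply absent. Interpolation is off so Windows paths and '%' are left alone.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    server = cp["server"]

    proto = server.get("proto", "cfapi").strip().lower()
    ssl_on = server.get("ssl", "no").strip().lower() == "yes"
    warnings = []
    if proto not in SSL_PORT:
        return {"proto": proto, "ssl": ssl_on, "port": None,
                "warnings": [f"unknown proto '{proto}' (expected cfapi or syslog)"]}

    # Commented-out port: the agent picks the default for proto and ssl.
    # Explicit port: the agent uses it as-is, so a plaintext port with ssl=yes breaks.
    default_port = (SSL_PORT if ssl_on else PLAINTEXT_PORT)[proto]
    port = server.getint("port", default_port)

    if ssl_on and port == PLAINTEXT_PORT[proto]:
        warnings.append(f"ssl=yes but port={port} is the plaintext {proto} port; "
                        f"set port={SSL_PORT[proto]} or comment port out")
    if not ssl_on and port == SSL_PORT[proto]:
        warnings.append(f"ssl=no but port={port} is the SSL {proto} port")
    if server.get("ssl_accept_any", "no").strip().lower() == "yes":
        warnings.append("ssl_accept_any=yes accepts any certificate; prefer ssl_ca_path "
                        "with ssl_accept_any_trusted=yes")
    return {"proto": proto, "ssl": ssl_on, "port": port, "warnings": warnings}


# Constructed samples mirroring the three fragments in the post (hostname assumed).
SAMPLE_DEFAULT_PORT = """
[server]
hostname=loginsight.example.com
;port=9000
ssl=yes
"""

SAMPLE_EXPLICIT_OK = """
[server]
hostname=loginsight.example.com
proto=cfapi
port=9543
ssl=yes
"""

SAMPLE_EXPLICIT_BROKEN = """
[server]
hostname=loginsight.example.com
proto=cfapi
port=9000
ssl=yes
"""

if __name__ == "__main__":
    for name, text in [("commented-out port", SAMPLE_DEFAULT_PORT),
                       ("explicit 9543", SAMPLE_EXPLICIT_OK),
                       ("explicit 9000", SAMPLE_EXPLICIT_BROKEN)]:
        result = check_server_section(text)
        print(f"{name}: proto={result['proto']} port={result['port']} "
              f"{result['warnings'] or 'ok'}")
```

Run it against your real liagent.ini by reading the file into a string and passing it to check_server_section; the third sample reproduces the "this will not work" case and is the one it flags.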

Advanced Configuration

By default, the Log Insight agent applies strict rules to the SSL certificates it accepts:

  • On initial connection it will accept a self-signed certificate
  • If a self-signed certificate has been accepted and a signed certificate is received it will accept the signed certificate
  • If a self-signed certificate has been accepted and a new self-signed certificate is received it will reject the new certificate
  • If a signed certificate has been accepted and a new signed certificate is received it will reject the new certificate

In other words, the agent accepts the first certificate it sees, whether self-signed or signed, allows a one-way move from a self-signed certificate to a signed one, and rejects every other change. In practice the agent pins the certificate it first accepted, so replacing the destination's certificate (for example on renewal) will cause agents to reject the new one.
This raises the question of how to relax these rules when you need to. The following options provide the functionality needed:

  • ssl_ca_path: If you have your own CA, point to its certificate bundle here so that certificates are validated against it
  • ssl_accept_any: Accept all SSL certificates without validation. This is clearly the least secure option and defeats the purpose of SSL
  • ssl_accept_any_trusted: Accept any certificate that validates as trusted, which lets you move from one trusted certificate to another (for example on renewal) without accepting arbitrary certificates. Combined with ssl_ca_path this is the option to prefer
  • ssl_cn: Accept certificates that do not match the hostname setting of the agent but do match the Common Name specified here

Example:

ssl=yes
ssl_ca_path=/etc/ca/certs/ca-bundle.crt
ssl_accept_any_trusted=yes
ssl_cn=LOGINSIGHT

Note this is equivalent to:

proto=cfapi
port=9543
ssl=yes
ssl_ca_path=/etc/ca/certs/ca-bundle.crt
ssl_accept_any=no
ssl_accept_any_trusted=yes
ssl_cn=LOGINSIGHT
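To make the default acceptance rules and the effect of the overrides concrete, here is a model of the policy as the post describes it, written as an added example for this post (it is not the agent's code and does not claim to match its implementation in detail). "Signed" stands for a certificate whose chain validates against the CA given by ssl_ca_path; certificates are identified by a fingerprint so that re-presenting the already accepted certificate is always fine. Two points are assumptions because the post does not spell them out: the hostname/ssl_cn name check is applied to every offered certificate except when ssl_accept_any is set, and the scenario's hostnames, CNs and fingerprints are constructed values.

```python
"""Model of the certificate acceptance policy described in the post.

Added example, not the Log Insight agent's code. Assumptions: "signed" means the
chain validates against ssl_ca_path; the hostname/ssl_cn check applies to every
offered certificate unless ssl_accept_any is set; all names and fingerprints are
constructed.
"""
SELF_SIGNED = "self-signed"
SIGNED = "signed"


class AgentTrust:
    """Tracks the certificate an agent has accepted and decides on new offers."""

    def __init__(self, hostname, ssl_cn=None, ssl_accept_any=False,
                 ssl_accept_any_trusted=False):
        self.hostname = hostname
        self.ssl_cn = ssl_cn
        self.ssl_accept_any = ssl_accept_any
        self.ssl_accept_any_trusted = ssl_accept_any_trusted
        self.pinned = None   # (kind, fingerprint) of the accepted certificate, if any

    def offer(self, kind, fingerprint, cn):
        """Return True if the agent accepts this certificate, updating the pin if so."""
        if self.ssl_accept_any:
            accept = True                              # no validation at all
        elif cn != self.hostname and cn != self.ssl_cn:
            accept = False                             # name check (assumed to apply here)
        elif self.pinned is None or self.pinned[1] == fingerprint:
            accept = True                              # first contact, or same cert again
        elif kind == SIGNED and (self.pinned[0] == SELF_SIGNED
                                 or self.ssl_accept_any_trusted):
            accept = True                              # self-signed -> signed, or trusted rotation
        else:
            accept = False                             # any other change is rejected
        if accept:
            self.pinned = (kind, fingerprint)
        return accept


def rotation_scenario(ssl_accept_any_trusted):
    """Destination goes self-signed -> signed -> renewed signed; return the three decisions."""
    agent = AgentTrust("loginsight.example.com",
                       ssl_accept_any_trusted=ssl_accept_any_trusted)
    offers = [
        (SELF_SIGNED, "aa:11", "loginsight.example.com"),   # initial deployment
        (SIGNED, "bb:22", "loginsight.example.com"),        # proper CA-signed cert installed
        (SIGNED, "cc:33", "loginsight.example.com"),        # renewed with a new key
    ]
    return [agent.offer(*cert) for cert in offers]


def cn_override_scenario(ssl_cn):
    """Agent configured with an IP as hostname; the cert's CN is LOGINSIGHT."""
    agent = AgentTrust("10.0.0.5", ssl_cn=ssl_cn)
    return agent.offer(SIGNED, "dd:44", "LOGINSIGHT")


if __name__ == "__main__":
    print("default policy     :", rotation_scenario(False))
    print("accept_any_trusted :", rotation_scenario(True))
    print("ssl_cn unset       :", cn_override_scenario(None))
    print("ssl_cn=LOGINSIGHT  :", cn_override_scenario("LOGINSIGHT"))
```

The rotation scenario is the case that bites in practice: with the default policy the third offer (a renewed signed certificate) is rejected, and only ssl_accept_any_trusted lets the agent follow the renewal while still requiring a certificate that validates.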

For more information see the official documentation.

Summary

Many environments need to ship logs securely. The Log Insight 3.0 agents natively support secure logging for both cfapi and syslog. By default, the agent's certificate acceptance criteria are strict for security reasons. Advanced configuration options can be used as necessary to meet business requirements. Do you send secure logs today?

© 2015, Steve Flanders. All rights reserved.

2 comments on "Log Insight 3.0 Agents: SSL Support"

Chris says:

This path points to a linux location (ssl_ca_path=/etc/ca/certs/ca-bundle.crt) but how is the path configured for a windows agent?

Hey Chris — Thanks for the comment! You can use a Windows path, for example: ssl_ca_path=C:\ca\certs\ca-bundle.crt
