TLS/SSL log transfer
Logs often include private or sensitive information. While those logs might be protected in their source and destination environments, you may need to transfer them over a network vulnerable to unauthorized access. NXLog Agent supports secure log transfer with TLS/SSL to prevent data in transit from being viewed or modified by a malicious actor.
TLS/SSL uses certificate-based authentication that can be one-way or mutual. In one-way authentication, NXLog Agent requires the remote host to send a valid certificate during the TLS/SSL handshake (the process that initiates a communication session). In mutual authentication, NXLog Agent sends its certificate during the TLS/SSL handshake and expects one from the remote host. When using mutual authentication, the remote host must be able to validate the certificate it receives from NXLog Agent.
NXLog Agent verifies the remote host’s certificate with a Certificate Authority (CA) certificate. By default, it tries to validate the certificate with a matching CA certificate from the OS root certificate store. Alternatively, you can provide a CA certificate or define a custom path for NXLog Agent to locate the CA certificate.
NXLog Agent TLS/SSL configuration
NXLog Agent requires the following certificates to use TLS/SSL:
One-way authentication:
- Certificate Authority (CA) certificate.
Mutual authentication:
- Certificate Authority (CA) certificate.
- NXLog Agent certificate.
- The private key that was used to generate the NXLog Agent certificate.
We recommend using 2048-bit or larger keys for encryption.
Module directives
You need to configure one of the following directives to specify the Certificate Authority (CA) certificate.
Directive | Description
---|---
CADir | The path to a directory containing Certificate Authority (CA) certificates. These certificates are used to verify the remote host's certificate. If the remote host uses a self-signed certificate, you can add the remote host's certificate to this directory.
CAFile | The path of the Certificate Authority (CA) certificate used to verify the remote host's certificate. If the remote host uses a self-signed certificate, you can specify the remote host's certificate itself. For certificates signed by an intermediate CA, the file specified must contain the complete certificate chain (certificate bundle).
CAPattern | A regex pattern to locate a suitable Certificate Authority (CA) certificate in the Windows Certificate Store to verify the certificate presented by the remote host. The pattern must follow PCRE2 rules and match the following format: "SUBJECT=, CN=, DN=, SAN=" where DN is "CN=, O=, OU=, L=, ST=, C=".
CAThumbprint | The thumbprint of the Certificate Authority (CA) certificate used to verify the remote host's certificate. You can retrieve a certificate's thumbprint from Windows Certificate Manager (certmgr.msc).
You need to configure one of the following directives to specify the NXLog Agent certificate.
Directive(s) | Description
---|---
CertFile and CertKeyFile | CertFile is the path of the certificate file that will be presented to the remote host during TLS/SSL communication. CertKeyFile is the path of the private key file that was used to generate that certificate.
CertPattern | A regex pattern to locate the certificate in the Windows Certificate Store to present to the remote host during TLS/SSL communication. The pattern must follow PCRE2 rules and match the following format: "SUBJECT=, CN=, DN=, SAN=" where DN is "CN=, O=, OU=, L=, ST=, C=".
CertThumbprint | The thumbprint of the certificate that will be presented to the remote host during TLS/SSL communication. You can retrieve a certificate's thumbprint from Windows Certificate Manager (certmgr.msc). When using the thumbprint, the certificate's private key must be exportable. If you are using software crypto storage or a TPM module where the private key is non-exportable, you must enable the UseCNGCertificates directive.
See the TLS/SSL configuration how-to for examples.
Some NXLog Agent modules, such as im_http, prefix the directive names with the protocol. For example, HTTPSCAFile, HTTPSCertFile, and HTTPSCertKeyFile for the HTTPS protocol. NXLog recommends always checking the respective module documentation for the supported directives.
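The following configuration is an added example, not taken from the NXLog documentation, showing the two directive sets together in one relay agent: an im_ssl instance that enforces mutual authentication on incoming connections, and an om_ssl instance that forwards with one-way authentication. The file paths, host name, port and the combined ListenAddr/Host address:port syntax are assumptions.

```nxlog
# Added example (not from the NXLog docs). Paths, hosts and ports
# are placeholders; adjust them to your deployment.

# Receiving side, mutual authentication: this agent presents its own
# certificate (CertFile/CertKeyFile) and insists that every connecting
# client presents a certificate that chains to a CA in CAFile.
<Input ssl_in>
    Module          im_ssl
    ListenAddr      0.0.0.0:6514
    CAFile          /opt/nxlog/cert/ca-bundle.pem
    CertFile        /opt/nxlog/cert/relay-cert.pem
    CertKeyFile     /opt/nxlog/cert/relay-key.pem
    RequireCert     TRUE
    AllowUntrusted  FALSE
</Input>

# Forwarding side, one-way authentication: only a CA certificate is
# needed to verify the remote host. If the remote host uses a
# self-signed certificate, point CAFile at that certificate instead.
# If the remote certificate was issued by an intermediate CA, the file
# must contain the complete chain (root plus intermediates).
<Output ssl_out>
    Module          om_ssl
    Host            logserver.example.com:6514
    CAFile          /opt/nxlog/cert/ca-bundle.pem
    AllowUntrusted  FALSE
</Output>

# Pass everything received on the TLS listener to the TLS forwarder.
<Route relay>
    Path            ssl_in => ssl_out
</Route>
```

On Windows the file-based directives can be replaced by CAThumbprint/CertThumbprint or CAPattern/CertPattern as described in the tables above; keeping AllowUntrusted at FALSE is what makes the CA check meaningful.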
Certification Authority (CA) certificates
A certificate authority (CA) issues and signs certificates and subsequently verifies the associated trust relationships. NXLog Agent requires CA certificates to validate the identity of the servers it connects to.
A CA bundle contains root and intermediate certificates to verify server or client certificates during secure network communication.
Once you have your CA bundle, place it in the default root certificate directory of your OS, or configure the CAFile directive in NXLog Agent modules (such as im_ssl) to point NXLog Agent to the bundle file. This defines the path of the certificate authority (CA) certificate that NXLog Agent uses to check the certificate presented by the remote host during encrypted communication.
Linux-based operating systems come with a default CA bundle containing industry root certificates to facilitate secure communication. However, the CA certificate store location varies depending on the OS distribution and version. The table below lists some common locations:
OS | CA certificate store
---|---
Debian/Ubuntu |
RHEL/CentOS |
SLES |
AIX |
Solaris |
Windows operating systems store default root certificates in the Trusted Root Certification Authorities certificate store.
You can view the installed certificates from the Certificates MMC snap-in. Open Start > Run and type certlm.msc to view computer certificates or certmgr.msc to view user certificates.
NXLog Agent uses the default OS root certificate store to verify remote host certificates.
However, you can configure NXLog Agent module instances to use a custom CA bundle.
See the curl tool's CA certificates extracted from Mozilla for a CA bundle you can use.
Download the certificate bundle by executing the following command on Linux:
$ wget https://curl.se/ca/cacert.pem
Or use the following PowerShell command on Windows:
> wget https://curl.se/ca/cacert.pem -OutFile cacert.pem
TLS/SSL-enabled modules
The following input modules support receiving logs with TLS/SSL encryption:
The following output modules support forwarding logs with TLS/SSL encryption:
In addition, the Remote Management (xm_admin) module, used to manage NXLog Agent instances from NXLog Platform, typically uses TLS/SSL.