TLS/SSL log transfer

Logs often include private or sensitive information. While those logs might be protected in their source and destination environments, you may need to transfer them over a network vulnerable to unauthorized access. NXLog Agent supports secure log transfer with TLS/SSL to prevent data in transit from being viewed or modified by a malicious actor.

TLS/SSL uses certificate-based authentication that can be one-way or mutual. In one-way authentication, NXLog Agent requires the remote host to send a valid certificate during the TLS/SSL handshake (the process that initiates a communication session). In mutual authentication, NXLog Agent sends its certificate during the TLS/SSL handshake and expects one from the remote host. When using mutual authentication, the remote host must be able to validate the certificate it receives from NXLog Agent.

NXLog Agent verifies the remote host’s certificate with a Certificate Authority (CA) certificate. By default, it tries to validate the certificate with a matching CA certificate from the OS root certificate store. Alternatively, you can provide a CA certificate or define a custom path for NXLog Agent to locate the CA certificate.

NXLog Agent TLS/SSL configuration

NXLog Agent requires the following certificates to use TLS/SSL:

One-way authentication:

  • Certificate Authority (CA) certificate.

Mutual authentication:

  • Certificate Authority (CA) certificate.

  • NXLog Agent certificate.

  • The private key that was used to generate the NXLog Agent certificate.

    We recommend using 2048-bit or larger keys for encryption.

Module directives

You need to configure the following module directives to set up a TLS/SSL connection:

CAFile

Certificate authority (CA) certificate used to verify the certificate presented by the remote client. A remote client’s self-signed certificate (which is not signed by a CA) can be trusted by specifying the remote client certificate itself. For certificates signed by an intermediate CA, the certificate specified must contain the complete certificate chain (certificate bundle).

CertFile

Certificate file that will be presented to the remote client during SSL communication.

CertKeyFile

Private key file that was used to generate the certificate specified in the CertFile directive, which is presented to the remote client during the SSL handshake.

Some NXLog Agent modules, such as im_http, prefix the directive names with strings such as the protocol name. For example, HTTPSCAFile, HTTPSCertFile, and HTTPSCertKeyFile for the HTTPS protocol. NXLog recommends always checking the respective module documentation for the supported directives.

See the TLS/SSL configuration how-to for additional information and examples.
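
The directives above applied to an om_ssl output, as an added example that is not taken from the NXLog documentation: the first instance uses one-way authentication and the second uses mutual authentication. The host name, port, instance names, and file paths are assumptions.

```conf
# Added example; host, port, instance names and paths are assumptions.

# One-way authentication: NXLog Agent validates the server certificate only.
<Output to_collector_oneway>
    Module          om_ssl
    Host            logs.example.com:6514
    # CA bundle used to validate the certificate presented by the server.
    # Leave CAFile out to validate against the OS root certificate store.
    CAFile          /opt/nxlog/cert/ca-bundle.pem
    # FALSE is the default: a certificate that fails validation ends the
    # connection instead of being accepted.
    AllowUntrusted  FALSE
</Output>

# Mutual authentication: NXLog Agent also presents its own certificate,
# which the server must be able to validate against a CA it trusts.
<Output to_collector_mutual>
    Module          om_ssl
    Host            logs.example.com:6514
    CAFile          /opt/nxlog/cert/ca-bundle.pem
    # Certificate sent to the server during the handshake.
    CertFile        /opt/nxlog/cert/agent-cert.pem
    # Private key matching CertFile; restrict read access to the account
    # NXLog Agent runs as.
    CertKeyFile     /opt/nxlog/cert/agent-key.pem
    AllowUntrusted  FALSE
</Output>
```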

Certification Authority (CA) certificates

A certificate authority (CA) issues and signs certificates and subsequently verifies the associated trust relationships. NXLog Agent requires CA certificates to validate the identity of the servers it connects to.

A CA bundle contains root and intermediate certificates to verify server or client certificates during secure network communication.

Once you have your CA bundle, place it in the default root certificate directory of your OS or configure the CAFile directive in NXLog Agent modules (such as im_ssl) to point NXLog Agent to the files in the bundle. This defines the path of the certificate authority (CA) certificate that NXLog Agent will use to check the certificate of incoming encrypted communication.

Linux-based operating systems come with a default CA bundle containing industry root certificates to facilitate secure communication. However, the CA certificate store location varies depending on the OS distribution and version. The table below lists some common locations:

OS               CA certificate store
Debian/Ubuntu    /etc/ssl/certs
RHEL/CentOS      /etc/pki/ca-trust
SLES             /usr/share/pki/trust/anchors
AIX              /var/ssl/certs
Solaris          /etc/openssl/certs

Windows operating systems store default root certificates in the Trusted Root Certification Authorities certificate store. You can view the installed certificates from the Certificates MMC snap-in. Open Start > Run and type certlm.msc to view computer certificates or certmgr.msc to view user certificates.

NXLog Agent uses the default OS root certificate store to verify remote host certificates. However, you can configure NXLog Agent module instances to use a custom CA bundle. See the curl tool CA certificates extracted from Mozilla for a CA bundle you can use.

Download the certificate bundle by executing the following command on Linux:

$ wget https://curl.se/ca/cacert.pem

Or use the following PowerShell command on Windows:

> Invoke-WebRequest https://curl.se/ca/cacert.pem -OutFile cacert.pem