TLS/SSL log transfer

Logs often include private or sensitive information. While those logs might be protected in their source and destination environments, you may need to transfer them over a network vulnerable to unauthorized access. NXLog Agent supports secure log transfer with TLS/SSL to prevent data in transit from being viewed or modified by a malicious actor.

TLS/SSL uses certificate-based authentication that can be one-way or mutual. In one-way authentication, NXLog Agent requires the remote host to send a valid certificate during the TLS/SSL handshake (the process that initiates a communication session). In mutual authentication, NXLog Agent sends its certificate during the TLS/SSL handshake and expects one from the remote host. When using mutual authentication, the remote host must be able to validate the certificate it receives from NXLog Agent.

NXLog Agent verifies the remote host’s certificate with a Certificate Authority (CA) certificate. By default, it tries to validate the certificate with a matching CA certificate from the OS root certificate store. Alternatively, you can provide a CA certificate or define a custom path for NXLog Agent to locate the CA certificate.

NXLog Agent TLS/SSL configuration

NXLog Agent requires the following certificates to use TLS/SSL:

One-way authentication:

  • Certificate Authority (CA) certificate.

Mutual authentication:

  • Certificate Authority (CA) certificate.

  • NXLog Agent certificate.

  • The private key that was used to generate the NXLog Agent certificate.
    We recommend using 2048-bit or larger keys for encryption.

Module directives

You need to configure one of the following directives to specify the Certificate Authority (CA) certificate.

Directive Description

CADir

The path to a directory containing Certificate Authority (CA) certificates. These certificates will be used to verify the remote host’s certificate.

If the remote host uses a self-signed certificate, you can add the remote host’s certificate to this directory.

CAFile

The path of the Certificate Authority (CA) certificate used to verify the remote host’s certificate.

If the remote host uses a self-signed certificate, you can specify the remote host’s certificate itself.

For certificates signed by an intermediate CA, the certificate specified must contain the complete certificate chain (certificate bundle).

CAPattern
(Windows only)

A regex pattern to locate a suitable Certificate Authority (CA) certificate from the Windows Certificate Store to verify the certificate presented by the remote host. The pattern must follow PCRE2 rules and match the following format:

"SUBJECT=, CN=, DN=, SAN=" where DN is "CN=, O=, OU=, L=, ST=, C="

CAThumbprint
(Windows only)

The thumbprint of the Certificate Authority (CA) certificate used to verify the remote host’s certificate. You can retrieve a certificate’s thumbprint from Windows Certificate Manager (certmgr.msc).

You need to configure one of the following directives to specify the NXLog Agent certificate.

Directive(s) Description

CertFile and CertKeyFile

CertFile is the path of the certificate file that will be presented to the remote client during TLS/SSL communication.

CertKeyFile is the path of the private key file that was used to generate the above certificate.

CertPattern
(Windows only)

A regex pattern to locate the certificate from the Windows Certificate Store to present to the remote host during TLS/SSL communication. The pattern must follow PCRE2 rules and match the following format:

"SUBJECT=, CN=, DN=, SAN=" where DN is "CN=, O=, OU=, L=, ST=, C="

CertThumbprint
(Windows only)

The thumbprint of the certificate that will be presented to the remote client during TLS/SSL communication. You can retrieve a certificate’s thumbprint from Windows Certificate Manager (certmgr.msc).

When using the thumbprint, the certificate’s private key must be exportable. If you’re using software crypto storage or a TPM module where the private key is non-exportable, you must enable the UseCNGCertificates directive.

See the TLS/SSL configuration how-to for examples.

Some NXLog Agent modules, such as im_http, prefix the directive names with the protocol. For example, HTTPSCAFile, HTTPSCertFile, and HTTPSCertKeyFile for the HTTPS protocol. NXLog recommends always checking the respective module documentation for the supported directives.
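As an added example (not taken from the NXLog documentation), the following configuration fragment shows how the directives above combine for one-way and mutual authentication, on Linux with certificate files and on Windows with the certificate store. The hostnames, ports, file paths and thumbprint placeholders are assumptions; replace them with your own values. The receiving side uses im_ssl with RequireCert, an existing im_ssl directive, so that connections without a valid client certificate are rejected.

```nxlog
# Added example, not NXLog's own documentation. All hosts, ports and paths
# below are assumptions.

# 1. One-way authentication: the agent validates the collector's certificate
#    against a CA bundle but presents no certificate of its own.
<Output out_oneway>
    Module    om_ssl
    Host      collector.example.com
    Port      6514
    CAFile    /opt/nxlog/cert/ca-bundle.pem
</Output>

# 2. Mutual authentication: in addition to CAFile, the agent presents its own
#    certificate and the private key that belongs to it (2048-bit or larger).
#    The collector must be able to validate this certificate with its own CA.
<Output out_mutual>
    Module       om_ssl
    Host         collector.example.com
    Port         6514
    CAFile       /opt/nxlog/cert/ca-bundle.pem
    CertFile     /opt/nxlog/cert/agent-cert.pem
    CertKeyFile  /opt/nxlog/cert/agent-key.pem
</Output>

# 3. Windows: the same mutual setup, with both certificates located in the
#    Windows Certificate Store by thumbprint. CertThumbprint requires an
#    exportable private key unless UseCNGCertificates is enabled (software
#    crypto storage or a TPM with a non-exportable key).
<Output out_windows>
    Module              om_ssl
    Host                collector.example.com
    Port                6514
    CAThumbprint        <CA certificate thumbprint from certmgr.msc>
    CertThumbprint      <agent certificate thumbprint from certmgr.msc>
    UseCNGCertificates  TRUE
</Output>

# 4. Receiving side: im_ssl validates each connecting agent's certificate
#    against CAFile and refuses connections that present no certificate.
<Input in_ssl>
    Module       im_ssl
    ListenAddr   0.0.0.0:6514
    CAFile       /opt/nxlog/cert/ca-bundle.pem
    CertFile     /opt/nxlog/cert/server-cert.pem
    CertKeyFile  /opt/nxlog/cert/server-key.pem
    RequireCert  TRUE
</Input>
```

Only one of the CA directives (CAFile, CADir, CAPattern or CAThumbprint) and one of the certificate directives (CertFile with CertKeyFile, CertPattern or CertThumbprint) is needed per module instance; the fragment above shows the file-based and thumbprint-based variants side by side so the two can be compared.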

Certificate Authority (CA) certificates

A certificate authority (CA) issues and signs certificates and subsequently verifies the associated trust relationships. NXLog Agent requires CA certificates to validate the identity of the servers it connects to.

A CA bundle contains root and intermediate certificates to verify server or client certificates during secure network communication.

Once you have your CA bundle, place it in the default root certificate directory of your OS or configure the CAFile directive in NXLog Agent modules (such as im_ssl) to point NXLog Agent to the files in the bundle. This defines the path of the certificate authority (CA) certificate that NXLog Agent will use to check the certificate of incoming encrypted communication.

Linux-based operating systems come with a default CA bundle containing industry root certificates to facilitate secure communication. However, the CA certificate store location varies depending on the OS distribution and version. The table below lists some common locations:

OS              CA certificate store

Debian/Ubuntu   /etc/ssl/certs

RHEL/CentOS     /etc/pki/ca-trust

SLES            /usr/share/pki/trust/anchors

AIX             /var/ssl/certs

Solaris         /etc/openssl/certs

Windows operating systems store default root certificates in the Trusted Root Certification Authorities certificate store. You can view the installed certificates from the Certificates MMC snap-in. Open Start > Run and type certlm.msc to view computer certificates or certmgr.msc to view user certificates.

NXLog Agent uses the default OS root certificate store to verify remote host certificates. However, you can configure NXLog Agent module instances to use a custom CA bundle. The curl tool’s CA certificates extracted from Mozilla are one CA bundle you can use.

Download the certificate bundle by executing the following command on Linux:

$ wget https://curl.se/ca/cacert.pem

Or use the following PowerShell command on Windows:

> wget https://curl.se/ca/cacert.pem -OutFile cacert.pem