Configure TLS/SSL
Several NXLog Agent network modules support TLS/SSL encryption to prevent malicious actors from viewing or altering data in transit. See TLS/SSL log transfer for a more detailed look into TLS/SSL encryption. Below, we provide examples of forwarding logs with one-way and mutual authentication and receiving logs over a secure channel.
Send logs with one-way authentication
One-way authentication occurs when the remote host provides a certificate but does not require one from connecting clients. You’ll mostly use this type of authentication when sending logs to a hosted SIEM.
This configuration uses the om_http output module to send logs to a remote web server over HTTPS. The server supports one-way authentication, so the module only needs to verify the remote server’s certificate to establish a connection.
<Output siem>
    Module        om_http
    URL           https://api.example.com
    HTTPSCADir    /etc/ssl/certs (1)
</Output>
(1) The HTTPSCADir directive points to a folder containing a Certificate Authority (CA) certificate that can verify the remote server’s certificate. By default, the om_http module uses the OS root certificate store.
Send logs with mutual authentication
Mutual authentication is required when the remote host provides a certificate and expects one back from connecting clients. This type of authentication is common when sending logs to a server within your company network or another NXLog Agent instance.
This configuration uses the om_ssl output module to send logs to a remote server over TCP with TLS/SSL. The server requires mutual authentication, so the module must present a certificate during the TLS/SSL handshake.
<Output siem>
    Module         om_ssl
    Host           192.168.1.100:516
    CAFile         /etc/ssl/certs/rootCA.pem (1)
    CertFile       %CERTDIR%/client.pem (2)
    CertKeyFile    %CERTDIR%/client.key (3)
    KeyPass        password (4)
</Output>
(1) The CAFile directive specifies the path of the Certificate Authority (CA) certificate. NXLog Agent will use this certificate to verify the remote server’s certificate.
(2) The CertFile directive specifies the path of the local certificate to send during the TLS/SSL handshake; in this configuration, that is the client certificate.
(3) The CertKeyFile directive specifies the path of the private key for that certificate.
(4) If the private key is secured with a password, specify it in the KeyPass directive.
Receive logs over a secure channel
NXLog Agent supports TLS/SSL when receiving logs over the network. This enables you to implement secure log transfer when receiving logs from remote clients or using NXLog Agent as a relay.
This configuration uses the im_ssl input module to receive logs over a secure TCP channel. The module supports both mutual and one-way authentication.
<Input tcp_ssl>
    Module         im_ssl
    ListenAddr     0.0.0.0:1514
    RequireCert    TRUE (1)
    CAFile         /etc/ssl/certs/rootCA.pem (2)
    CertFile       %CERTDIR%/server.pem (3)
    CertKeyFile    %CERTDIR%/server.key (4)
    KeyPass        password (5)
</Input>
(1) The RequireCert directive specifies whether the remote client must present a certificate during the TLS/SSL handshake.
(2) If using mutual authentication, you must configure the CAFile or CADir directive to point to a CA certificate file or folder that can verify the remote client’s certificate.
(3) The CertFile directive specifies the path of the local server’s certificate to send during the TLS/SSL handshake.
(4) The CertKeyFile directive specifies the path of the server’s certificate private key.
(5) If the private key is secured with a password, specify it in the KeyPass directive.
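Before deploying the mutual authentication configurations above, it helps to confirm that the files behind CAFile, CertFile and CertKeyFile fit together. The shell function below is an added example, not part of the NXLog documentation. It requires the openssl command-line tool; the function name check_tls_material and the KEYPASS environment variable are assumptions, as is the premise that the CA file passed in is the one that issued the local certificate.

```shell
#!/bin/sh
# Added example: pre-flight check for the files named by CAFile, CertFile and
# CertKeyFile. check_tls_material and KEYPASS are names chosen for this sketch.
# Usage: check_tls_material CA_FILE CERT_FILE KEY_FILE
#   KEYPASS (environment, optional): passphrase of an encrypted private key.
# Returns 0 when every check passes, 1 otherwise.
check_tls_material() {
    ca=$1 cert=$2 key=$3 rc=0
    # Hand the passphrase to openssl through the environment, not the
    # command line, so it does not show up in the process list.
    export KEYPASS="${KEYPASS:-}"

    # 1. The certificate must chain to the CA and be within its validity period.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"; rc=1
    fi

    # 2. The private key must belong to the certificate: both must yield the
    #    same public key. An unreadable key or wrong passphrase also fails here.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin env:KEYPASS -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key of $cert"; rc=1
    fi

    # 3. The key file must not be accessible to group or others
    #    (characters 5-10 of the ls mode string are the group/other bits).
    if [ "$(ls -ld "$key" 2>/dev/null | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group or others"; rc=1
    fi

    # 4. Warn, without failing, when the certificate expires within 30 days
    #    (also printed when the certificate cannot be read at all).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "WARN: $cert expires within 30 days"
    fi
    return $rc
}

# When run as a script: sh check_tls.sh CA_FILE CERT_FILE KEY_FILE
if [ "$#" -eq 3 ]; then check_tls_material "$@"; fi
```

A non-zero return means the TLS/SSL handshake would fail or the private key is exposed, so the files should be fixed before the agent is restarted.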