Configure TLS/SSL

Several NXLog Agent network modules support TLS/SSL encryption to prevent malicious actors from viewing or altering data in transit. See TLS/SSL log transfer for a more detailed look into TLS/SSL encryption. Below, we provide examples of forwarding logs with one-way and mutual authentication and receiving logs over a secure channel.

Send logs with one-way authentication

One-way authentication occurs when the remote host provides a certificate but does not require one from connecting clients. You’ll mostly use this type of authentication when sending logs to a hosted SIEM.

Example 1. Forwarding logs over HTTPS with one-way authentication

This configuration uses the om_http output module to send logs to a remote web server over HTTPS. The server supports one-way authentication, so the module only needs to verify the remote server’s certificate to establish a connection.

nxlog.conf
<Output siem>
    Module        om_http
    URL           https://api.example.com
    HTTPSCADir    /etc/ssl/certs (1)
</Output>
1 The HTTPSCADir directive points to a folder containing a Certificate Authority (CA) certificate that can verify the remote server’s certificate. By default, the om_http module uses the OS root certificate store.

Send logs with mutual authentication

Mutual authentication is required when the remote host provides a certificate and expects one back from connecting clients. This type of authentication is common when sending logs to a server within your company network or another NXLog Agent instance.

Example 2. Forwarding logs over TCP with mutual authentication

This configuration uses the om_ssl output module to send logs to a remote server over TCP with TLS/SSL. The server requires mutual authentication, so the module must present a certificate during the TLS/SSL handshake.

nxlog.conf
<Output siem>
    Module         om_ssl
    Host           192.168.1.100:516
    CAFile         /etc/ssl/certs/rootCA.pem (1)
    CertFile       %CERTDIR%/client.pem (2)
    CertKeyFile    %CERTDIR%/client.key (3)
    KeyPass        password (4)
</Output>
1 The CAFile directive specifies the path of the Certificate Authority (CA) certificate. NXLog Agent will use this certificate to verify the remote server’s certificate.
2 The CertFile directive specifies the path of the local host's certificate, which this NXLog Agent instance presents as the client during the TLS/SSL handshake.
3 The CertKeyFile directive specifies the path of the private key for that certificate.
4 If the private key is secured with a password, specify it in the KeyPass directive.

Receive logs over a secure channel

NXLog Agent supports TLS/SSL when receiving logs over the network. This enables you to implement secure log transfer when receiving logs from remote clients or using NXLog Agent as a relay.

Example 3. Receiving logs over TCP with TLS/SSL

This configuration uses the im_ssl input module to receive logs over a secure TCP channel. The module supports both mutual and one-way authentication.

nxlog.conf
<Input tcp_ssl>
    Module         im_ssl
    ListenAddr     0.0.0.0:1514
    RequireCert    TRUE (1)
    CAFile         /etc/ssl/certs/rootCA.pem (2)
    CertFile       %CERTDIR%/server.pem (3)
    CertKeyFile    %CERTDIR%/server.key (4)
    KeyPass        password (5)
</Input>
1 The RequireCert directive specifies whether the remote client must present a certificate during TLS/SSL handshake.
2 If using mutual authentication, you must configure the CAFile or CADir directive to point to a CA certificate file or folder that can verify the remote client's certificate.
3 The CertFile directive specifies the path of the local server’s certificate to send during the TLS/SSL handshake.
4 The CertKeyFile directive specifies the path of the server’s certificate private key.
5 If the private key is secured with a password, specify it in the KeyPass directive.
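
A pre-deployment check for the im_ssl and om_ssl blocks in Examples 2 and 3, added here as an illustration and not part of NXLog Agent or its documentation. The function names, the three rules and the sample configuration are assumptions of this example; the parser also strips the numbered callout markers that the listings on this page carry.

```python
import re

# Constructed sample: Example 3's input block with the CA directive left out,
# plus an om_ssl output that sets CertFile without CertKeyFile.
SAMPLE = """\
<Input tcp_ssl>
    Module         im_ssl
    ListenAddr     0.0.0.0:1514
    RequireCert    TRUE (1)
    CertFile       %CERTDIR%/server.pem (3)
    CertKeyFile    %CERTDIR%/server.key (4)
</Input>
<Output siem>
    Module         om_ssl
    Host           192.168.1.100:516
    CAFile         /etc/ssl/certs/rootCA.pem
    CertFile       %CERTDIR%/client.pem
    KeyPass        password
</Output>
"""

BLOCK = re.compile(r"<(Input|Output)\s+([^>\s]+)>(.*?)</\1>", re.S | re.I)
CALLOUT = re.compile(r"\s+\(\d+\)\s*$")  # documentation markers such as "(1)"

def parse_blocks(text):
    """Yield (kind, instance name, directives) with directive names lower-cased."""
    for kind, name, body in BLOCK.findall(text):
        directives = {}
        for line in body.splitlines():
            parts = CALLOUT.sub("", line).split(None, 1)
            if parts and not parts[0].startswith("#"):
                directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        yield kind, name, directives

def check_tls(text):
    """Return (instance, finding) pairs for im_ssl and om_ssl instances."""
    findings = []
    for _kind, name, d in parse_blocks(text):
        module = d.get("module", "").lower()
        if module not in ("im_ssl", "om_ssl"):
            continue
        if ("certfile" in d) != ("certkeyfile" in d):
            findings.append((name, "CertFile and CertKeyFile must be set together"))
        needs_ca = module == "im_ssl" and d.get("requirecert", "").upper() == "TRUE"
        if needs_ca and not ({"cafile", "cadir"} & d.keys()):
            findings.append((name, "RequireCert TRUE without CAFile or CADir"))
        if "keypass" in d:
            findings.append((name, "KeyPass is stored in plain text; restrict file access"))
    return findings
```

Calling `check_tls(SAMPLE)` reports the missing CA directive on `tcp_ssl` and both the unpaired CertFile and the inline KeyPass on `siem`.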