
How to Protect Syslog data!!!!

Hassan Thiam Posts: 8
edited November 18 in General Discussions

Hi

I'm in the process of setting up Cribl to send data from a syslog source (AWS-hosted Cisco FTDs) to Amazon S3.

Although the firewall rules are locked down to source and destination, I'm concerned about transmitting unprotected data over the Internet.

Can you please advise on the best way to protect the traffic?

Thanks


Comments

  • Jon Rust Posts: 458 mod

    S3 delivery is TLS encrypted.

  • Hassan Thiam Posts: 8

    Thank you. How about the syslog traffic from the source to Cribl?

  • Jon Rust Posts: 458 mod

    The Cribl syslog source has TLS available.

    • It's on by default in Cloud, on port 6514. (Port 9514 in Cloud is open text syslog. Don't do that!)
    • Alternatively, place a Worker in the same VPC as your hosted FTDs and deliver to that group, then relay to S3 from there.

  • Hassan Thiam Posts: 8

    Thank you for the clarification and suggestions. I will give it a try.

  • Hassan Thiam Posts: 8

    Good Morning,

    You mentioned that the Cribl source has TLS that is on by default. I should, however, configure certificates, though? If that's the case, what certificate(s) is being referred to?

    Sorry, I started using Cribl 2 weeks ago, so I'm still getting to grips with the tool.

    Thanks

  • Jon Rust Posts: 458 mod

    Cribl CLOUD has TLS-enabled syslog on port 6514 set up by default. It has certs based on your Cloud instance's name.

    If you are setting up Cribl on-prem/self-managed, you'll need to provide certs before you can enable TLS.

  • Hassan Thiam Posts: 8

    Got it. Just to clarify, in my scenario I have AWS-hosted Cisco Firewalls that need to send their syslog traffic to my Cribl Cloud instance. Do I need to import some certs on Cribl Cloud to ensure communication over TLS (6514)?

  • Jon Rust Posts: 458 mod

    No. The 6514 port is ready for TLS comms out of the box.

  • Hassan Thiam Posts: 8

    Thank you. Appreciate all your assistance.

  • Hassan Thiam Posts: 8

    Hi,

    I have managed to set up the destination on Cribl, which works fine. Cribl-generated data is able to successfully populate the S3 bucket I have created in AWS. However, I'm struggling to get the syslog data from the source devices (Cisco firewalls) to Cribl.

    This is the syslog configuration I have used, using TLS as I would not want to send unencrypted data over the internet.

    On the Cisco Firewalls:

    Syslog IP Address: Cribl (52.204.198.31)

    Protocol: TCP

    Port: 6514 (although the default port for Cisco Firewalls is 1470)

    Enabled secure syslog

    I have allowed traffic from source (Cisco firewall device) to destination (Cribl Cloud) on port 6514 via the outbound firewall.

    On Cribl

    Using the default "in_syslog_tls" as source

    Not sure what I'm missing here?

    Thanks in advance for any input
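
An added example, not part of the thread and not Cribl's or Cisco's code, that serves two points raised above: Jon Rust's advice to use the TLS listener on 6514 (and never the cleartext one on 9514), and the final post where a firewall configured for secure syslog is not delivering. It is a small client that does what the firewall is being asked to do: open a certificate-verified TLS session, send one RFC 5424 message with RFC 5425 octet-counting framing, and report what it saw. Run it from a host in the same VPC as the FTDs. The only facts taken from the thread are the two port numbers and that the Cloud certificate is issued for the instance name; the host name `cribl-instance.example.com`, the `probe-host`/`syslogprobe` strings and the test message are placeholders, and the offline demonstration at the bottom deliberately connects to a closed local port to show the failure classification.

```python
"""Client-side check of a syslog-over-TLS listener (added example, not Cribl's
or Cisco's code).  Port numbers come from the thread; everything else is a
placeholder.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

SYSLOG_TLS_PORT = 6514    # TLS listener discussed in the thread
SYSLOG_PLAIN_PORT = 9514  # cleartext listener; this script never sends there
SYSLOG_HOST = "cribl-instance.example.com"  # placeholder for the Cloud instance name


def build_rfc5424(msg: str, hostname: str = "probe-host", app: str = "syslogprobe",
                  timestamp: Optional[str] = None, pri: int = 14) -> bytes:
    """Minimal RFC 5424 message: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PRI 14 = facility user (1) * 8 + severity informational (6)."""
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - - - {msg}".encode("utf-8")


def frame_octet_counting(message: bytes) -> bytes:
    """RFC 5425 framing for syslog over TLS: MSG-LEN SP SYSLOG-MSG.  The length
    prefix lets the receiver delimit messages on a stream transport."""
    return f"{len(message)} ".encode("ascii") + message


def tls_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that refuses a server it cannot verify.  The default
    context loads the system trust store, requires a certificate and checks the
    hostname; cafile adds a private CA if the listener uses one."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host: str, port: int = SYSLOG_TLS_PORT, cafile: Optional[str] = None,
          timeout: float = 5.0, message: Optional[bytes] = None) -> dict:
    """Open a verified TLS session to host:port, send one framed test message and
    report what the client saw.  On failure, 'failure' separates the three things
    to check first: the network path, whether the port really speaks TLS, and
    whether this client trusts the server certificate."""
    ctx = tls_context(cafile)
    payload = frame_octet_counting(message or build_rfc5424("syslog TLS probe"))
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname must match the certificate.  The thread says the
            # Cloud certificate is issued for the instance name, so connect by
            # that name: a bare IP address only verifies if the cert has an IP SAN.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                tls.sendall(payload)
                return {
                    "ok": True,
                    "tls_version": tls.version(),
                    "cipher": tls.cipher()[0],
                    "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
                    "san": [value for _, value in cert.get("subjectAltName", ())],
                }
    except ssl.SSLCertVerificationError as exc:
        # Handshake reached the server, but this client does not trust its chain.
        return {"ok": False, "failure": "untrusted_certificate", "detail": str(exc)}
    except ssl.SSLError as exc:
        # TCP connected but no TLS handshake: wrong port (e.g. a cleartext
        # listener) or a protocol mismatch.
        return {"ok": False, "failure": "tls_handshake_failed", "detail": str(exc)}
    except OSError as exc:
        # Refused, timed out or unreachable: check routing, security groups and
        # the outbound firewall rule before anything TLS-related.
        return {"ok": False, "failure": "no_tcp_connection", "detail": str(exc)}


def unused_local_port() -> int:
    """Pick a local port nothing listens on, to demonstrate the refused case offline."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration: a closed port is classified as a network-path problem.
    print(probe("127.0.0.1", unused_local_port(), timeout=2))
    # Against the real listener, by instance name (placeholder):
    # print(probe(SYSLOG_HOST))
```

If `probe(SYSLOG_HOST)` returns `ok: True`, the path, the port and the certificate chain are all fine from that VPC and the remaining question is on the sending device's side; `untrusted_certificate` means the chain is not trusted by the client doing the sending, and `no_tcp_connection` points at the outbound rule or security group rather than at TLS.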