I'm primarily familiar with Splunk and don't have much experience with networking and SSL, so I need some guidance on setting this up. We have a public cloud service (Huawei SecMaster) that's sending logs to our Linux server inside our organization's network via TCP on port 1514. I've set up rsyslog on the Linux server to listen on port 1514 and log everything locally. Now, I want to enable SSL for this log transmission. The Huawei console has an option to ENABLE SSL, which prompts for SSL_CERT, SSL_KEY, and SSL_KEY_PASSPHRASE. I have all the necessary files on our Splunk server (ca.pem, server private key, and server certificate). My question is where to place these files on both rsyslog and Huawei? Should they be on both or just one of them? Also, should we be using TLS or MTLS? If TLS is the way to go, what steps should I follow?
4 Answers
You'd typically need to install the certificates on both the Huawei device and the rsyslog server. If you're only doing TLS, that's the simplest form of encryption. MTLS is more complex because it requires client-side certificates as well. From what I've read, rsyslog can work with certificates stored independently of the OS's cert directories, so you should be fine using your CA file on the rsyslog server to accept encrypted logs from Huawei.
Check out this tutorial for enabling TLS with rsyslog: https://www.rsyslog.com/doc/tutorials/tls.html. If your Huawei box is giving you issues with invalid SSL certificates, you'll need to configure it with the CA bundle that matches the certificate on rsyslog. That should help with any SSL handshake problems you might run into.
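As an added illustration of the plain-TLS versus mTLS choice discussed above (this is example configuration written for this thread, not taken from the rsyslog tutorial or from Huawei's documentation), here is what the receiving side looks like in rsyslog's RainerScript syntax. The file paths under /etc/rsyslog.d/tls/ and the ruleset/log-file names are assumptions; adjust them to wherever you copy ca.pem, the server certificate and the server private key on the Linux box. Only the CA file is needed on the Huawei side for plain TLS; the Huawei SSL_CERT/SSL_KEY fields matter only if you go to mTLS and the sender must present its own certificate.

```conf
# /etc/rsyslog.conf (added example, not from the thread)
# TLS-protected TCP listener on port 1514 using the GnuTLS driver ("gtls";
# "ossl" is the OpenSSL equivalent in newer rsyslog builds).

global(
  DefaultNetstreamDriver="gtls"
  # Assumed locations: the CA that signed the server cert, then the server's
  # own certificate and (unencrypted) private key. Keep the key readable only
  # by the user rsyslog runs as.
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/server-key.pem"
)

# --- Plain TLS: the server proves its identity, the client does not. ---
# Mode 1 means TLS only; a plaintext connection on 1514 is refused, which is
# the behaviour you want once the sender is switched to SSL.
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="anon")

# --- Mutual TLS variant (use INSTEAD of the module() block above). ---
# The sender must present a certificate issued by the CA in ca.pem whose
# subject/SAN name matches a PermittedPeer entry; anything else is dropped
# at the handshake. The peer name below is a placeholder.
# module(load="imtcp"
#        StreamDriver.Name="gtls"
#        StreamDriver.Mode="1"
#        StreamDriver.AuthMode="x509/name"
#        PermittedPeer=["secmaster-sender.example.invalid"])

input(type="imtcp" port="1514" ruleset="secmaster")

# Write the cloud logs to their own file so they are easy to forward to Splunk.
ruleset(name="secmaster") {
  action(type="omfile" file="/var/log/secmaster.log")
}
```

With the anon mode, the Huawei side only needs ca.pem (or the full CA bundle that chains to the rsyslog server certificate) so it can validate the listener; the SSL_KEY and SSL_KEY_PASSPHRASE fields are what the sender would use to present its own certificate under the x509/name variant. After reloading rsyslog, confirm the listener is actually negotiating TLS before switching the cloud side over, for example by connecting with a TLS client that trusts ca.pem and checking that the log file receives the test message.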
Having a private key indicates that the Huawei device is acting as the sender, not just the receiver. It's crucial to understand how certificates and keys work together. You might want to look at Huawei's documentation for configuring SSL log outputs: https://support.huawei.com/enterprise/en/doc/EDOC1100306159/625cb173/example-for-configuring-the-device-to-output-ssl-encrypted-logs-to-log-hosts.
What kind of SSL certificate do you have? Is it self-signed or issued by a publicly trusted CA? That's important because Huawei might reject a self-signed cert by default unless you explicitly configure it to trust the cert.

That’s interesting! I thought the private key was just for the receiver side.