syslog

The syslog destination forwards your security data in an RFC-3164 or RFC-5424 compliant syslog format, using the UDP, TCP, or TLS-encrypted TCP protocols.

Prerequisites

If you want to enable TLS encryption for this connector to encrypt the communication with the sources, you’ll need to set appropriate keys and certificates.

CAUTION:

Copy the keys and certificates to AxoRouter before starting to configure the connector. Otherwise, you won’t be able to make configuration changes that require reloading the AxoRouter service, including starting log tapping or flow tapping.

Note the following points:

  • Keys and certificates must be in PEM format.

  • If the file contains a certificate chain, the file must begin with the certificate of the host, followed by the CA certificate that signed the certificate of the host, and any other signing CAs in order.

  • You must manually copy these files to their place on the AxoRouter host, currently you can’t distribute them from Axoflow Console.

    The files must be readable by the axorouter service.

  • The recommended path for certificates is under /etc/axorouter/user-config/ (for example, /etc/axorouter/user-config/tls-key.pem). (If you need to use a different path, you have to append an option like -v /your/path:/your/path to the AXOROUTER_PODMAN_ARGS variable of /etc/axorouter/container.env.)

  • When referring to the key or certificate during when configuring the connector, use absolute paths (for example, /etc/axorouter/user-config/tls-key.pem).

Steps

  1. Create a new destination.

    1. Open the Axoflow Console.
    2. Select Topology.
    3. Select + > Destination.

  2. Configure the destination.

    1. Select Syslog.

    2. Select the template to use one of the standard syslog ports and transport protocols—for example, UDP port 514, which is commonly used for the RFC3164 syslog protocol.

      To configure a different port, or to specify the protocol elements manually, select Custom.

      Select syslog destination template

    3. Enter a name for the destination.

      Configure the syslog destination

    4. (Optional): Add custom labels to the destination.

    5. Select the protocol to use for receiving syslog data: TCP, UDP, or TLS.

      Syslog destination settings

    6. Select the syslog format to use: BSD (RFC3164) or Syslog (RFC5424).

    7. (Optional) If explicitly needed for your use case, you can configure *Framing manually when using the Syslog (RFC5424) format. Enable framing (On) if the payload contains the length of the message as specified in RFC6587 3.4.1. Disable (Off) for non-transparent-framing RFC6587 3.4.2.

    8. If you’ve selected Protocol > TLS, set the TLS-related options.

      When using TLS, set the paths for the certificates and keys used for the TLS-encrypted communication with the clients. For details, see Prerequisites.

      • Client certificate path: The certificate that AxoRouter shows to the destination server.
      • Client private key path: The private key of the client certificate.
      • CA certificate path: The CA certificate that AxoRouter uses to verify the certificate of the destination if Verify peer certificate is enabled.

    9. Set the Address and the Port of the destination. Usually:

      • 514 TCP and UDP for RFC3164 (BSD-syslog) formatted traffic.
      • 601 TCP for RFC5424 (IETF-syslog) formatted traffic.
      • 6514 TCP for TLS-encrypted syslog traffic.

    10. Select Create.

  3. Create a flow to connect the new destination to an AxoRouter instance.

    1. Select Flows.

    2. Select Create New Flow.

    3. Enter a name for the flow, for example, my-test-flow.

      Create a flow

    4. In the Router Selector field, enter an expression that matches the router(s) you want to apply the flow. To select a specific router, use a name selector, for example, name = my-axorouter-hostname.

    5. Select the Destination where you want to send your data. If you don’t have any destination configured, see Destinations.

      By default, you can select only external destinations. If you want to send data to another AxoRouter, enable the Show all destinations option, and select the connector of the AxoRouter where you want to send the data.

      AxoRouter as destination

    6. (Optional) To process the data transferred in the flow, select Add New Processing Step. For details, see Processing steps. For example:

      1. Add a Reduce step to automatically remove redundant and empty fields from your data.
      2. To select which messages are processed by the flow, add a Select Messages step, and enter a filter into the Query field. For example, to select only the messages received from Fortinet FortiGate firewalls, use the meta.vendor = fortinet + meta.product = fortigate query.
      3. Save the processing steps.

      Example processing steps

    7. Select Create.

    8. The new flow appears in the Flows list.

      The new flow

Protocol-specific destination options

If needed, select More options to set the following:

  • TCP Keepalive Time Interval: The interval (number of seconds) between subsequential keepalive probes, regardless of the traffic exchanged in the connection.
  • TCP Keepalive Probes: The number of unacknowledged probes to send before considering the connection dead.
  • TCP Keepalive Time: The interval (in seconds) between the last data packet sent and the first keepalive probe.