# Configuring TLS on the AxoSyslog server

## Purpose:

Complete the following steps on the AxoSyslog server:

## Steps:

  1. Create an X.509 certificate for the AxoSyslog server.

Note: The `subject_alt_name` parameter (or the `Common Name` parameter if the `subject_alt_name` parameter is empty) of the server's certificate must contain the hostname or the IP address of the server exactly as the syslog-ng clients and relays resolve it (for example, `syslog-ng.example.com`).

Alternatively, the `Common Name` or the `subject_alt_name` parameter can contain a generic hostname, for example, `*.example.com`.

Note that if the `Common Name` of the certificate contains a generic hostname, do not specify a specific hostname or an IP address in the `subject_alt_name` parameter.

  2. Copy the certificate (for example, `syslog-ng.cert`) of the AxoSyslog server to the AxoSyslog server host, for example, into the `/opt/syslog-ng/etc/syslog-ng/cert.d` directory. The certificate must be a valid X.509 certificate in PEM format.

  3. Copy the private key (for example, `syslog-ng.key`) matching the certificate of the AxoSyslog server to the AxoSyslog server host, for example, into the `/opt/syslog-ng/etc/syslog-ng/key.d` directory. The key must be in PEM format. If you want to use a password-protected key, see [Password-protected keys](../../../docs/axosyslog-core/chapter-encrypted-transport-tls/tls-password-protected-keys/index.md).
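As an added example (this script is not part of the AxoSyslog documentation or project), the following POSIX shell functions carry out steps 1 to 3 with OpenSSL: they create a server key and a certificate whose `subjectAltName` carries the server hostname, confirm that the certificate really lists that hostname and that the private key belongs to the certificate, and then place the two files in the `cert.d`/`key.d` layout with the key readable only by its owner. The function names, the scratch directories, the hostname `syslog-ng.example.com` and the use of a self-signed certificate (a CA-issued one is used the same way) are assumptions of the example; OpenSSL 1.1.1 or later is assumed for `-addext` and `-ext`.

```shell
#!/bin/sh
# Added example, not AxoSyslog project code. Assumes OpenSSL >= 1.1.1 on PATH.
set -eu

# Generate a private key and a self-signed X.509 certificate for HOST in OUTDIR.
# The hostname is placed in subjectAltName (and, for older clients, in the CN),
# which is what the note in step 1 requires.
make_server_cert() {
    host=$1
    outdir=$2
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$outdir/syslog-ng.key" -out "$outdir/syslog-ng.cert" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Succeed only if the certificate's subjectAltName lists HOST as a DNS name.
cert_has_san() {
    cert=$1
    host=$2
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
        | grep -q "DNS:$host"
}

# Succeed only if the private key matches the public key inside the certificate
# (a mismatched pair is the classic reason a TLS source refuses to start).
key_matches_cert() {
    key=$1
    cert=$2
    k=$(openssl pkey -in "$key" -pubout -outform PEM 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Copy the pair into ETC/cert.d and ETC/key.d (steps 2 and 3). The certificate is
# public; the key must not be readable by other users on the server host.
install_server_cert() {
    srcdir=$1
    etc=$2
    install -d -m 755 "$etc/cert.d" "$etc/key.d"
    install -m 644 "$srcdir/syslog-ng.cert" "$etc/cert.d/syslog-ng.cert"
    install -m 600 "$srcdir/syslog-ng.key" "$etc/key.d/syslog-ng.key"
}

# Demonstration with constructed values in a scratch directory; on a real server
# ETC would be /opt/syslog-ng/etc/syslog-ng and HOST the name clients resolve.
WORK=$(mktemp -d)
make_server_cert syslog-ng.example.com "$WORK/gen"
cert_has_san "$WORK/gen/syslog-ng.cert" syslog-ng.example.com && echo "SAN contains the hostname"
key_matches_cert "$WORK/gen/syslog-ng.key" "$WORK/gen/syslog-ng.cert" && echo "key and certificate match"
install_server_cert "$WORK/gen" "$WORK/etc"
ls -l "$WORK/etc/key.d" "$WORK/etc/cert.d"
```

Run `cert_has_san` and `key_matches_cert` again whenever you renew the files: a renewed certificate with a stale key, or a certificate issued for a different name than the one clients connect to, fails the TLS handshake on every client at once.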

  4. Add a source statement to the `syslog-ng.conf` configuration file that uses the `tls( key-file(key_file_fullpathname) cert-file(cert_file_fullpathname) )` option and specify the key and certificate files. The source must use the source driver (`network()` or `syslog()`) matching the destination driver used by the AxoSyslog client.

## Example: A source statement using TLS

The following source receives TLS-encrypted log messages arriving at port `1999/TCP` on any interface of the AxoSyslog server.
```
source demo_tls_source {
    network(ip(0.0.0.0) port(1999)
        transport("tls")
        tls(
            key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
            cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert")
        )
    );
};
```

A similar source for receiving messages using the IETF-syslog protocol:
```
source demo_tls_syslog_source {
    syslog(ip(0.0.0.0) port(1999)
        transport("tls")
        tls(
            key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
            cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert")
        )
    );
};
```

  5. Disable mutual authentication for the source by setting the following TLS option in the source statement: `tls( peer-verify(optional-untrusted) )`. With this setting the server does not check the client's certificate, so any client that can reach the port can send messages.

If you want to authenticate the clients, you have to configure mutual authentication. For details, see [Mutual authentication using TLS](../../../docs/axosyslog-core/chapter-encrypted-transport-tls/tls-mutualauth/index.md).

For the details of the available `tls()` options, see [TLS options](../../../docs/axosyslog-core/chapter-encrypted-transport-tls/tlsoptions/index.md).

## Example: Disabling mutual authentication

The following source receives TLS-encrypted log messages arriving at port `1999/TCP` on any interface of the AxoSyslog server. The identity of the AxoSyslog client is not verified.
```
source demo_tls_source {
    network(
        ip(0.0.0.0) port(1999)
        transport("tls")
        tls(
            key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
            cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert")
            peer-verify(optional-untrusted)
        )
    );
};
```

A similar source for receiving messages using the IETF-syslog protocol:
```
source demo_tls_syslog_source {
    syslog(
        ip(0.0.0.0) port(1999)
        transport("tls")
        tls(
            key-file("/opt/syslog-ng/etc/syslog-ng/key.d/syslog-ng.key")
            cert-file("/opt/syslog-ng/etc/syslog-ng/cert.d/syslog-ng.cert")
            peer-verify(optional-untrusted)
        )
    );
};
```

Warning: Do not forget to update the certificate and key files when they expire.

Last modified July 2, 2023: [Change highlight mode of code examples (2f8a9593)](<https://github.com/axoflow/axosyslog-core-docs/commit/2f8a95937c6498193e7168ce8b0dc831e9f0f8ad>)