TLS configuration on Syslog connections for SecOps Collection agent

Simone Bruzzechesse
Google Cloud - Community
5 min read · Aug 30, 2024

This article serves as a hands-on guide, walking you through the essential configurations required to enable TLS on the new SecOps Collection agent (aka BindPlane OTEL Agent) communication with the SecOps Forwarder. We’ll delve into the intricacies of setting up certificates, configuring the agent and the SecOps forwarder, and verifying the successful implementation of TLS-protected log forwarding. By the end, you’ll be equipped to fortify your log transmission pipeline against prying eyes and potential data breaches.

The configurations presented in this article refer to the following SecOps log collection architecture from the official documentation. In this design one or more instances of the agent run on Windows servers, each forwarding logs to a centralized SecOps Forwarder, which in turn sends the data to the SecOps SIEM instance.

SecOps Windows event collection architecture

Overview

At its core, the SecOps collection agent communicates with the forwarder using the Syslog protocol. While Syslog is efficient for log transmission, its default configuration sends data in plain text, potentially exposing sensitive information during transit. To mitigate this risk, we can leverage TLS (Transport Layer Security) to encrypt Syslog traffic, guaranteeing both confidentiality and integrity.

In the following sections, we will provide you with step-by-step instructions on configuring both the SecOps Collection agent and the SecOps Forwarder to utilize TLS when exchanging data via the Syslog protocol. This enhanced security measure ensures that your valuable log data remains protected from unauthorized access and tampering.

Self-signed certificates generation (optional)

This demonstration setup utilizes self-signed certificates solely for illustrative purposes. Kindly disregard this section if your organization possesses certificates endorsed by a trustworthy certificate authority or follows a standardized procedure for acquiring Transport Layer Security (TLS) certificates.

Generate the Self-Signed CA certificate

# Generate the CA private key
openssl genrsa -out ca.key 2048
# Generate the CA certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt

During the openssl req command, you will be prompted to enter information about your organization and department.

Generate the Server Certificate

# Generate the server private key
openssl genrsa -out server.key 2048
# Generate a certificate signing request (CSR)
openssl req -new -key server.key -out server.csr
# Sign the CSR with the CA to create the server certificate.
# Note: -subj on "openssl x509" needs OpenSSL 3.0 or later; on older releases
# pass -subj to the "openssl req -new" command above instead.
# The <(...) process substitution requires bash (not plain sh).
# Use DNS:FORWARDER_HOSTNAME in subjectAltName when the agent dials a
# hostname instead of an IP address.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out server.crt -days 365 -sha256 -subj "/CN=FORWARDER_IP" \
-extfile <(printf "subjectAltName=IP:FORWARDER_IP")

Replace FORWARDER_IP with the hostname or IP address the agent will use to reach the forwarder. The agent validates the server certificate against that value, so it must match for the TLS handshake to succeed.

SecOps Forwarder config

The following instructions pertain to the SecOps forwarder operating on a Linux system. An analogous configuration applies to the Windows forwarder, albeit with adjustments to the configuration and certificate paths.

Upload the server certificate and its private key to the host running the forwarder and place them in a new folder under /opt/chronicle/config (in this example the folder is named tls). The docker run command below mounts /opt/chronicle/config into the container as /opt/chronicle/external, which is why the paths in the configuration use the /opt/chronicle/external prefix. Update the SecOps forwarder configuration file with the following collector configuration:

collectors:
  - syslog:
      common:
        enabled: true
        data_type: WINEVTLOG
        batch_n_seconds: 10
        batch_n_bytes: 1048576
      tcp_address: 0.0.0.0:10518
      tcp_buffer_size: 65536
      connection_timeout_sec: 60
      certificate: "/opt/chronicle/external/tls/server.crt"
      certificate_key: "/opt/chronicle/external/tls/server.key"

Please find more instructions on how to set up authentication to the SecOps SIEM instance in the official documentation page.

Replace certificate and certificate_key with the paths to the server certificate and private key respectively (as seen from inside the container), then restart the forwarder with the following command.

# If a container named cfps already exists, stop and remove it first
# (docker stop cfps && docker rm cfps); docker run cannot reuse the name.
# The -v flag mounts /opt/chronicle/config on the host as
# /opt/chronicle/external inside the container.
docker run --detach --name cfps --restart=always --log-opt max-size=100m \
--log-opt max-file=10 --net=host \
-v /opt/chronicle/config:/opt/chronicle/external \
gcr.io/chronicle-container/cf_production_stable

Double check the forwarder logs with this command:

docker logs cfps

and check that the following log lines are present:

SecOps Forwarder listening for TCP connection using TLS logs

showing that the forwarder is accepting incoming TCP syslog connections over TLS.

SecOps Collection agent config

To establish the appropriate configuration for the SecOps collection agent, it may be necessary to upload the self-signed certificate authority (CA) certificate file to the Windows server hosting the agent. This step is only required if the server certificate is signed with a custom CA that is not included in the Windows server’s trusted CAs.

Then configure the SecOps collection agent exporter configuration according to the following code snippet:

exporters:
  chronicleforwarder/forwarder:
    export_type: syslog
    raw_log_field: body
    syslog:
      endpoint: FORWARDER_IP:10518
      transport: tcp
      tls:
        insecure: false
        min_version: "1.3"
        ca_file: 'C:\tls\ca.crt' # OPTIONAL CA self signed cert

Remember to replace FORWARDER_IP with the IP address of the SecOps forwarder and, if needed, update the port to match the collector configuration. The ca_file option is not required if the server certificate is trusted by one of the CAs installed on the Windows machine; otherwise set it to the path of the CA certificate file uploaded earlier.

For more details on the TLS options of the SecOps collection agent, please refer to the OpenTelemetry Agent documentation available at this link.

After implementing the TLS configuration, we used Wireshark to capture network traffic between the Collection Agent and the SecOps Forwarder. The screenshot below demonstrates that the data is now encrypted, ensuring confidentiality and integrity.

Wireshark showing encrypted data in traffic from Collection Agent to SecOps Forwarder

Summary

In this article, we explored the critical importance of TLS configuration for the new SecOps collection agent to protect sensitive security data during transmission. We walked through the step-by-step process of generating certificates, installing them on the SecOps Forwarder, and forcing the Collection Agent to use TLS when transmitting data over syslog.

By following these guidelines, organizations can enhance their security posture and protect their valuable security event information while ingesting data into the SecOps SIEM.
