TLS Syslog protocol configuration options
Configure a TLS Syslog protocol log source to receive encrypted syslog events from network devices that support TLS Syslog event forwarding for each listener port.
The TLS Syslog protocol is a passive inbound protocol. The log source creates a listen port for incoming TLS Syslog events. By default, TLS Syslog log sources use the certificate and key that is generated by IBM® QRadar®. If you create more log sources with unique listen ports, you can configure up to 1000 network appliances.
The following table describes the protocol-specific parameters for the TLS Syslog protocol:
Parameter | Description |
---|---|
Protocol Configuration | TLS Syslog |
Log Source Identifier | An IP address or hostname to identify the log source. |
TLS Listen Port | The default TLS listen port is 6514. Important: You can assign only one TLS Syslog log source to each TLS listen port. |
Authentication Mode | The mode your TLS connection uses to authenticate. If you select the TLS and Client Authentication option, you must configure the certificate parameters. |
Client Certificate Authentication | Select one of the following options from the list: |
Use CN Allowlist | Enable this parameter to use a CN allowlist. |
CN Allowlist | The allowlist of trusted client certificate common names. You can enter plain text or a regular expression (regex). To define multiple entries, enter each one on a separate line. |
Use Issuer Verification | Enable this parameter to use issuer verification. |
Root/Intermediate Issuer's Certificate or Public key | Enter the Root/Intermediate issuer's certificate or public key in PEM format. |
Check Certificate Revocation | Checks the revocation status of the client certificate. This option requires network connectivity to the URL that is specified in the CRL Distribution Points field of the client certificate's X509v3 extensions. |
Check Certificate Usage | Checks the contents of the X509v3 Key Usage and Extended Key Usage extension fields of the certificate. For an incoming client certificate, the allowed X509v3 Key Usage values are digitalSignature and keyAgreement. The allowed X509v3 Extended Key Usage value is TLS Web Client Authentication. This property is disabled by default. |
Client Certificate Path | The absolute path to the client certificate on disk. The certificate must be stored on the QRadar Console or Event Collector for this log source. Important: Ensure that the certificate file that you enter begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. |
Server Certificate Type | The type of certificate to use for authentication for the server certificate and server key. Select one of the following options from the Server Certificate Type list: |
Generated Certificate | This option is available when you configure the Certificate Type. If you want to use the default certificate and key that is generated by QRadar for the server certificate and server key, select this option. The generated certificate is named syslog-tls.cert in the /opt/qradar/conf/trusted_certificates/ directory on the target Event Collector that the log source is assigned to. |
Single Certificate and Private Key | This option is available when you configure the Certificate Type. If you want to use a single PEM certificate for the server certificate, select this option and then configure the following parameters: |
PKCS12 Certificate and Password | This option is available when you configure the Certificate Type. If you want to use a PKCS12 file that contains the server certificate and server key, select this option and then configure the following parameters: |
Choose from QRadar Certificate Store | This option is available when you configure the Certificate Type. You can use the Certificate Management app to upload a certificate from the QRadar Certificate Store. |
Max Payload Length | The maximum payload length (characters) that is displayed for TLS Syslog message. |
Maximum Connections | Controls how many simultaneous connections the TLS Syslog protocol accepts for each Event Collector. Each Event Collector has a limit of 1000 connections across all TLS Syslog log sources that are assigned to it, whether enabled or disabled. The default is 50 connections for each log source; it is not a limit for each port. Tip: Automatically discovered log sources share a listener with another log source. For example, if you use the same port on the same Event Collector, it counts only one time toward the limit. |
TLS Protocols | The TLS Protocol to be used by the log source. Select the "TLS 1.2 or later" option. |
Use As A Gateway Log Source | Sends collected events through the QRadar Traffic Analysis Engine to automatically detect the appropriate log source. If you do not want to define a custom log source identifier for events, clear the checkbox. When this option is not selected and Log Source Identifier Pattern is not configured, QRadar receives events as unknown generic log sources. |
Use Predictive Parsing | If you enable this parameter, an algorithm extracts log source identifier patterns from events without running the regex for every event, which increases the parsing speed. Tip: In rare circumstances, the algorithm can make incorrect predictions. Enable predictive parsing only for log source types that you expect to receive high event rates and that require faster parsing. |
Log Source Identifier Pattern | Use the Use As A Gateway Log Source option to define a custom log source identifier for events that are being processed and for log sources to be automatically discovered when applicable. If you don't configure the Log Source Identifier Pattern, QRadar receives events as unknown generic log sources. Use key-value pairs to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key. Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier is displayed. The following examples show multiple key-value pair functions. |
Enable Multiline | Aggregate multiple messages into single events based on a Start/End Matching or an ID-Linked regular expression. |
Aggregation Method | This parameter is available when Enable Multiline is turned on. |
Event Start Pattern | This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching. The regular expression (regex) is required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or timestamp. The protocol can create a single-line event that is based solely on an event start pattern, such as a timestamp. When only a start pattern is available, the protocol captures all the information between each start value to create a valid event. |
Event End Pattern | This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching. This regular expression (regex) is required to identify the end of a TCP multiline event payload. If the syslog event ends with the same value, you can use a regular expression to determine the end of an event. The protocol can capture events that are based solely on an event end pattern. When only an end pattern is available, the protocol captures all the information between each end value to create a valid event. |
Message ID Pattern | This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked. This regular expression (regex) is required to filter the event payload messages. The TCP multiline event messages must contain a common identifying value that repeats on each line of the event message. |
Time Limit | This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked. The number of seconds to wait for more matching payloads before the event is pushed into the event pipeline. The default is 10 seconds. |
Retain Entire Lines during Event Aggregation | This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked. If you set the Aggregation Method parameter to ID-Linked, you can enable Retain Entire Lines during Event Aggregation to keep or discard the part of each line that precedes the Message ID Pattern. You can enable this function only when concatenating events with the same ID pattern together. |
Flatten Multiline Events Into Single Line | This parameter is available when Enable Multiline is turned on. Shows an event in one single line or in multiple lines. |
Event Formatter | This parameter is available when Enable Multiline is turned on. Use the Windows Multiline option for multiline events that are formatted specifically for Windows. |
After the log source is saved, a syslog-tls certificate is created for the log source. The certificate must be copied to any device on your network that is configured to forward encrypted syslog. Other network devices that have a syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS Syslog log source.
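The forwarding side of that arrangement, as an added example that is not code from QRadar or any device vendor: a small Python client that trusts only the copied syslog-tls certificate, insists on TLS 1.2 or later as the table's TLS Protocols row recommends, and frames messages for the listener. The Event Collector hostname and the path of the copied certificate are assumptions, and the test message is constructed.

```python
import socket
import ssl

# Added example of a TLS syslog forwarder; not QRadar or vendor code.
EVENT_COLLECTOR = "qradar-ec.example.net"               # ASSUMED collector hostname
TLS_LISTEN_PORT = 6514                                  # default TLS listen port from the table
COPIED_QRADAR_CERT = "/etc/ssl/certs/syslog-tls.cert"   # ASSUMED location of the copied certificate

def make_client_context(ca_file=None, check_hostname=True):
    """Trust only the certificate copied from the Event Collector and require TLS 1.2+.
    PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED with hostname checking;
    both are set explicitly here so the policy is visible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2        # the "TLS 1.2 or later" option
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)       # the collector's cert is the only trust anchor
    return ctx

def context_policy(ctx):
    """Summarise the enforced policy as plain values (handy for a startup self-check)."""
    return (ctx.minimum_version.name, ctx.verify_mode.name, ctx.check_hostname)

def frame(message, octet_counting=True):
    """RFC 5425 octet-counting frames as '<byte length> <message>'; the length is in
    bytes, so non-ASCII text is counted after UTF-8 encoding. octet_counting=False
    gives newline-delimited ("traditional") TCP framing instead; confirm which one
    the listener you send to expects."""
    data = message.encode("utf-8")
    if octet_counting:
        return b"%d " % len(data) + data
    return data + b"\n"

def send_events(messages, host=EVENT_COLLECTOR, port=TLS_LISTEN_PORT, ca_file=COPIED_QRADAR_CERT):
    """Open one TLS session, push every message over it, return the negotiated version."""
    ctx = make_client_context(ca_file)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for m in messages:
                tls.sendall(frame(m))
            return tls.version()

if __name__ == "__main__":
    # Constructed RFC 5424 test message; hostname and app name are placeholders.
    msg = "<13>1 2024-01-10T12:00:00Z fw01 kernel - - - TLS syslog test"
    try:
        print("sent over", send_events([msg]))
    except (OSError, ssl.SSLError) as exc:
        print("forwarding failed:", exc)
```

If the generated certificate's name does not match the hostname you connect to, the right fix is a user-provided server certificate that carries the collector's name (see the Server Certificate Type row), not turning hostname checking off.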
TLS Syslog use cases
- Client Certificate on Disk
- You can supply a client certificate that enables the protocol to perform client authentication. If you select this option and provide the certificate, incoming connections are validated against the client certificate.
- CN Allowlist and Issuer Verification
- If you selected this option, you must copy the issuer certificate (with the .crt, .cert, or .der file extension) to the /opt/qradar/conf/trusted_certificates directory on the Target Event Collector that the log source is assigned to. Any incoming client certificate is then checked to confirm that it was signed by the trusted issuer, together with the other enabled checks. You can choose one or both methods for client certificate authentication: the CN allowlist and issuer verification.
- User-provided Server Certificates
- You can configure your own server certificate and corresponding private key. The configured TLS Syslog provider uses the certificate and key. Incoming connections are presented with the user-supplied certificate, rather than the automatically generated TLS Syslog certificate.
- Default authentication
- To use the default authentication method, use the default values for the Authentication Mode and Certificate Type parameters. After the log source is saved, a syslog-tls certificate is created for the log source. The certificate must be copied to any device on your network that forwards encrypted syslog data.
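The client-certificate checks described in the table and in the CN Allowlist and Issuer Verification use case, as an added example that is not QRadar code: CN matching against a plain-text or regex allowlist, issuer verification by name chaining plus a real signature check, the Key Usage and Extended Key Usage rule, and extraction of the CRL Distribution Point URL a revocation check would need to reach. It uses the `cryptography` library and assumes ECDSA P-256 issuer keys; the issuer, device certificates, names and CRL URL are constructed for the example.

```python
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Added example of the client-certificate checks from the table; not QRadar code.
# ASSUMPTIONS: ECDSA P-256 issuer keys; all certificates, names and URLs are constructed.

def make_cert(cn, issuer_cert, issuer_key, subject_key, is_ca=False,
              eku=(ExtendedKeyUsageOID.CLIENT_AUTH,), crl_url=None):
    """Build a certificate; issuer_cert=None makes it self-signed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    ku = x509.KeyUsage(digital_signature=True, content_commitment=False, key_encipherment=False,
                       data_encipherment=False, key_agreement=False, key_cert_sign=is_ca,
                       crl_sign=is_ca, encipher_only=False, decipher_only=False)
    b = (x509.CertificateBuilder().subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(ku, critical=True))
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(list(eku)), critical=False)
    if crl_url:
        b = b.add_extension(x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier(crl_url)],
            relative_name=None, reasons=None, crl_issuer=None)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value

def cn_allowed(cert, allowlist):
    """Entries are plain text or a regex; a regex must match the whole CN."""
    cn = common_name(cert)
    for entry in allowlist:
        try:
            if entry == cn or re.fullmatch(entry, cn):
                return True
        except re.error:
            pass                              # plain-text entry that is not a valid regex
    return False

def issuer_verified(cert, issuer_cert):
    """Name chaining plus a signature check against the trusted issuer's public key."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def usage_ok(cert):
    """Key Usage must assert digitalSignature or keyAgreement, and the EKU must include
    TLS Web Client Authentication (the allowed values from the table)."""
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return (ku.digital_signature or ku.key_agreement) and ExtendedKeyUsageOID.CLIENT_AUTH in eku

def crl_urls(cert):
    """URLs a revocation check would have to fetch; the network fetch itself is out of scope."""
    try:
        cdp = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in cdp for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]

def accept_client(cert, issuer_cert, allowlist, use_cn=True, use_issuer=True, check_usage=True):
    """Apply the enabled checks; returns (accepted, reasons_for_rejection)."""
    reasons = []
    if use_cn and not cn_allowed(cert, allowlist):
        reasons.append("CN not in allowlist")
    if use_issuer and not issuer_verified(cert, issuer_cert):
        reasons.append("not signed by trusted issuer")
    if check_usage and not usage_ok(cert):
        reasons.append("key usage / EKU not client-auth")
    return (not reasons, reasons)

ALLOWLIST = ["fw01.corp.example", r"fw\d+\.corp\.example"]   # constructed: plain text + regex

def build_demo_certs():
    """Constructed trust setup: one trusted issuer, one rogue key, four device certificates."""
    ca_key, dev_key, rogue_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    ca = make_cert("Corp Device Issuer", None, ca_key, ca_key, is_ca=True, eku=())
    return {
        "ca": ca,
        "good": make_cert("fw01.corp.example", ca, ca_key, dev_key, crl_url="http://pki.example.net/issuer.crl"),
        "bad_cn": make_cert("laptop.corp.example", ca, ca_key, dev_key),
        "forged": make_cert("fw02.corp.example", ca, rogue_key, dev_key),  # claims the issuer's name, wrong key
        "no_eku": make_cert("fw03.corp.example", ca, ca_key, dev_key, eku=()),
    }

if __name__ == "__main__":
    certs = build_demo_certs()
    for name in ("good", "bad_cn", "forged", "no_eku"):
        print(name, accept_client(certs[name], certs["ca"], ALLOWLIST), crl_urls(certs[name]))
```

The forged certificate is the case issuer verification exists for: its issuer name is the trusted issuer's, so a name-only comparison would pass it, and only the signature check over the TBS bytes rejects it. The CN allowlist on its own would also have admitted it, which is why the page offers both checks.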