TLS Syslog protocol configuration options

Configure a TLS Syslog protocol log source to receive encrypted syslog events from network devices that support TLS Syslog event forwarding for each listener port.

The TLS Syslog protocol is a passive inbound protocol. The log source creates a listen port for incoming TLS Syslog events. By default, TLS Syslog log sources use the certificate and key that is generated by IBM® QRadar®. If you create more log sources with unique listen ports, you can configure up to 1000 network appliances.

The following table describes the protocol-specific parameters for the TLS Syslog protocol:

Table 1. TLS Syslog protocol parameters
Protocol Configuration

TLS Syslog

Log Source Identifier

An IP address or hostname to identify the log source.

TLS Listen Port

The default TLS listen port is 6514.

Important: You can assign only one TLS Syslog log source to each TLS listen port.

Authentication Mode

The mode your TLS connection uses to authenticate. If you select the TLS and Client Authentication option, you must configure the certificate parameters.

Client Certificate Authentication

Select one of the following options from the list:
  • CN Allowlist and Issuer Verification
  • Client Certificate on Disk

Use CN Allowlist

Enable this parameter to use a CN allowlist.

CN Allowlist

The allowlist of trusted client certificate common names. You can enter plain text or a regular expression (regex). To define multiple entries, enter each one on a separate line.

Use Issuer Verification

Enable this parameter to use issuer verification.

Root/Intermediate Issuer's Certificate or Public key

Enter the Root/Intermediate issuer's certificate or public key in PEM format.
  • Enter the certificate, beginning with:

    -----BEGIN CERTIFICATE-----

    and ending with:

    -----END CERTIFICATE-----

  • Enter the public key beginning with:

    -----BEGIN PUBLIC KEY-----

    and ending with:

    -----END PUBLIC KEY-----

Check Certificate Revocation

Checks the certificate revocation status against the client certificate. This option requires network connectivity to the URL that is specified by the CRL Distribution Points field of the client certificate's X509v3 extension.

Check Certificate Usage

Checks the contents of the certificate's X509v3 Key Usage and Extended Key Usage extension fields. For an incoming client certificate, the allowed values of X509v3 Key Usage are digitalSignature and keyAgreement. The allowed value for X509v3 Extended Key Usage is TLS Web Client Authentication.

This property is disabled by default.

Client Certificate Path

The absolute path to the client certificate on disk. The certificate must be stored on the QRadar Console or Event Collector for this log source.

Important:

Ensure that the certificate file that you enter begins with:

-----BEGIN CERTIFICATE-----

and ends with:

-----END CERTIFICATE-----

Server Certificate Type

The type of certificate to use for authentication for the server certificate and server key.

Select one of the following options from the Server Certificate Type list:
  • Generated Certificate
  • PEM Certificate and Private Key
  • PKCS12 Certificate Chain and Password
  • Choose from QRadar Certificate Store
Generated Certificate

This option is available when you configure the Certificate Type.

If you want to use the default certificate and key that is generated by QRadar for the server certificate and server key, select this option.

The generated certificate is named syslog-tls.cert in the /opt/qradar/conf/trusted_certificates/ directory on the target Event Collector that the log source is assigned to.

Single Certificate and Private Key

This option is available when you configure the Certificate Type.

If you want to use a single PEM certificate for the server certificate, select this option and then configure the following parameters:
  • Provided Server Certificate Path - The absolute path to the server certificate.
  • Provided Private Key Path - The absolute path to the private key.
    Important: The corresponding private key must be a DER-encoded PKCS8 key. The configuration fails with any other key format.
PKCS12 Certificate and Password

This option is available when you configure the Certificate Type.

If you want to use a PKCS12 file that contains the server certificate and server key, select this option and then configure the following parameters:
  • PKCS12 Certificate Path - Type the file path for the PKCS12 file that contains the server certificate and server key.
  • PKCS12 Password - Type the password to access the PKCS12 file.
  • Certificate Alias - If there is more than one entry in the PKCS12 file, an alias must be provided to specify which entry to use. If only one alias is in the PKCS12 file, leave this field blank.
Choose from QRadar Certificate Store

This option is available when you configure the Certificate Type.

You can use the Certificate Management app to upload a certificate from the QRadar Certificate Store.

Max Payload Length

The maximum payload length (in characters) that is displayed for a TLS Syslog message.
Maximum Connections

The Maximum Connections parameter controls how many simultaneous connections the TLS Syslog protocol can accept for each Event Collector.

For each Event Collector, there is a limit of 1000 connections, including enabled and disabled log sources, in the TLS Syslog log source configuration for each Event Collector.

The default is 50 connections for each device; this value is not the limit for each port.

Tip: Automatically discovered log sources share a listener with another log source. For example, if you use the same port on the same event collector, it counts only one time toward the limit.
TLS Protocols

The TLS protocol to be used by the log source.

Select the "TLS 1.2 or later" option.

Use As A Gateway Log Source

Sends collected events through the QRadar Traffic Analysis Engine to automatically detect the appropriate log source.

If you do not want to define a custom log source identifier for events, clear the checkbox.

When this option is not selected and Log Source Identifier Pattern is not configured, QRadar receives events as unknown generic log sources.

Use Predictive Parsing

If you enable this parameter, an algorithm extracts log source identifier patterns from events without running the regex for every event, which increases the parsing speed.
Tip: In rare circumstances, the algorithm can make incorrect predictions. Enable predictive parsing only for log source types that you expect to receive high event rates and require faster parsing.
Log Source Identifier Pattern

Use the Use As A Gateway Log Source option to define a custom log source identifier for events that are being processed and for log sources to be automatically discovered when applicable. If you don't configure the Log Source Identifier Pattern, QRadar receives events as unknown generic log sources.

Use key-value pairs to define the custom Log Source Identifier. The key is the Identifier Format String, which is the resulting source or origin value. The value is the associated regex pattern that is used to evaluate the current payload. This value also supports capture groups that can be used to further customize the key.

Define multiple key-value pairs by typing each pattern on a new line. Multiple patterns are evaluated in the order that they are listed. When a match is found, a custom Log Source Identifier is displayed.

The following example shows multiple key-value pairs and the identifier they produce.

Patterns:

    VPC=\sREJECT\sFAILURE
    $1=\s(REJECT)\sOK
    VPC-$1-$2=\s(ACCEPT)\s(OK)

Event:

    {LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,IngestionTime: 0,EventId: 0}

Resulting custom log source identifier:

    VPC-ACCEPT-OK
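The pattern evaluation described above, written out as an added illustration (this is not QRadar's own code): the key-value lines are parsed, each regex is tried in listed order, and the capture groups of the first match are substituted into the key. It assumes Python's re dialect, which is close to but not identical with the regex engine QRadar uses.

```python
from __future__ import annotations
import re

# Constructed input: the three key-value pairs from the example above, one per line.
PATTERNS_TEXT = r"""VPC=\sREJECT\sFAILURE
$1=\s(REJECT)\sOK
VPC-$1-$2=\s(ACCEPT)\s(OK)"""

# Constructed input: the sample event payload from the example above.
SAMPLE_EVENT = ("{LogStreamName: LogStreamTest,Timestamp: 0,Message: ACCEPT OK,"
                "IngestionTime: 0,EventId: 0}")


def parse_patterns(text: str) -> list[tuple[str, re.Pattern]]:
    """Split each non-empty line at its first '=' into (Identifier Format String, regex).

    Splitting at the first '=' lets the regex half itself contain '=' characters."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, regex = line.partition("=")
        if not sep or not key:
            raise ValueError(f"expected key=regex, got {line!r}")
        pairs.append((key, re.compile(regex)))
    return pairs


def resolve_identifier(payload: str, pairs: list[tuple[str, re.Pattern]]) -> str | None:
    """Evaluate the pairs in listed order; the first regex that matches wins.

    Every $n in the winning key is replaced by capture group n of that match."""
    for key, regex in pairs:
        match = regex.search(payload)
        if match is None:
            continue

        def expand(ref: re.Match) -> str:
            group = int(ref.group(1))
            if group > regex.groups:
                raise ValueError(f"{key!r} uses ${group} but the regex has {regex.groups} groups")
            return match.group(group) or ""

        return re.sub(r"\$(\d+)", expand, key)
    # No pattern matched: QRadar would treat the event as an unknown generic log source.
    return None


if __name__ == "__main__":
    print(resolve_identifier(SAMPLE_EVENT, parse_patterns(PATTERNS_TEXT)))  # VPC-ACCEPT-OK
```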
Enable Multiline

Aggregate multiple messages into single events based on a Start/End Matching or an ID-Linked regular expression.
Aggregation Method

This parameter is available when Enable Multiline is turned on.

  • ID-Linked - Processes event logs that contain a common value at the beginning of each line.
  • Start/End Matching - Aggregates events based on a start or end regular expression (regex).
Event Start Pattern

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching.

This regular expression (regex) is required to identify the start of a TCP multiline event payload. Syslog headers typically begin with a date or timestamp. The protocol can create a single-line event that is based solely on an event start pattern, such as a timestamp. When only a start pattern is available, the protocol captures all the information between each start value to create a valid event.

Event End Pattern

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to Start/End Matching.

This regular expression (regex) is required to identify the end of a TCP multiline event payload. If the syslog event ends with the same value, you can use a regular expression to determine the end of an event. The protocol can capture events that are based solely on an event end pattern. When only an end pattern is available, the protocol captures all the information between each end value to create a valid event.

Message ID Pattern

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked.

This regular expression (regex) is required to filter the event payload messages. The TCP multiline event messages must contain a common identifying value that repeats on each line of the event message.

Time Limit

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked.

The number of seconds to wait for more matching payloads before the event is pushed into the event pipeline. The default is 10 seconds.

Retain Entire Lines during Event Aggregation

This parameter is available when Enable Multiline is turned on and the Aggregation Method is set to ID-Linked.

If you set the Aggregation Method parameter to ID-Linked, you can enable Retain Entire Lines during Event Aggregation to discard or keep the part of the events that precedes Message ID Pattern. You can enable this function only when concatenating events with the same ID pattern together.

Flatten Multiline Events Into Single Line

This parameter is available when Enable Multiline is turned on.

Shows an event in one single line or multiple lines.

Event Formatter

This parameter is available when Enable Multiline is turned on.

Use the Windows Multiline option for multiline events that are formatted specifically for Windows.
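An added illustration of how the ID-Linked settings above (Message ID Pattern, Time Limit, Retain Entire Lines during Event Aggregation, Flatten Multiline Events Into Single Line) interact; this is not QRadar's code, and the arrival times and syslog lines are constructed for the example.

```python
from __future__ import annotations
import re

# Constructed sample: (arrival time in seconds, line). Lines that share a MsgID value
# belong to one logical event; the line for A1 arriving at t=2 is 11 s before C3.
SAMPLE_LINES = [
    (0.0, "Jan 01 10:00:00 host app[123]: MsgID=A1 transfer started"),
    (1.0, "Jan 01 10:00:01 host app[123]: MsgID=B2 login ok"),
    (2.0, "Jan 01 10:00:02 host app[123]: MsgID=A1 transfer finished"),
    (13.0, "Jan 01 10:00:13 host app[123]: MsgID=C3 logout"),
]


def aggregate_id_linked(lines, message_id_pattern, time_limit=10.0,
                        retain_entire_lines=True, flatten=False):
    """Join lines that share the Message ID Pattern value into one event.

    A pending event is pushed once time_limit seconds pass without another matching
    line (checked on each arrival); whatever is still pending at end of input is
    pushed last. Returns the events in push order."""
    id_re = re.compile(message_id_pattern)
    sep = " " if flatten else "\n"
    pending = {}   # id value -> [time of last matching line, [line, ...]]
    events = []

    def push_expired(now, force=False):
        for key in list(pending):
            last_seen, parts = pending[key]
            if force or now - last_seen >= time_limit:
                events.append(sep.join(parts))
                del pending[key]

    for now, line in lines:
        push_expired(now)
        m = id_re.search(line)
        if m is None:
            events.append(line)   # no ID value: the line cannot be linked, pass it through
            continue
        key = m.group(1) if m.groups() else m.group(0)
        # Retain Entire Lines off: drop the part of the line that precedes the ID match.
        text = line if retain_entire_lines else line[m.start():]
        entry = pending.setdefault(key, [now, []])
        entry[0] = now
        entry[1].append(text)
    push_expired(float("inf"), force=True)
    return events
```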

After the log source is saved, a syslog-tls certificate is created for the log source. The certificate must be copied to any device on your network that is configured to forward encrypted syslog. Other network devices that have a syslog-tls certificate file and the TLS listen port number can be automatically discovered as a TLS Syslog log source.

TLS Syslog use cases

The following use cases represent possible configurations that you can create:
Client Certificate on Disk
You can supply a client certificate that enables the protocol to perform client authentication. If you select this option and provide the certificate, incoming connections are validated against the client certificate.
CN Allowlist and Issuer Verification

If you selected this option, you must copy the issuer certificate (with the .crt, .cert, or .der file extensions) to the following directory:

/opt/qradar/conf/trusted_certificates

This directory is on the Target Event Collector that the log source is assigned to.

Any incoming client certificate is verified by the following methods, which check whether the certificate was signed by the trusted issuer and perform other checks. You can choose one or both methods for client certificate authentication:

CN Allowlist

Provide an allowlist of trusted client certificate common names. You can enter plain text or a regular expression. Define multiple entries by entering each on a new line.

Issuer Verification

Provide a trusted client certificate's root or intermediate issuer certificate, or a public key in PEM format.

Check Certificate Revocation

Checks the certificate revocation status against the client certificate. This option needs network connectivity to the URL that is specified by the CRL Distribution Points field of the client certificate's X509v3 extension.

Check Certificate Usage

Checks the contents of the certificate's X509v3 Key Usage and Extended Key Usage extension fields. For an incoming client certificate, the allowed values of X509v3 Key Usage are digitalSignature and keyAgreement. The allowed value for X509v3 Extended Key Usage is TLS Web Client Authentication.

User-provided Server Certificates
You can configure your own server certificate and corresponding private key. The configured TLS Syslog provider uses the certificate and key. Incoming connections are presented with the user-supplied certificate, rather than the automatically generated TLS Syslog certificate.
Default authentication
To use the default authentication method, use the default values for the Authentication Mode and Certificate Type parameters. After the log source is saved, a syslog-tls certificate is created for the log source device. The certificate must be copied to any device on your network that forwards encrypted syslog data.