Syslog Security

Use the Syslog Security feature to encrypt communication between the library and the Syslog Server with Transport Layer Security (TLS).

Use the Settings > Notifications > Syslog Security page to enable TLS for the Syslog. Click on the Enable button and enter the information for the three required fields:

Note: Privacy-Enhanced Mail (PEM) is the only supported format.
  • CA certificate (Rsyslog):

    This is the Certificate Authority certificate for your Syslog Server, which is used to sign all certificates. If you already have a Syslog Server, this certificate has already been created by the certificate authority.

  • Library server certificate:

    This is the server certificate that the certificate authority issued for the library; it is the library's own certificate. A new client (the tape library) that connects to the syslog server must have this certificate.

  • Library private key:

    This is the private key that the certificate authority also issued for the new client, the tape library; it is the tape library's private key.

Proper configuration of the certificate paths and use of the "gtls" driver in the "rsyslog.conf" file on the "notification receiver" server are required for logging to work successfully, as shown in the following example:
# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files: the CA that signed both ends, the receiver's own certificate and its private key
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls-caibm-bundle.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/59_sys_certO.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/SERVERTron-key.pem

# load the TCP listener module; the $InputTCPServer* directives below require it
$ModLoad imtcp

# authenticate clients by the name in their CA-signed certificate
$InputTCPServerStreamDriverAuthMode x509/name
# only these peers (the tape library) may deliver messages
$InputTCPServerStreamDriverPermittedPeer *.gdl.mex.ibm.com
$InputTCPServerStreamDriverPermittedPeer 9.18.77.*
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 6514 # start the TLS listener on port 6514

After the Syslog Security certificates and key are set, go to the Syslog Server page and use the Actions menu to modify the Server Port to match the port on which the receiver listens ($InputTCPServerRun, 6514 in the example above).
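To check the receiver's gtls configuration before pointing the library at it, the following added example (not part of this documentation or of the library's own code) connects the way the library does: it trusts only the CA certificate for the receiver, presents the library certificate and private key so that x509/name authentication can succeed, and delivers one RFC 5424 message with the octet-counting framing that rsyslog's imtcp accepts. The PEM file names and the receiver host name are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed file names for the three PEM items from the Syslog Security page.
CA_FILE = "tls-caibm-bundle.pem"        # CA certificate (Rsyslog)
LIBRARY_CERT = "library-cert.pem"       # library server certificate (assumed name)
LIBRARY_KEY = "library-key.pem"         # library private key (assumed name)


def build_syslog_message(hostname, app, text, facility=1, severity=6, stamp=None):
    """RFC 5424 line; PRI = facility * 8 + severity (1 = user, 6 = info)."""
    if stamp is None:
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{facility * 8 + severity}>1 {stamp} {hostname} {app} - - - {text}"


def frame_octet_counting(message):
    """RFC 6587 octet-counting framing used by rsyslog imtcp: the length in
    UTF-8 bytes (not characters), a space, then the message."""
    payload = message.encode("utf-8")
    return f"{len(payload)} ".encode("ascii") + payload


def make_client_context(ca_file, cert_file, key_file):
    """Trust only the given CA for the receiver and present the library's own
    certificate and key; x509/name auth rejects clients without a CA-signed cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # unverifiable receiver cert -> abort
    ctx.check_hostname = True             # receiver cert must match the name dialled
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def send_test_message(host, port, ctx, message):
    """Deliver one framed message over TLS; return the receiver certificate's
    subject so the operator can confirm the expected server answered."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_octet_counting(message))
            return dict(pair[0] for pair in tls.getpeercert()["subject"])


if __name__ == "__main__":
    # Assumed receiver name; 6514 is the $InputTCPServerRun port in the example.
    ctx = make_client_context(CA_FILE, LIBRARY_CERT, LIBRARY_KEY)
    msg = build_syslog_message("tapelib01", "syslog-tls-check", "TLS syslog test")
    print(send_test_message("syslog-receiver.example.com", 6514, ctx, msg))
```

If the handshake fails with a certificate error, the CA, certificate and key entered on the Syslog Security page do not form a chain the receiver accepts; if it succeeds but nothing is logged, check the PermittedPeer patterns against the name in the library certificate.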