News
Abstract
You can forward alerts or other messages from your Guardium collector or aggregator to a remote syslog receiver, such as a Security Information and Event Management (SIEM) system. With Guardium version 9.1 and above, you can encrypt that message traffic from your Guardium system to the remote syslog receiver.
Content
Repeat these steps on every collector or aggregator that is sending traffic to the encrypted host.
You must store the certificate that is used by the remote syslog receiver on each Guardium system.
- Have available the public certificate, in PEM format, from the certificate authority (CA) that you will use to sign your certificates (from Verisign, Thawte, Geotrust, GoDaddy, Comodo, in-house, etc.).
- Log in to the CLI on the individual Guardium system from which you want to send the encrypted syslog.
- Copy the certificate, including the BEGIN and END lines, to your clipboard. It should look something like this:
-----BEGIN CERTIFICATE-----
(base64-encoded certificate body)
-----END CERTIFICATE-----
- Enter the following CLI command:
store remotelog add encrypted daemon.all IP_address:port_number tcp
where IP_address and port_number are the address and port on which the remote system receives message traffic. This example uses daemon because Guardium sends its application events using the daemon facility. Encryption works only in TCP mode, so you must specify the tcp parameter on the command. Without this parameter, syslog forwarding defaults to UDP, and encryption does not work.
- The following instructions are displayed:
Please paste your CA certificate, in PEM format. Include the BEGIN and END lines, and then press CTRL-D.
Paste the PEM-format certificate at the command line, then press CTRL-D. Guardium stores this input as /etc/pki/rsyslog/ca.pem. You will be informed of the success or failure of the store operation. When successful, Guardium can send encrypted traffic to the remote system with the correct key.
- Repeat the above procedure for each collector and aggregator that is sending syslog traffic to the encrypted host.
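As an added pre-flight check (example code, not from the Guardium documentation or product), the following Python script verifies that the CA certificate you are about to paste carries the BEGIN and END lines and a decodable body, and that the receiver's port completes a TLS handshake over TCP against that CA, which is where a missing tcp parameter or a certificate from the wrong CA shows up. The receiver host, port and CA file path are assumptions, and the embedded certificate body is a constructed stub, not a real certificate.

```python
import base64
import re
import socket
import ssl

# Matches one PEM certificate block, including its BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

# Constructed stand-in for a CA certificate: the body is a five-byte DER
# SEQUENCE, enough to exercise the checks below. It is not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"


def validate_ca_pem(text):
    """Return {'ok': True, 'der_length': n} when text holds exactly one PEM
    certificate whose body is valid base64 decoding to a DER SEQUENCE (the
    outer tag of every X.509 certificate); otherwise {'ok': False, 'reason': ...}."""
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        return {"ok": False, "reason": "expected 1 certificate block, found %d" % len(blocks)}
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return {"ok": False, "reason": "body is not valid base64: %s" % exc}
    if not der or der[0] != 0x30:
        return {"ok": False, "reason": "decoded body is not a DER SEQUENCE"}
    return {"ok": True, "der_length": len(der)}


def check_receiver(host, port, ca_path, timeout=5.0):
    """Connect over TCP (the only mode in which encryption works) and complete a
    TLS handshake verified against ca_path. Returns the negotiated TLS version,
    or raises OSError/ssl.SSLError if the port is closed, only UDP is listening,
    or the receiver's certificate does not chain to that CA."""
    ctx = ssl.create_default_context(cafile=ca_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(validate_ca_pem(SAMPLE_PEM))  # {'ok': True, 'der_length': 5}
    # Assumed receiver address and CA file; replace with your own values.
    # print(check_receiver("siem.example.internal", 6514, "ca.pem"))
```

check_receiver also verifies that the receiver's certificate names the host you connect to, so connect by the same name or IP address that you will give to store remotelog.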
Document Information
Modified date: 03 November 2021
UID: swg21661703