rsyslogd to a commercial cloud SIEM with encryption
rsyslog can be used to log locally and send the logs to a remote server. Doing that while encrypting the traffic is a bit more challenging.
Kristian Reese has a wonderful guide here: https://kristianreese.com/2019/07/11/How-to-configure-rsyslog-7-4-9-with-TLS/
It gave me the basics, but my destination was a commercial cloud SIEM, so I could not generate the CA or the keys myself.
It turns out all you really need for encryption to work is the CA certificate (the .pem file the SIEM vendor provides); in the anonymous mode used below, no client certificate or key is required. I created /etc/rsyslog.d/tls.conf with these entries:
$DefaultNetstreamDriverCAFile /path/to/rsyslog pem files/<CA file name>.pem
$DefaultNetstreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @@<destination name or ip>:<dest port> # send (all) messages - Adjust the logs to forward here
I restarted rsyslog (systemctl restart rsyslog) and watched my local log files to make sure entries were still being written there. Then I captured traffic with tcpdump to confirm that messages were also reaching the destination and that the payload was encrypted (only TLS record bytes on the wire, never a readable hostname or message text).

One caveat: tcpdump confirms encryption, not authentication. With $ActionSendStreamDriverAuthMode anon, rsyslog does not check the SIEM's certificate against the CA file, so anyone who can redirect the TCP connection (DNS, routing, a compromised hop) can present their own certificate and read the logs. If the SIEM's certificate chains to the CA you were given, switch to $ActionSendStreamDriverAuthMode x509/name and add $ActionSendStreamDriverPermittedPeer with the SIEM hostname as it appears in its certificate, so rsyslog verifies both the chain and the name before sending anything (x509/certvalid checks the chain only).
UPDATE: Jan 2025
I needed to start sending the Apache logs to the SIEM as well. Apache writes them straight to files rather than through syslog, so I added file input (imfile) processing to my rsyslog configuration. Excellent instructions here.
I decided to use local7 as the facility. In /etc/rsyslog.d I created 02-apache.conf with:
module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")
input(type="imfile"
File="/var/log/apache2/access.log"
Tag="http_access"
Severity="info"
Facility="local7")
local7.* @@(SIEM IP):(SIEM Port)
Note the double @@. A single @ means UDP, and the TLS stream driver only applies to TCP actions, so with @ the Apache entries would cross the network in the clear even though tls.conf is in place. Two more things to check on this line: the $ActionSendStreamDriver* directives in tls.conf only apply to actions that rsyslog parses after them, and files in /etc/rsyslog.d are included in name order, so 02-apache.conf is read before tls.conf; and if the *.* action in tls.conf is still unfiltered, it already forwards local7 and this line sends a second copy. The simplest fix is to drop this line and let the existing *.* action (or a local7 filter placed after the directives in tls.conf) carry the Apache entries.
I also needed to update 50-default.conf to add local7.none to the default syslog line, so the Apache entries did not also end up in /var/log/syslog:
*.*;auth,authpriv.none;local7.none -/var/log/syslog
I verified the syntax of the new file with: rsyslogd -N1 -f /etc/rsyslog.d/02-apache.conf
Then I restarted rsyslog and checked the SIEM; all seems well. Keep in mind that -N1 checks syntax only: it will happily accept a forward that goes out in the clear, so the tcpdump check on the SIEM port is still the way to confirm that the Apache entries are encrypted.
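Pulling the two pieces together, here is the same setup in rsyslog's RainerScript form, as an added example rather than the configuration from this post: the SIEM's certificate is verified instead of accepted anonymously, and the Apache file input is bound to its own ruleset so its entries can only leave through the TLS action, regardless of rsyslog.d file order or a stray single-@ line. The hostname siem.example.com, port 6514, the CA path /etc/rsyslog.d/siem-ca.pem and the ruleset name to_siem are placeholders I chose; substitute what your SIEM vendor gave you.

```rsyslog
# Added example, not the post's own config. Placeholders: siem.example.com,
# port 6514, /etc/rsyslog.d/siem-ca.pem, ruleset name to_siem.

# Global TLS settings: gtls driver and the CA that signed the SIEM's certificate.
# workDirectory is where the disk-assisted queue below keeps its files.
global(
  workDirectory="/var/spool/rsyslog"
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/siem-ca.pem"
)

# One TLS forwarding action, reachable only through this ruleset.
# protocol="tcp" is required: TLS is never applied to UDP (@-style) forwards.
# StreamDriverMode="1" means TLS only, no plaintext fallback.
# The weak setting from the post would be StreamDriverAuthMode="anon": it
# encrypts but accepts any server certificate. x509/name verifies the chain
# against the CA file and checks that the certificate names the SIEM host.
# The queue and retry settings buffer on disk instead of dropping messages
# when the SIEM is unreachable.
ruleset(name="to_siem") {
  action(type="omfwd"
         target="siem.example.com"
         port="6514"
         protocol="tcp"
         StreamDriver="gtls"
         StreamDriverMode="1"
         StreamDriverAuthMode="x509/name"
         StreamDriverPermittedPeers="siem.example.com"
         action.resumeRetryCount="-1"
         queue.type="LinkedList"
         queue.filename="siem_fwd"
         queue.saveOnShutdown="on")
}

# Apache access log as a file input, tagged local7, bound directly to the TLS
# ruleset. Because these messages never enter the default ruleset, no
# local7.none exclusion in 50-default.conf is needed and no other action can
# forward them in the clear.
module(load="imfile" PollingInterval="10" statefile.directory="/var/spool/rsyslog")
input(type="imfile"
      File="/var/log/apache2/access.log"
      Tag="http_access"
      Severity="info"
      Facility="local7"
      ruleset="to_siem")

# Everything that arrives through the normal syslog path also goes to the SIEM.
# Wrap this in a filter (for example: if $syslogfacility-text == "auth" then call to_siem)
# if you do not want to forward every message.
call to_siem
```

This single file replaces both tls.conf and 02-apache.conf; remove those so nothing is forwarded twice, validate with rsyslogd -N1, and repeat the tcpdump check on port 6514 after restarting. If the handshake fails with a certificate error, the SIEM's certificate does not chain to the CA you were given or its name does not match StreamDriverPermittedPeers; fix the peer name or CA rather than falling back to anon.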