
Chapter 11. Configuring syslog-ng options

There are several options of the syslog-ng server running on SSB that can be configured. These include:

■ For details on general syslog-ng settings, see Section 11.1, General syslog-ng settings (p. 173).

■ For details on timestamping-related options, see Section 11.2, Timestamping configuration on SSB (p. 175).

■ For details on certificate management for receiving and sending log messages in TLS-encrypted channels, see Procedure 11.4, Setting the certificates used in TLS-encrypted log transport (p. 177).

■ For details on managing domain name resolution for log messages, see Section 11.3, Using name resolution on SSB (p. 176).

11.1. General syslog-ng settings

To configure the general options of the syslog-ng server running on SSB, navigate to Log > Options. The following options are available (note that options related to name resolution are discussed in Section 11.3, Using name resolution on SSB (p. 176)):


Figure 11.1. Configuring syslog-ng options

Maximum logstore chunk time: Time limit in seconds. syslog-ng closes the current logstore chunk if no new messages arrive before the time limit expires. If the time limit set in the Idle time before destination is closed option expires, the entire file is closed. This option corresponds to the chunk_time() parameter of syslog-ng.

Messages fetched in a single poll: The maximum number of messages fetched from a source during a single poll loop. If this parameter is too high, the destination queues might fill up before flow control can stop reading. This option corresponds to the log_fetch_limit() parameter of syslog-ng.

Initial window size: The size of the initial window used during flow control. This option corresponds to the log_iw_size() parameter of syslog-ng.

Message size: Specifies the maximum length of incoming log messages in bytes. This option corresponds to the log_msg_size() parameter of syslog-ng. The maximum value of this parameter is 1000000 (1 MB).

Wait time between polls: The time to wait in milliseconds before checking whether new messages have arrived at a source. This option corresponds to the time_sleep() parameter of syslog-ng.

Idle time before destination is closed: The time to wait in seconds before an idle destination file is closed. This option corresponds to the time_reap() parameter of syslog-ng.


11.2. Timestamping configuration on SSB

To configure the timestamping options of SSB, navigate to Log > Options. The following options are available:

Timestamp server: Select the timestamping server to use for signing encrypted logspaces. To use the built-in timestamp server of SSB, select Local.

To use an external timestamping server, select Remote and enter the address of the server into the Server URL field. Note that currently only plain HTTP services are supported; password-protected and HTTPS services are not supported.

Warning

SSB currently supports only timestamping servers that use the Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) described in RFC 3161.

Timestamp policy OID: If the Timestamping Server has timestamping policies configured, enter the OID of the policy to use into the Timestamping policy field. SSB will include this ID in the timestamping requests sent to the TSA.

Cipher: Select the cipher method used to encrypt the logstore. The following cipher methods are available: aes-128-cbc, aes-128-cfb, aes-128-cfb1, aes-128-cfb8, aes-128-ecb, aes-128-ofb, aes-192-cbc, aes-192-cfb, aes-192-cfb1, aes-192-cfb8, aes-192-ecb, aes-192-ofb, aes-256-cbc, aes-256-cfb, aes-256-cfb1, aes-256-cfb8, aes-256-ecb, aes-256-ofb, aes128, aes192, aes256, bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb, blowfish, cast, cast-cbc, cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb, des, des-cbc, des-cfb, des-cfb1, des-cfb8, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb, des-ofb, des3, desx, desx-cbc, rc2, rc2-40-cbc, rc2-64-cbc, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb, rc4, and rc4-40.

By default, SSB uses the aes-128-cbc method.

Digest: Select the digest method to use. The following digest methods are available: MD2, MD4, MD5, SHA-0 (SHA), SHA-1, RIPEMD-160, SHA-224, SHA-256, SHA-384, and SHA-512.

By default, SSB uses the SHA-1 method.

Warning

The size of the digest hash must be equal to or larger than the key size of the cipher method. For example, to use the aes-256-cbc cipher method, the digest method must be at least SHA-256.
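The warning above states the rule but leaves the arithmetic to the reader. The following Python script is an added example (not SSB or Balabit code) that checks a cipher/digest pair against the rule for every name in the two lists above. The bit sizes it uses are OpenSSL's key lengths for those algorithm names and the standard digest output sizes; treating them as the values SSB applies is my assumption, since the page gives only the names.

```python
"""Checker for the SSB logstore rule: the digest output size must be at least the
key size of the chosen cipher. Algorithm names are the ones the SSB web interface
lists; the bit sizes are OpenSSL's key lengths for those names (assumption)."""
import re

# Digest output sizes in bits. SSB lists "SHA-0 (SHA)", so both spellings are accepted.
DIGEST_BITS = {
    "MD2": 128, "MD4": 128, "MD5": 128,
    "SHA": 160, "SHA-0": 160, "SHA-1": 160, "RIPEMD-160": 160,
    "SHA-224": 224, "SHA-256": 256, "SHA-384": 384, "SHA-512": 512,
}

# Key sizes in bits for cipher families whose name carries no explicit size
# (OpenSSL default key lengths; assumption, not from the page).
FAMILY_KEY_BITS = {
    "bf": 128, "blowfish": 128, "cast": 128, "cast5": 128,
    "des": 64, "desx": 192, "des-ede": 128, "des-ede3": 192, "des3": 192,
    "rc2": 128, "rc4": 128,
}

_MODE_SUFFIXES = ("-cbc", "-cfb", "-cfb1", "-cfb8", "-ecb", "-ofb")


def cipher_key_bits(cipher: str) -> int:
    """Return the key size in bits for a cipher name from the SSB list."""
    name = cipher.strip().lower()
    m = re.fullmatch(r"aes-?(128|192|256)(?:-(?:cbc|cfb|cfb1|cfb8|ecb|ofb))?", name)
    if m:                                   # aes-256-cbc, aes128, ...
        return int(m.group(1))
    m = re.fullmatch(r"rc[24]-(40|64)(?:-cbc)?", name)
    if m:                                   # rc2-40-cbc, rc2-64-cbc, rc4-40
        return int(m.group(1))
    base = name
    for suffix in _MODE_SUFFIXES:           # des-ede3-cbc -> des-ede3
        if base.endswith(suffix):
            base = base[: -len(suffix)]
            break
    if base in FAMILY_KEY_BITS:
        return FAMILY_KEY_BITS[base]
    raise ValueError(f"unknown cipher name: {cipher!r}")


def digest_bits(digest: str) -> int:
    """Return the output size in bits for a digest name from the SSB list."""
    key = digest.strip().upper()
    if key not in DIGEST_BITS:
        raise ValueError(f"unknown digest name: {digest!r}")
    return DIGEST_BITS[key]


def digest_fits_cipher(cipher: str, digest: str) -> bool:
    """True when the digest output is at least as large as the cipher key."""
    return digest_bits(digest) >= cipher_key_bits(cipher)


def allowed_digests(cipher: str) -> list:
    """Digests from the SSB list that satisfy the rule for the given cipher."""
    need = cipher_key_bits(cipher)
    return [d for d, bits in DIGEST_BITS.items() if bits >= need and d != "SHA"]


if __name__ == "__main__":
    for cipher, digest in (("aes-128-cbc", "SHA-1"),     # SSB defaults: 160 >= 128, ok
                           ("aes-256-cbc", "SHA-1"),     # 160 < 256, rejected
                           ("aes-256-cbc", "SHA-256")):  # the pairing the warning names
        verdict = "ok" if digest_fits_cipher(cipher, digest) else "REJECT"
        print(f"{cipher:12} + {digest:8}: {verdict}")
    print("digests usable with aes-256-cbc:", ", ".join(allowed_digests("aes-256-cbc")))
```

The default pairing (aes-128-cbc with SHA-1) passes because SHA-1 produces 160 bits, while moving to aes-256-cbc without also raising the digest to SHA-256 or larger fails the check, which is exactly the case the warning calls out.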


Note

The timestamp requests are handled by a separate process in syslog-ng; message processing is not affected if the timestamping server is slow or cannot be accessed.

11.3. Using name resolution on SSB

SSB can resolve the hostnames of the clients and include them in the log messages. However, the performance of SSB can be severely degraded if the domain name server is inaccessible or slow. Therefore, SSB automatically caches the results of name resolution. If you experience performance problems under high load, it is not recommended to disable name resolution. If you must use name resolution, consider the following:

Figure 11.2. Configuring DNS options

■ If the IP addresses of the clients change only rarely, set the expiry of the DNS cache to a large value.

By default, SSB caches successful DNS lookups for an hour, and failed lookups for one minute.

These parameters can be adjusted under Log > Options > Options > DNS Cache expiry and Failed DNS cache expiry.

■ Resolve the hostnames locally. Resolving hostnames locally enables you to display hostnames in the log files for frequently used hosts, without having to rely on a DNS server. The known IP address – hostname pairs are stored locally in a file. In the log messages, syslog-ng will replace the IP addresses of known hosts with their hostnames. To configure local name resolution, select Log > Options > Name resolving, and enter the IP address – hostname pairs (for example, 192.168.1.1 myhost.example.com) into the Persistent hostname list field. Then navigate to Log > Sources, and set the Use DNS option of your sources to Only from persistent configuration.
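To make the two recommendations in this section concrete (the DNS cache with its separate expiry for successful and failed lookups, and the persistent hostname list consulted before any DNS query), here is a small Python model written for this page. It is an added example, not SSB code: the class and function names (NameResolver, parse_persistent_hostnames, rewrite_host) are mine, the 3600 s and 60 s defaults and the 192.168.1.1 myhost.example.com entry come from the text above, and the DNS answers and log lines are constructed sample data.

```python
"""Model of the SSB name-resolution behaviour described above: a persistent
IP -> hostname list is consulted first; otherwise a DNS lookup is issued and its
result cached (3600 s for successful and 60 s for failed lookups, the SSB
defaults quoted on the page). Names are my own, not SSB internals; the DNS
answers and log lines at the bottom are constructed sample data."""
import ipaddress
import re
from typing import Callable, Dict, Optional, Tuple


def parse_persistent_hostnames(text: str) -> Dict[str, str]:
    """Parse 'IP hostname' lines as typed into the Persistent hostname list field.
    Blank lines and '#' comments are ignored; malformed lines raise ValueError."""
    table: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'IP hostname', got {raw!r}")
        ip, host = parts
        table[str(ipaddress.ip_address(ip))] = host   # ValueError on a malformed address
    return table


class NameResolver:
    """Persistent list first, then a DNS cache with separate positive/negative TTLs."""

    _BSD_HEADER = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

    def __init__(self, lookup: Callable[[str], Optional[str]], clock: Callable[[], float],
                 persistent: Optional[Dict[str, str]] = None,
                 ok_ttl: float = 3600, fail_ttl: float = 60):
        self._lookup = lookup            # DNS query: returns a hostname, or None on failure
        self._clock = clock              # injected so expiry can be exercised without sleeping
        self._persistent = dict(persistent or {})
        self._ok_ttl, self._fail_ttl = ok_ttl, fail_ttl
        self._cache: Dict[str, Tuple[Optional[str], float]] = {}   # ip -> (host, expires_at)
        self.dns_queries = 0             # how many real lookups were issued

    def resolve(self, ip: str, use_dns: bool = True) -> Optional[str]:
        if ip in self._persistent:
            return self._persistent[ip]
        if not use_dns:                  # "Use DNS: Only from persistent configuration"
            return None
        now = self._clock()
        cached = self._cache.get(ip)
        if cached is not None and cached[1] > now:
            return cached[0]             # a cached failure also returns None here
        self.dns_queries += 1
        host = self._lookup(ip)
        ttl = self._ok_ttl if host is not None else self._fail_ttl
        self._cache[ip] = (host, now + ttl)
        return host

    def rewrite_host(self, message: str, use_dns: bool = True) -> str:
        """Replace the HOST field of a BSD-syslog line when it is a resolvable IP address."""
        m = self._BSD_HEADER.match(message)
        if not m:
            return message
        try:
            ipaddress.ip_address(m.group(2))
        except ValueError:
            return message               # already a hostname, leave it alone
        host = self.resolve(m.group(2), use_dns)
        return message if host is None else f"{m.group(1)} {host} {m.group(3)}"


# Constructed sample data (only the 192.168.1.1 entry comes from the page).
PERSISTENT_LIST = "192.168.1.1 myhost.example.com\n# lab box\n10.0.0.7 lab7.example.com\n"
FAKE_DNS = {"10.0.0.5": "db1.example.com"}          # every other address fails to resolve
SAMPLE_LINES = [
    "Jan  5 10:00:00 192.168.1.1 sshd[4242]: Accepted publickey for admin",
    "Jan  5 10:00:01 10.0.0.5 postgres[77]: checkpoint complete",
    "Jan  5 10:00:02 10.0.0.9 cron[9]: job done",
]


def demo(now: float = 0.0) -> list:
    """Rewrite the sample lines once through a fresh resolver; returns the rewritten lines."""
    resolver = NameResolver(FAKE_DNS.get, lambda: now, parse_persistent_hostnames(PERSISTENT_LIST))
    return [resolver.rewrite_host(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The clock is injected rather than read from time.time() so the expiry behaviour can be driven deterministically: a successful answer is reused for an hour, a failure is retried after a minute, and a source set to Only from persistent configuration never triggers a DNS query at all, which is the property that keeps a slow or unreachable DNS server from stalling message processing.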

Figure 11.3. Configuring persistent name resolution

11.4. Procedure – Setting the certificates used in TLS-encrypted log transport

Purpose:

To set a custom certificate and a CA certificate for encrypting the transfer of log messages, complete the following steps.

Note

If you do not upload a certificate to encrypt the TLS communication (that is, the TLS certificate and TLS private key options are not set), SSB uses the certificate and CA certificate set for the web interface (set under Basic Settings > Management > SSL certificates) for this purpose as well.

Balabit recommends using 2048-bit RSA keys (or stronger).

Steps:

Step 1. In your PKI system, generate and sign a certificate for SSB, then navigate to Log > Options > TLS