HPE Primera Storage

How to enable TLS for remote syslog with custom port?

 
SOLVED
apol
Frequent Advisor


Hi, does anybody know how to switch from UDP to TLS for remote syslog when using a custom port? The guide only states:

With no port configured, the system uses one of the following default: 514 for UDP, 601 for TCP, 6514 for TLS.

I have to use another port, and our systems (Primera and Alletra) default to using UDP. I already used the GUI to generate a CSR for syslog-gen-client and imported the signed cert with its chain afterwards. Turned remote_syslog off and on again to reset the process; still UDP.

Is there any way to tell the system to use tls instead?

Edit: typo

veeyarvi
HPE Pro

Re: How to enable TLS for remote syslog with custom port?

Hi Apol,


Could you try from CLI?

cli% setsys RemoteSyslogHost {<hostname>|<IPaddr>}[:<port>]

Regards,

Veeyaarvi



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
apol
Frequent Advisor

Re: How to enable TLS for remote syslog with custom port?

The problem is not that I can't set remote syslog to this custom port, the problem is that it then defaults to using udp. I need to switch it to tls. I thought the presence of signed syslog_gen_client certificate tells the array to switch to tls, but it doesn't.

veeyarvi
HPE Pro

Re: How to enable TLS for remote syslog with custom port?

Hi Apol,

I can't comment further without checking the logs to see why the settings are changing back to defaults. Could you open a case with HPE support?

Regards,

Veeyaarvi



apol
Frequent Advisor

Re: How to enable TLS for remote syslog with custom port?

I already opened a case, I'm currently waiting for feedback from L2.

apol
Frequent Advisor
Solution

Re: How to enable TLS for remote syslog with custom port?

After a Teams session with L2, we managed to resolve the issue. In case anybody wants to do the same (switch gen syslog to a secure TLS connection), here's how it worked out for us:

  1. Disable the remote syslog service/functionality:
       setsys RemoteSyslog 0
  2. In the UI or CLI, create a CSR for the service syslog-gen-client.
  3. Get it signed, and import it with its chain of trust (in my case: the root CA, an intermediate CA and the signed cert. In this order!). When using the CLI, take care to import the root CA and intermediate CA with the -ca switch, and the signed cert without that switch:
       importcert syslog-gen-client -ca stdin
       importcert syslog-gen-client stdin
     respectively.
  4. For the service syslog-gen-server, import the root CA and intermediate CA as well. Do NOT import a cert or create a CSR or anything else:
       importcert syslog-gen-server -ca stdin
  5. Re-enable the remote syslog service/functionality:
       setsys RemoteSyslog 1
  6. Check the connection with
       showsys -d
     It should read TLS in the field "general connection".

I did not try, but I guess it will work the same way for syslog_sec_client and syslog_sec_server if using a secure remote syslog server.

I'm not sure, but it could be that for syslog_gen_server it's not necessarily the same chain of trust as for syslog_gen_client that you have to import, but rather the chain of trust for your syslog server's certificate. In my case it just turned out to be the same chain of trust for both.
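
The post above hinges on two details that are easy to get wrong when the signed cert comes back from the PKI team as one bundle: the order (root CA, then intermediate, then the signed cert) and which parts get the -ca switch. As an added example, not HPE code and not part of apol's post, here is a Python script using the third-party cryptography package that takes a PEM bundle in any order, walks the signatures from the end-entity cert up to the self-signed root, refuses bundles with a gap, and prints the importcert lines in the order the post gives for syslog-gen-client (CAs with -ca, leaf without) and syslog-gen-server (trust chain only). The three-certificate demo PKI is generated in-process and is constructed data; the function names, the ECDSA-only signature check and the "leaf-first" delivery order are my assumptions.

```python
"""Order a PEM bundle root CA -> intermediate -> leaf and produce the
Primera/Alletra `importcert <service> [-ca] stdin` sequence from the thread.

Added example, not HPE code. Needs the third-party `cryptography` package.
The demo chain below is constructed in-process, not a real PKI."""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_bundle(pem: bytes) -> list:
    """Load every certificate in a PEM bundle, in the order it was given."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in PEM_RE.finditer(pem)]


def to_pem(certs) -> bytes:
    """Concatenate certificates back into one PEM bundle."""
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in certs)


def is_ca(cert) -> bool:
    """A certificate is a CA if its BasicConstraints extension says so."""
    try:
        return cert.extensions.get_extension_for_oid(
            ExtensionOID.BASIC_CONSTRAINTS).value.ca
    except x509.ExtensionNotFound:
        return False


def signed_by(cert, issuer) -> bool:
    """Verify cert's signature with issuer's public key (assumption: ECDSA keys)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except Exception:  # InvalidSignature, or a key type this helper does not handle
        return False


def order_chain(pem: bytes) -> list:
    """Return [("ca", root), ("ca", intermediate), ..., ("leaf", end-entity)].

    Raises ValueError if there is not exactly one end-entity cert or the
    chain cannot be walked to a self-signed root (e.g. missing intermediate)."""
    certs = split_bundle(pem)
    leaves = [c for c in certs if not is_ca(c)]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one end-entity cert, got {len(leaves)}")
    current = leaves[0]
    ordered = [("leaf", current)]
    for _ in range(len(certs)):  # bounded: a cross-signed loop cannot spin forever
        if current.issuer == current.subject and signed_by(current, current):
            return list(reversed(ordered))  # reached the self-signed root
        parents = [c for c in certs if is_ca(c) and c.subject == current.issuer
                   and signed_by(current, c)]
        if not parents:
            raise ValueError(f"no issuer in bundle for {current.subject.rfc4514_string()}")
        current = parents[0]
        ordered.append(("ca", current))
    raise ValueError("chain does not end in a self-signed root")


def import_plan(service: str, ordered) -> list:
    """CLI lines from the thread: CAs with -ca in chain order, then the leaf
    without -ca. syslog-gen-server gets the trust chain only, no leaf."""
    lines = []
    for role, cert in ordered:
        subject = cert.subject.rfc4514_string()
        if role == "ca":
            lines.append(f"importcert {service} -ca stdin   # {subject}")
        elif service.endswith("-client"):
            lines.append(f"importcert {service} stdin   # {subject}")
    return lines


def _make_cert(cn, key, issuer_cert, issuer_key, ca):
    """Build one certificate of the constructed demo PKI (assumed names)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer = issuer_cert.subject if issuer_cert is not None else subject
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key if issuer_key is not None else key, hashes.SHA256()))


def demo_bundle() -> bytes:
    """Constructed demo chain, delivered leaf-first as PKI teams often send it."""
    root_key, int_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = _make_cert("Demo Root CA", root_key, None, None, True)
    inter = _make_cert("Demo Intermediate CA", int_key, root, root_key, True)
    leaf = _make_cert("syslog-gen-client", leaf_key, inter, int_key, False)
    return to_pem([leaf, inter, root])


if __name__ == "__main__":
    chain = order_chain(demo_bundle())
    print("\n".join(import_plan("syslog-gen-client", chain)))
    print("\n".join(import_plan("syslog-gen-server", chain)))
```

Feed it the real bundle with `order_chain(open("bundle.pem", "rb").read())`; each `importcert ... stdin` line then gets the matching certificate's PEM pasted on stdin, in the printed order. If the array should validate the syslog server against a different PKI than the one that signed the client cert, run the plan for syslog-gen-server on that server's chain instead.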

Sunitha_Mod
Moderator

Re: How to enable TLS for remote syslog with custom port?

Hello @apol,

That's Awesome! 

We are extremely glad to hear the issue has been resolved and we appreciate you for keeping us updated.



Thanks,
Sunitha G
I'm an HPE employee.