SOC-CMM forum
Secure Event Transfer - Syslog - Printable Version




Secure Event Transfer - Syslog - darren.bnm - 04-12-2019

Hi Rob,

[Technology - SIEM Tooling - 1.6.25 Secure Event Transfer - Support for secure event transfer and the actual implementation of secure transfer (e.g. regular syslog is not secure)]

My environment uses UDP/514 (not even TCP) when sending syslog from a firewall to SIEM.

For best practice, do you recommend rsyslog TLS or TLS/6514 or syslog-ng with encryption enabled?


Thanks!


RE: Secure Event Transfer - Syslog - robvanos - 04-16-2019

Hi Darren,

Both rsyslog and syslog-ng support encrypted syslog, so they're both viable options. You can choose a different port to send encrypted syslog to differentiate it from plain-text. That has some advantages (it's clear which sources are encrypted) and might even be a necessity (it depends on the receiving end, but usually log receivers won't be able to handle encrypted and non-encrypted syslog over the same server port). A disadvantage is that you may need to roll out additional firewall rules to enable connectivity over the new port.

I recommend just playing around with multiple options and see what best fits your company's needs in terms of connectivity, scalability, existing standards and manageability.

Regards,
Rob.
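As an added illustration of the approach Rob describes (not configuration from the original thread or from SOC-CMM), here is an rsyslog setup that keeps plain UDP/514 and TLS on TCP/6514 as two separate inputs with their own rulesets, so encrypted and unencrypted sources never share a port and can be told apart in the log files. Hostnames, certificate paths and file names are assumptions; the sender block applies to a Linux host or relay running rsyslog, not to a firewall appliance's own syslog settings.

```conf
# --- SIEM / collector side (assumed file: /etc/rsyslog.d/10-inputs.conf) ---
# Certificates and CA are assumptions; generate them with your own PKI.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/siem-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/siem-key.pem"
)

# TLS listener: mode 1 = TLS only, x509/name = verify the client certificate
# against the CA and require its name to match a permitted peer (mutual TLS).
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["fw01.example.com", "relay01.example.com"])
input(type="imtcp" port="6514" ruleset="encrypted_in")

# Legacy plain-text listener kept on the classic port for devices that
# cannot do TLS yet; landing in a separate file makes the gap visible.
module(load="imudp")
input(type="imudp" port="514" ruleset="plaintext_in")

ruleset(name="encrypted_in") {
  action(type="omfile" file="/var/log/remote/encrypted.log")
}
ruleset(name="plaintext_in") {
  action(type="omfile" file="/var/log/remote/plaintext.log")
}

# --- sending host / relay side (assumed file: /etc/rsyslog.d/90-forward.conf) ---
# Forward everything over TLS to the SIEM on 6514 and verify the SIEM's
# certificate name, so a rogue collector cannot impersonate the real one.
# Remember the firewall rule for TCP/6514 from this host to the SIEM.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/host-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/host-key.pem"
)
action(type="omfwd"
       Target="siem.example.com" Port="6514" Protocol="tcp"
       StreamDriver="gtls" StreamDriverMode="1"
       StreamDriverAuthMode="x509/name"
       StreamDriverPermittedPeers="siem.example.com"
       queue.type="LinkedList" queue.size="10000"
       action.resumeRetryCount="-1")
```

To confirm the listener really negotiates TLS before moving sources over, run `openssl s_client -connect siem.example.com:6514 -CAfile /etc/rsyslog.d/tls/ca.pem` from the sending host and check that the handshake completes and the presented certificate is the SIEM's.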