Secure Event Transfer - Syslog

[darren.bnm]

Hi Rob,

[Technology - SIEM Tooling - 1.6.25 Secure Event Transfer - Support for secure event transfer and the actual implementation of secure transfer (e.g. regular syslog is not secure)]

My environment using UDP/514 (not even TCP   ) when sending syslog from a firewall to SIEM.

For best practise, do you recommend rsyslog TLS or TLS/6514 or syslog-ng with encryption enabled?


Thanks!

[robvanos]

Hi Darren,

Both rsyslog and syslog-ng support encrypted syslog, so they're both viable options. You can choose a different port to send encrypted syslog to differentiatie from plain-text. That has some advantages (it's clear which sources are encrypted) and might even be a neccessity (it depends on the receiving end, but usually log receivers won't be able to handle encrypted and non-encrypted syslog over the same server port). A disadvantage is that you may need to roll out additional firewall rules to enable conectivity over the new port.

I recommend just playing around with multiple options and see what best fits your companies needs in terms of connectivity, scalability, existing standards and manageability.

Regards,
Rob.