How to Send NetScaler Audit Log Messages to syslog Server over SSL

Article ID: CTX223071

Description

This article provides the configuration steps for sending audit log messages securely from a NetScaler appliance to a syslog server using the SSL feature of NetScaler.

Instructions

Send Audit Logs by Authenticating the syslog Server

The following are the configuration steps on NetScaler for sending audit logs securely over an SSL connection by authenticating the syslog server:

  1. Copy the CA certificate (the certificate of the Certificate Authority that issued the syslog server's certificate) to the NetScaler appliance, under the /nsconfig/ssl folder.
    • Issue the following command on the certificate:
      openssl x509 -noout -hash -in <ca_certificate>
      The result is a hash (for example 6d2962a8), a series of alphanumeric characters derived from the Distinguished Name of the certificate.

    • Issue the following command to create a symbolic link to the certificate, named with the hash returned by the previous command and the .0 suffix:
      ln -s <ca_certificate> 6d2962a8.0

  2. Add an SSL certkey that points to the CA certificate:
    add ssl certkey server_cacert -cert <path_to_ca_cert>

  3. Add a service of type SSL_TCP with the IP address of the syslog server and the port on which the syslog server listens for SSL connections:
    add service syslog_service <syslog_server_ip> SSL_TCP <syslog_server_port>

  4. Bind the certkey to the service as a CA certificate by using the -CA option:
    bind ssl service syslog_service -certkeyName server_cacert -CA

  5. Enable server authentication on the service:
    set ssl service syslog_service -serverAuth ENABLED

  6. Add an LB vserver of type TCP with an IP address of your choice and port 514. Add a SNIP in the subnet of the LB vserver IP:
    add lb vserver lb_vserver TCP <lb_vserver_ip> 514

  7. Bind the service to the LB vserver:
    bind lb vserver lb_vserver syslog_service

  8. Add a syslogaction with the LB VIP as the IP address, 514 as the port, and TCP as the transport:
    add syslogaction sys_act <lb_vserver_ip> -loglevel all -transport TCP -serverPort 514

  9. Add a syslogpolicy and bind the policy globally at the system level:
    add syslogpolicy sys_pol true sys_act
    bind syslogglobal -policyname sys_pol -priority 1

Send Audit Logs by Mutual Authentication

The following are the configuration steps on NetScaler for sending audit logs securely over an SSL connection with mutual authentication:

  1. Copy the CA certificate (the certificate of the Certificate Authority that issued the syslog server's certificate) to the NetScaler appliance, under the /nsconfig/ssl folder.
    • Issue the following command on the certificate:
      openssl x509 -noout -hash -in <ca_certificate>
      The result is a hash (for example 6d2962a8), a series of alphanumeric characters derived from the Distinguished Name of the certificate.

    • Issue the following command to create a symbolic link to the certificate, named with the hash returned by the previous command and the .0 suffix:
      ln -s <ca_certificate> 6d2962a8.0

  2. Add an SSL certkey that points to the CA certificate:
    add ssl certkey server_cacert -cert <path_to_ca_cert>

  3. Add an SSL certkey with the client certificate (NetScaler's own certificate) and its private key:
    add ssl certkey client_cacert -cert <path_to_client_cert> -key <path_to_client_key>

  4. Add a service of type SSL_TCP with the IP address of the syslog server and the port on which the syslog server listens for SSL connections:
    add service syslog_service <syslog_server_ip> SSL_TCP <syslog_server_port>

  5. Bind the server CA certkey to the service by using the -CA option:
    bind ssl service syslog_service -certkeyName server_cacert -CA

  6. Bind the client certkey to the service (this is the certificate NetScaler presents when the syslog server requests client authentication):
    bind ssl service syslog_service -certkeyName client_cacert

  7. Enable server authentication on the service:
    set ssl service syslog_service -serverAuth ENABLED

  8. Add an LB vserver of type TCP with an IP address of your choice and port 514. Add a SNIP in the subnet of the LB vserver IP:
    add lb vserver lb_vserver TCP <lb_vserver_ip> 514

  9. Bind the service to the LB vserver:
    bind lb vserver lb_vserver syslog_service

  10. Add a syslogaction with the LB VIP as the IP address, 514 as the port, and TCP as the transport:
    add syslogaction sys_act <lb_vserver_ip> -loglevel all -transport TCP -serverPort 514

  11. Add a syslogpolicy and bind the policy globally at the system level:
    add syslogpolicy sys_pol true sys_act
    bind syslogglobal -policyname sys_pol -priority 1

With this configuration, a SYSLOGTCP connection is established from the NetScaler IP (NSIP) to the load balancing vserver IP (LB VIP), and an SSL_TCP connection is established from the Subnet IP (SNIP) of NetScaler to the backend syslog server. The audit log messages are then sent to the syslog server over this SSL_TCP connection.
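As an added example (not from the Citrix article), the following POSIX shell helper covers step 1 of both procedures and the check a practitioner would want before enabling -serverAuth: it computes the subject hash, chooses the .0/.1/... suffix OpenSSL expects when two CAs share a hash, skips a CA that is already linked, and verifies that OpenSSL can find the CA through the hash directory. It assumes the openssl CLI is available in the shell where it runs; the trust directory is a parameter (on NetScaler, /nsconfig/ssl), and the second function's host and port are placeholders.

```shell
#!/bin/sh
# Added helper, not part of the Citrix article. Installs a CA certificate
# under its OpenSSL subject-hash name (<hash>.N) in a trust directory and
# verifies that OpenSSL can locate it there. Assumes the openssl CLI exists.

# install_ca_hash_link <ca_certificate.pem> <trust_dir>
# Prints the link name created or reused (e.g. 6d2962a8.0); non-zero on error.
install_ca_hash_link() {
  ca="$1"; dir="$2"
  # Same computation as the article's step 1: hash of the subject DN.
  hash=$(openssl x509 -noout -hash -in "$ca") || return 1
  # The SHA-256 fingerprint tells an already-installed copy of this CA
  # apart from a different CA that merely shares the subject hash.
  fp=$(openssl x509 -noout -fingerprint -sha256 -in "$ca") || return 1
  n=0
  while [ -e "$dir/$hash.$n" ]; do
    existing=$(openssl x509 -noout -fingerprint -sha256 -in "$dir/$hash.$n")
    if [ "$existing" = "$fp" ]; then
      echo "$hash.$n"      # this CA is already linked; nothing to do
      return 0
    fi
    n=$((n + 1))           # collision: OpenSSL tries .0, .1, .2, ... in turn
  done
  abs_ca="$(cd "$(dirname "$ca")" && pwd)/$(basename "$ca")"
  ln -s "$abs_ca" "$dir/$hash.$n" || return 1
  # Confirm the lookup works through the hash directory, which is how the
  # CA will be found once -serverAuth is enabled on the SSL service.
  openssl verify -CApath "$dir" "$ca" >/dev/null 2>&1 || return 1
  echo "$hash.$n"
}

# check_syslog_server_chain <syslog_server_ip> <syslog_server_port> <trust_dir>
# Connects to the syslog server's SSL listener and fails unless the
# certificate it presents chains to a CA in <trust_dir>. Run this before
# enabling -serverAuth so a misplaced CA does not silently stop log delivery.
check_syslog_server_chain() {
  openssl s_client -connect "$1:$2" -CApath "$3" -verify_return_error \
    </dev/null >/dev/null 2>&1
}
```

Calling install_ca_hash_link a second time with the same CA returns the existing link name instead of creating a .1 entry, so the helper is safe to re-run after a certificate rollover.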
