Network Logs
      Back to home
      1. Radiant Help Center
      2. Getting Started
      3. Network Logs

      Deploy a Radiant Security Syslog Collector

      Configure a local service that receives and forwards syslog logs to Radiant Security.

      Overview

      The Radiant Security Syslog Collector is needed in two cases: (1) to add TLS encryption when syslog providers do not support TLS, and (2) to add a custom field to each log so that Radiant Security knows the origin of the logs.

      This guide will show you how to set up a syslog forwarder that receives logs, prepends a custom field to it, and forwards it to Radiant Security’s infrastructure via syslog TLS.

      To do this, you’ll need to complete the following steps:

      Prerequisites

      • User must be able to deploy an Rsyslog configuration within their organization’s infrastructure
      • User must have the TLS certificate—and, if applicable, the connector token—in hand. These are given when you configure the log source in Radiant Security
      • Rsyslog system must be able to reach primary.syslog.radiantsecurity.ai and secondary.syslog.radiantsecurity.ai on tcp port 6514

      Determine the message string value

      The Rsyslog configuration file includes a message string value which determines how each log will be modified for forwarding.

      In the case of some connectors, we want to modify each log by adding the connector token as a log prefix. In order to do so, please take note of the value for <MESSAGE_STRING> as it will be used in the subsequent steps of this guide:

      Note: If the table entry for your connector type includes the placeholder <YOUR_CONNECTOR_TOKEN>, replace it with your actual connector token value. 

      Connector type <MESSAGE_STRING>
      Aruba ClearPass “rs_aruba_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"
      Barracuda “rs_barracuda_egd|<YOUR_CONNECTOR_TOKEN> %rawmsg%"
      Cisco FTD "rs_cisco_firepower_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"
      Cisco Meraki "rs_meraki_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"
      Forcepoint NGFW "rs_fngfw_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"
      SonicWall "%rawmsg%"
      Trend Micro Apex Central "rs_trendmicro_apex_central_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"

      Considerations for Ubuntu installation

      While the actual install of the Ubuntu operating system is beyond the scope of this article, here are some key points to consider:

      • We recommend installing a lightweight Ubuntu Server not Desktop as you do not need to have a graphical user interface (GUI). Rsyslog will be installed by default.
      • If installing in a virtual environment, we recommend allocating at least 4 CPU and 8GB of RAM.
      • We recommend assigning a static IP address to the Rsyslog machine. This avoids the need to modify each upstream ‘sender’.

      Rsyslog configuration

      Note: In the code snippet below, replace the <MESSAGE_STRING> on the template parameter with the string that corresponds to your connector type from the Determine the message string value section, e.g. for Cisco FTD, the template string should be string="rs_cisco_firepower_st|fds645fds8d4sdff2 %rawmsg%"

      1. To install Rsyslog and a package necessary for TLS, run the command: sudo apt install rsyslog rsyslog-openssl.
      2. Create a new /etc/rsyslog.d/49-radiant.conf file.
      3. Copy and paste the following script into the new file: 
        # disable listening to system logs, we only want to consider logs from UDP
        module(load="imuxsock" sysSock.Use="off")

        # forward event, prefixing with your Radiant Security token if applicable
        template(name="RadiantFormat" type="string" string=<MESSAGE_STRING>)

        ruleset(name="forwardToRadiantSecurity") {
            action(type="omfwd"
                protocol="tcp"
                target="primary.syslog.radiantsecurity.ai"
                port="6514"
                template="RadiantFormat"
                StreamDriver="ossl"
                StreamDriverMode="1"
                StreamDriverAuthMode="x509/name"
                StreamDriverPermittedPeers="*.syslog.radiantsecurity.ai"
                StreamDriver.CAFile="/etc/rsyslog.d/keys/ca.d/radiant_security_syslog_ca.pem"
                )
        }

        # UDP listener
        module(
            load="imudp"
        )
        # Start up UDP listener at port 6514
        input(
            type="imudp"
            port="6514"
            ruleset="forwardToRadiantSecurity"
        )
      4. Log in to Radiant Security.
      5. From the navigation menu, click Settings > Data Connectors and under your desired connector type, click View Details.
      6. Download the certificate file from Radiant Security:Untitled-1
      7. Place the file in the /etc/rsyslog.d/keys/ca.d/ folder. This file should be named radiant_security_syslog_ca.pem. If it is named something else, either rename it or modify the StreamDriver.CAFile line in the rsyslog config file.
      8. Restart rsysog with the command: sudo systemctl restart rsyslog.

      Rsyslog configuriation for Red Hat 8.6

      Note: In the code snippet, replace the <MESSAGE_STRING> with the message string value calculated in the first step of this guide.

      1. Install Rsyslog by running: yum install rsyslog.
      2. Install rsyslog-openssl by running: yum install rsyslog-openssl.
      3. Get the radiant_security_syslog_ca.pem file and place it into /etc/rsyslog.d/keys/ca.d/radiant_security_syslog_ca.pem.
      4. Copy and paste the following script into your /etc/rsyslog.conf: 
        global(
          DefaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca.d/radiant_security_syslog_ca.pem"
        )

        template(name="RadiantFormat-FTD" type="string" string=<MESSAGE_STRING>)

        ruleset(name="forwardToRadiantSecurity"){
            # Setup action for messages
            action(
                type="omfwd"
                target="primary.syslog.radiantsecurity.ai" port="6514" protocol="tcp"
                template="RadiantFormat-FTD"
                StreamDriver="ossl"
                StreamDriverMode="1"
                StreamDriverAuthMode="x509/name"
                StreamDriverPermittedPeers="*.syslog.radiantsecurity.ai"
            )
            action(
                type="omfwd"
                target="secondary.syslog.radiantsecurity.ai" port="6514" protocol="tcp"
                template="RadiantFormat-FTD"
                StreamDriver="ossl"
                StreamDriverMode="1"
                StreamDriverAuthMode="x509/name"
                StreamDriverPermittedPeers="*.syslog.radiantsecurity.ai"
                action.execOnlyWhenPreviousIsSuspended="on"
            )
            action(
                type="omfile" file="/var/log/localbuffer"
                action.execOnlyWhenPreviousIsSuspended="on"
            )
        }

        # UDP listener
        module(
            load="imudp"
        )
        # Start up UDP listener at port 6514
        input(
            type="imudp"
            port="6514"
            ruleset="forwardToRadiantSecurity"
        )

         

        We value your opinion. Did you find this article helpful? Share your thoughts by clicking here or reach to our Product and Customer Success teams at support@radiantsecurity.ai 

         

        Last updated: 2024-08-23