Configure a local service that receives and forwards syslog logs to Radiant Security.
Overview
The Radiant Security Syslog Collector is needed in these two cases: (1) to add TLS encryption when syslog providers do not support TLS, and (2) to add a custom field to each log so that Radiant Security knows the origin of the logs.
This guide will show you how to set up a syslog forwarder that receives logs, prepends a custom field to each one, and forwards them to Radiant Security's infrastructure via syslog over TLS.
To do this, you’ll need to complete the following steps:
- Determine the message string value
- Considerations for Ubuntu installation
- Rsyslog configuration
- Considerations for Red Hat installation
- Rsyslog configuration for Red Hat 8.6
Prerequisites
- User must be able to deploy an Rsyslog configuration within their organization’s infrastructure
- User must have the TLS certificate—and, if applicable, the connector token—in hand. These are given when you configure the log source in Radiant Security
- The Rsyslog system must be able to reach primary.syslog.radiantsecurity.ai and secondary.syslog.radiantsecurity.ai on TCP port 6514
Determine the message string value
The Rsyslog configuration file includes a message string value which determines how each log will be modified before it gets forwarded.
In the case of some connectors, we want to modify each log by adding the connector token as a log prefix. To do so, take note of the <MESSAGE_STRING> value for your connector type, as it will be used in the subsequent steps of this guide:
Note: If the table entry for your connector type includes the placeholder <YOUR_CONNECTOR_TOKEN>, replace it with your actual connector token value.
Connector type           | <MESSAGE_STRING>                                              |
-------------------------|---------------------------------------------------------------|
Aruba ClearPass          | "rs_aruba_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"                 |
Barracuda                | "rs_barracuda_egd|<YOUR_CONNECTOR_TOKEN> %rawmsg%"            |
Check Point Firewall     | "rs_checkpoint_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"            |
Cisco FTD                | "rs_cisco_firepower_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"       |
Cisco Meraki             | "rs_meraki_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"                |
Forcepoint NGFW          | "rs_fngfw_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"                 |
FortiGate/FortiAnalyzer  | "%rawmsg%"                                                    |
SonicWall                | "%rawmsg%"                                                    |
Trend Micro Apex Central | "rs_trendmicro_apex_central_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%" |
Vectra NDR               | "rs_vectra_ndr_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"            |
Vectra Stream            | "rs_vectra_stream_st|<YOUR_CONNECTOR_TOKEN> %rawmsg%"         |
ZScaler NSS              | "%rawmsg%"                                                    |
Considerations for Ubuntu installation
While the actual install of the Ubuntu operating system is beyond the scope of this article, here are some key points to consider:
- We recommend installing a lightweight Ubuntu Server, not Desktop, as you do not need a graphical user interface (GUI). Rsyslog is installed by default.
- If installing in a virtual environment, we recommend allocating at least 4 CPU and 8GB of RAM.
- We recommend assigning a static IP address to the Rsyslog machine. This avoids the need to modify each upstream ‘sender’.
Rsyslog configuration
Note: In the code snippet below, replace <MESSAGE_STRING> on the template parameter with the string that corresponds to your connector type from the Determine the message string value section. For example, for Cisco FTD, the template string should be string="rs_cisco_firepower_st|fds645fds8d4sdff2 %rawmsg%"
- To install Rsyslog and the package needed for TLS, run the command:
  sudo apt install rsyslog rsyslog-openssl
- Create a new /etc/rsyslog.d/49-radiant.conf file.
- Copy and paste the following script into the new file:

# disable the local system-log socket; this host should only forward what arrives on the network listeners below
module(load="imuxsock" sysSock.Use="off")
# forward each event, prefixing it with your Radiant Security token if applicable
template(name="RadiantFormat" type="string" string=<MESSAGE_STRING>)
ruleset(name="forwardToRadiantSecurity") {
  action(type="omfwd"
    protocol="tcp"
    target="primary.syslog.radiantsecurity.ai"
    port="6514"
    template="RadiantFormat"
    StreamDriver="ossl"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="*.syslog.radiantsecurity.ai"
    StreamDriver.CAFile="/etc/rsyslog.d/keys/ca.d/radiant_security_syslog_ca.pem"
  )
}
# UDP listener
module(
  load="imudp"
)
# Start up UDP listener at port 514
input(
  type="imudp"
  port="514"
  ruleset="forwardToRadiantSecurity"
)
# TCP listener
module(
  load="imtcp"
)
# Start up TCP listener at port 514
input(
  type="imtcp"
  port="514"
  ruleset="forwardToRadiantSecurity"
)

- Log in to Radiant Security.
- From the navigation menu, click Settings > Data Connectors and under your desired connector type, click View Details.
- Download the certificate file from Radiant Security.
- Place the file in the /etc/rsyslog.d/keys/ca.d/ folder. This file should be named radiant_security_syslog_ca.pem. If it is named something else, either rename it or modify the StreamDriver.CAFile line in the rsyslog config file.
- Restart rsyslog with the command:
  sudo systemctl restart rsyslog
Considerations for Red Hat installation
While the actual install of the Red Hat operating system is beyond the scope of this article, here are some key points to consider:
- We recommend installing a lightweight Red Hat Server as you do not need to have a graphical user interface (GUI).
- If installing in a virtual environment, we recommend allocating at least 4 CPU and 8GB of RAM.
- We recommend assigning a static IP address to the Rsyslog machine. This avoids the need to modify each upstream ‘sender’.
Rsyslog configuration for Red Hat 8.6
Note: In the code snippet below, replace <MESSAGE_STRING> with the message string value determined in the first step of this guide.
- Install Rsyslog by running:
  yum install rsyslog
- Install rsyslog-openssl by running:
  yum install rsyslog-openssl
- Get the radiant_security_syslog_ca.pem file and place it at /etc/rsyslog.d/keys/ca.d/radiant_security_syslog_ca.pem.
- Copy and paste the following script into your /etc/rsyslog.conf:

global(
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/keys/ca.d/radiant_security_syslog_ca.pem"
)
template(name="RadiantFormat-FTD" type="string" string=<MESSAGE_STRING>)
ruleset(name="forwardToRadiantSecurity") {
  # Primary collector
  action(
    type="omfwd"
    target="primary.syslog.radiantsecurity.ai" port="6514" protocol="tcp"
    template="RadiantFormat-FTD"
    StreamDriver="ossl"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="*.syslog.radiantsecurity.ai"
  )
  # Secondary collector, used only while the primary action is suspended
  action(
    type="omfwd"
    target="secondary.syslog.radiantsecurity.ai" port="6514" protocol="tcp"
    template="RadiantFormat-FTD"
    StreamDriver="ossl"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="*.syslog.radiantsecurity.ai"
    action.execOnlyWhenPreviousIsSuspended="on"
  )
  # Local buffer file, written only while the forwarding actions above are suspended
  action(
    type="omfile" file="/var/log/localbuffer"
    action.execOnlyWhenPreviousIsSuspended="on"
  )
}
# UDP listener
module(
  load="imudp"
)
# Start up UDP listener at port 514
input(
  type="imudp"
  port="514"
  ruleset="forwardToRadiantSecurity"
)
# TCP listener
module(
  load="imtcp"
)
# Start up TCP listener at port 514
input(
  type="imtcp"
  port="514"
  ruleset="forwardToRadiantSecurity"
)

- Restart rsyslog with the command:
  sudo systemctl restart rsyslog
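The following script is a post-deployment check for either installation above (Ubuntu or Red Hat). It is an added example written for this guide, not a Radiant Security tool. It assumes the rsyslog config path is passed as its first argument (defaulting to /etc/rsyslog.d/49-radiant.conf), that openssl, rsyslogd and the util-linux logger may or may not be installed (checks that need a missing tool are skipped), and that the collector's certificate chains to the downloaded CA file, which is the same trust check rsyslog's ossl driver performs before it forwards anything.

```shell
#!/bin/sh
# Post-deployment check for the Radiant Security rsyslog forwarder.
# Added example for this guide, not a Radiant Security tool. Assumes the
# config path is $1 (default /etc/rsyslog.d/49-radiant.conf); openssl,
# rsyslogd and util-linux logger are optional.

RADIANT_HOSTS="primary.syslog.radiantsecurity.ai secondary.syslog.radiantsecurity.ai"
RADIANT_PORT=6514
CA_FILE_DEFAULT="/etc/rsyslog.d/keys/ca.d/radiant_security_syslog_ca.pem"

# Return 0 when neither guide placeholder survives in the config, 1 otherwise.
# A leftover <MESSAGE_STRING> is a syntax error; a leftover
# <YOUR_CONNECTOR_TOKEN> forwards logs Radiant Security cannot attribute.
conf_placeholders_replaced() {
    if grep -q -e '<MESSAGE_STRING>' -e '<YOUR_CONNECTOR_TOKEN>' "$1"; then
        return 1
    fi
    return 0
}

# Print the CA file the config references, either the per-action
# StreamDriver.CAFile (Ubuntu snippet) or the global
# DefaultNetstreamDriverCAFile (Red Hat snippet); fall back to the guide's path.
conf_ca_file() {
    path=$(sed -En 's/.*(StreamDriver\.CAFile|DefaultNetstreamDriverCAFile)="([^"]*)".*/\2/p' "$1" | head -n 1)
    if [ -n "$path" ]; then
        printf '%s\n' "$path"
    else
        printf '%s\n' "$CA_FILE_DEFAULT"
    fi
}

# Return 0 when the CA file is readable and (if openssl is present) parses as PEM.
ca_file_ok() {
    [ -r "$1" ] || return 1
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -in "$1" >/dev/null 2>&1 || return 1
    fi
    return 0
}

# Return 0 when a TLS session to host:port verifies against the CA file,
# i.e. the trust check rsyslog's ossl driver must pass before forwarding.
tls_endpoint_ok() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

main() {
    conf="${1:-/etc/rsyslog.d/49-radiant.conf}"
    rc=0
    if conf_placeholders_replaced "$conf"; then
        echo "ok:   no placeholders left in $conf"
    else
        echo "FAIL: <MESSAGE_STRING> or <YOUR_CONNECTOR_TOKEN> still present in $conf"
        rc=1
    fi
    ca=$(conf_ca_file "$conf")
    if ca_file_ok "$ca"; then
        echo "ok:   CA file $ca is readable and a PEM certificate"
    else
        echo "FAIL: CA file $ca is missing, unreadable or not a PEM certificate"
        rc=1
    fi
    # rsyslog's own parse-only run over /etc/rsyslog.conf and /etc/rsyslog.d/*.conf
    if command -v rsyslogd >/dev/null 2>&1; then
        if rsyslogd -N1 >/dev/null 2>&1; then
            echo "ok:   rsyslogd -N1 accepts the configuration"
        else
            echo "FAIL: rsyslogd -N1 rejected the configuration (run it by hand for details)"
            rc=1
        fi
    fi
    if command -v openssl >/dev/null 2>&1; then
        for host in $RADIANT_HOSTS; do
            if tls_endpoint_ok "$host" "$RADIANT_PORT" "$ca"; then
                echo "ok:   verified TLS session to $host:$RADIANT_PORT"
            else
                echo "FAIL: no verified TLS session to $host:$RADIANT_PORT (firewall, DNS or wrong CA file)"
                rc=1
            fi
        done
    fi
    # Send one marker event through the local UDP listener; it should arrive at
    # Radiant Security carrying the connector prefix from the message-string table.
    if command -v logger >/dev/null 2>&1; then
        logger -n 127.0.0.1 -P 514 -d "radiant-forwarder-check $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "sent: marker event to 127.0.0.1:514/udp"
    fi
    return $rc
}

# Run the checks only when a config path is given on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root after the restart step, for example sh radiant_forwarder_check.sh /etc/rsyslog.d/49-radiant.conf on Ubuntu or sh radiant_forwarder_check.sh /etc/rsyslog.conf on Red Hat. Each FAIL line points back at the step to revisit; a configuration that passes every check but still shows nothing at Radiant Security usually means the upstream senders are not yet pointed at this host on port 514.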
Last updated: 2025-01-14