Secure Syslog

Syslog is a standard used to send event log messages to devices within a network. The switch sends event messages to a logging server called a syslog server. The syslog server stores the log messages and displays them for event reporting. Syslog messages are used for monitoring system activities and troubleshooting.

The secure syslog feature adds security and authenticated access to the plain text event log messages that are communicated between a remote syslog server and a syslog client. The secure syslog feature helps prevent unauthorized access to confidential data transmitted on an unsecured communication channel between a remote syslog server and client.

To implement the security, this feature employs port forwarding using Transport Layer Security (TLS) to provide encrypted communication between a syslog server and client.

After starting the syslog server, to ensure authentication, you must set up a remote port forwarding connection to connect the switch with a remote TLS Server.

TLS Client for Secure Syslog

The syslog server is installed on a host that serves as a TLS Server. The switch plays the role of a TLS client for secure syslog. A TLS handshake is initiated between the syslog server and the switch. The syslog server transmits a certificate which has a subject common name and an optional subject alternative name (SAN). The subject common name is always present in the certificate but the SAN is optional. The server-cert-name must match the SAN name, if present in the certificate. If the SAN name is not present, the server-cert-name must match the subject common name. Otherwise, TLS negotiation fails and the connection to the server is closed. If the server-cert-name part is not configured, this check is not done.
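
The name check described above, written out as an added example (not the switch's own code). Certificates are represented in the dict layout that Python's ssl.SSLSocket.getpeercert() returns; the function names, the sample certificates, and the case-insensitive exact match without wildcard handling are assumptions made for illustration.

```python
# Added illustration of the server-cert-name rule described above.
# Certificates use the dict layout returned by Python's ssl.SSLSocket.getpeercert().
from typing import Optional


def subject_common_name(cert: dict) -> Optional[str]:
    """Return the first commonName in the certificate subject, if any."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def san_names(cert: dict) -> list:
    """Return all subject alternative name values (DNS names, IP addresses)."""
    return [value for _kind, value in cert.get("subjectAltName", ())]


def server_cert_name_ok(cert: dict, server_cert_name: Optional[str]) -> bool:
    """True if the TLS session may proceed under the rule in the text."""
    if not server_cert_name:
        # No server-cert-name configured: the name check is skipped entirely.
        return True
    wanted = server_cert_name.strip().lower()
    sans = san_names(cert)
    if sans:
        # SAN present: it takes precedence and the common name is ignored.
        # Assumption: case-insensitive exact match, no wildcard handling.
        return any(wanted == name.lower() for name in sans)
    cn = subject_common_name(cert)
    return cn is not None and wanted == cn.lower()


# Constructed sample certificates (not taken from any real server).
CERT_CN_ONLY = {"subject": ((("commonName", "syslog1.example.test"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "syslog1.example.test"),),),
    "subjectAltName": (("DNS", "logs.example.test"),),
}

if __name__ == "__main__":
    for label, cert, name in [
        ("CN only, name matches CN", CERT_CN_ONLY, "syslog1.example.test"),
        ("SAN present, name matches CN only", CERT_WITH_SAN, "syslog1.example.test"),
        ("SAN present, name matches SAN", CERT_WITH_SAN, "logs.example.test"),
        ("no server-cert-name configured", CERT_WITH_SAN, None),
    ]:
        print(f"{label}: {'accept' if server_cert_name_ok(cert, name) else 'close'}")
```

The second case is the one that commonly surprises operators: once a SAN is present, a server-cert-name that matches only the common name is rejected. The last case shows that leaving server-cert-name unconfigured means this check accepts any certificate name.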

After the TLS handshake is successful, the log messages sent from the switch to the syslog server are encrypted. The syslog server decrypts these messages using a private key. The server then stores the messages or forwards them to other servers.

This feature supports Rsyslog, syslog-ng, and stunnel, which are Linux-based open-source syslog servers for TLS tunneling. Ensure you use the correct version of these applications or the switch displays a no cipher match error and the TLS communication fails.

Automatic Reconnection

If connectivity fails between the switch and the syslog server, the syslog host remains enabled and the switch attempts to reconnect with the syslog server every two minutes. This automatic reconnection occurs only if the following conditions are true:

Note

If the route to the syslog server is removed from the switch and the IP address is not reachable, the switch does not try to reconnect after two minutes if there are no syslog messages in the queue. A TCP connection can take up to two hours to time out after a connectivity issue. You can use the logging write test command to send a test message to the server and force the syslog application to reconnect. You can also configure the TCP keepalive interval using either CLI (Configure TCP Keepalive and TCP Timestamp) or EDM (Configure TCP Keepalive and TCP Timestamp).

Log messages on the console indicate connection issues between the switch and syslog server or with the TLS session. You can also use trace to diagnose connection issues. Use trace level 28 for syslog or trace level 115 for TLS.