Configuring Secure Forwarding

Configuring secure forwarding includes setting the mode for the particular syslog host and setting the TCP port through which the logs are sent to the syslog server.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Create the syslog host:

    syslog host <1–10>

    Use the no operator before this parameter, that is, no syslog host to delete a host instance.

  3. Configure an IP address for the syslog host:

    syslog host <1–10> address WORD<0–46>

  4. Enable the syslog host:

    syslog host <1–10> enable

  5. Enable syslog globally:

    syslog enable

  6. Set the mode for secure forwarding on the host:

    syslog host <1–10> secure-forwarding mode <none | tls [server-cert-name WORD<1-64>]>

  7. Set the TCP port:

    syslog host <1–10> secure-forwarding tcp-port <1025–49151>

  8. Display the secure forwarding configured values:

    show syslog host <1–10>

  9. Optional: Remove the server certificate name:

    no syslog host <1–10> secure-forwarding mode tls server-cert-name

  10. Optional: Set secure-forwarding mode to none for a particular host:

    default syslog host <1–10> secure-forwarding mode

What to do next

After configuring secure forwarding on the switch, set the syslog server to be able to see the log messages on the interactive syslog viewer.

  • For TLS secure syslog, on the rsyslog server, configure the server to use TLS method and install the root certificate on the server in the switch.

Variable Definitions

The following table defines parameters for the syslog host command.

Variable

Value

host <1–10>

Specifies the ID for the syslog host. The range is 1–10.

address WORD<0–46>

Configures a host location for the syslog host. WORD <0–46> is the IPv4 or IPv6 address of the UNIX system syslog host in the format A.B.C.D or x:x:x:x:x:x:x:x. You can log system log messages to external system log hosts with both IPv4 and IPv6 addresses with no difference in functionality or configuration using CLI.

enable

Enables the syslog host. Use the no operator before this parameter, no syslog host enable to disable syslog host. The default is disabled.

secure-forwarding

Adds protected syslog using remote port forwarding for host.

The following table defines parameters for the syslog host secure-forwarding command.

Variable

Value

host <1–10>

Creates and configures a host instance. Use the no operator before this parameter, no syslog host to delete a host instance.

mode <none | tls [server-cert-name WORD<1-64>]>

Specifies the mode of secure forwarding of syslog on the host. The default mode is none, that is, tls mode is disabled by default.

Note:

Certificate validation is done only if the server-cert-name is configured.

tcp-port <1025–49151>

Set tcp-port for secure forwarding of syslog for host. The default tcp-port is 1025.

To set the TCP port to default value, use command default syslog host <1–10> secure-forwarding tcp-port.

Important:

The tcp-port 6000 cannot be used, as it is used as an internal port for Internal Spanning Tree (IST).