SDWAN Cisco IOS XE TLS Syslog Configuration on syslog-ng Server

Available Languages

Download Options

PDF (297.2 KB)
View with Adobe Reader on a variety of devices
ePub (346.9 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi (Kindle) (209.6 KB)
View on Kindle device or Kindle app on multiple devices

Updated:December 19, 2024

Document ID:222665

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes a comprehensive guide to configuring a TLS Syslog server on SD-WAN Cisco IOS® XE devices.

Prerequisites

Before proceeding with the configuration of a TLS Syslog server on SD-WAN Cisco IOS XE devices, ensure that you meet the requirements:

Requirements

Cisco recommends that you have knowledge of these topics:

SD-WAN Controllers - Ensure your network includes properly configured SD-WAN controllers.
Cisco IOS XE SD-WAN Router - A compatible router running the Cisco IOS XE SD-WAN image.
Syslog Server - An Ubuntu-based Syslog server, such as syslog-ng, in order to collect and manage log data.

Components Used

The information in this document is based on these software and hardware versions:

vManage: Version 20.9.4
Cisco IOS XE SD-WAN: Version 17.9.4
Ubuntu: Version 22.04
syslog-ng: Version 3.27

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Configuration

1. Installation of syslog-ng on Ubuntu Machine

In order to set up syslog-ng on your Ubuntu server, pursue these steps to ensure proper installation and configuration.

Step 1. Configure Network Settings

After installing Ubuntu Server, configure a static IP address and DNS server in order to ensure the machine can access the internet. This is crucial for downloading packages and updates.

Step 2. Install syslog-ng

Open a terminal on your Ubuntu machine and run:

sudo apt-get install syslog-ng
sudo apt-get install syslog-ng openssl

2. Install Root Certificate Authority on Syslog Server for Server Authentication

Create Directories and Generate Keys

cd /etc/syslog-ng
mkdir cert.d key.d ca.d
cd cert.d
openssl genrsa -out ca.key 2048
openssl req -new -x509 -key ca.key -out PROXY-SIGNING-CA.ca -days 730

# Copy key to the key.d folder
cp ca.key ../key.d

Calculate Fingerprint

Run the command and copy the output:

openssl x509 -in PROXY-SIGNING-CA.ca -fingerprint -noout | awk -F "=" '{print $2}' | sed 's/://g' | tee fingerprint.txt
# Example output: 54F371C8EE2BFB06E2C2D0944245C288FBB07163

3. Configure syslog-ng Server Configuration File

Edit the syslog-ng configuration file:

sudo nano /etc/syslog-ng/syslog-ng.conf

Add the configuration:

source s_src {
    network(
        ip(0.0.0.0) port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/key.d/ca.key")
            cert-file("/etc/syslog-ng/cert.d/PROXY-SIGNING-CA.ca")
            peer-verify(optional-untrusted)
        )
    );
};

destination remote {
    file("/var/log/syslog");
};

log { source(s_src); destination(remote); };

4. Install Root Certificate Authority on Cisco IOS XE SD-WAN Device for Server Authentication

Configure from CLI

Enter configuration mode:

config-t

Configure the trustpoint:

crypto pki trustpoint PROXY-SIGNING-CA
  enrollment url bootflash:
  revocation-check none
  rsakeypair PROXY-SIGNING-CA 2048
  subject-name cn=proxy-signing-cert
  fqdn none
  fingerprint 54F371C8EE2BFB06E2C2D0944245C288FBB07163 >> The fingerprint configured was obtained from the fingerprint.txt file above
commit

Copy the PROXY-SIGNING-CA.ca file from your syslog server to the router bootflash using the same name.
Authenticate the trustpoint:

crypto pki authenticate PROXY-SIGNING-CA

example:
Router#crypto pki authenticate PROXY-SIGNING-CA
Reading file from bootflash:PROXY-SIGNING-CA.ca
Certificate has the  attributes:
Fingerprint MD5: 7A97B30B 2AE458FF D9E7D91F 66488DCF
Fingerprint SHA1: 21E0F09B B67B2E9D 706DBE69 856E5AA3 D39A268A
Trustpoint Fingerprint: 21E0F09B B67B2E9D 706DBE69 856E5AA3 D39A268A
Certificate validated - fingerprints matched.
Trustpoint CA certificate accepted.

Enroll the trustpoint:

crypto pki enroll PROXY-SIGNING-CA

example:
vm32#crypto pki enroll PROXY-SIGNING-CA
Start certificate enrollment ..
The subject name in the certificate will include: cn=proxy-signing-cert
The fully-qualified domain name will not be included in the certificate
Certificate request sent to file system
The 'show crypto pki certificate verbose PROXY-SIGNING-CA' commandwill show the fingerprint.

Copy the PROXY-SIGNING-CA.req file from the router to the syslog server.

Sign the Certificate on the Syslog Server

openssl x509 -in PROXY-SIGNING-CA.req -req -CA PROXY-SIGNING-CA.ca -CAkey ca.key -out PROXY-SIGNING-CA.crt -CAcreateserial -extensions ca_extensions

Copy the generated file (PROXY-SIGNING-CA.crt) to the router bootflash. copy scp: bootflash:
Import the certificate:

crypto pki import PROXY-SIGNING-CA certificate
example:
Router# crypto pki import PROXY-SIGNING-CA certificate
% The fully-qualified domain name will not be included in the certificate
% Request to retrieve Certificate queued

Validate the Configuration

show crypto pki trustpoint PROXY-SIGNING-CA status

example:
Router#show crypto pki trustpoint PROXY-SIGNING-CA status
Trustpoint PROXY-SIGNING-CA:
Issuing CA certificate configured:
Subject Name:
o=Internet Widgits Pty Ltd,st=Some-State,c=AU
Fingerprint MD5: 7A97B30B 2AE458FF D9E7D91F 66488DCF
Fingerprint SHA1: 21E0F09B B67B2E9D 706DBE69 856E5AA3 D39A268A
Router General Purpose certificate configured:
Subject Name:
cn=proxy-signing-cert
Fingerprint MD5: 140A1EAB FE945D56 D1A53855 FF361F3F
Fingerprint SHA1: ECA67413 9C102869 69F582A4 73E2B98C 80EFD6D5
Last enrollment status: Granted
State:
Keys generated ............. Yes (General Purpose, non-exportable)
Issuing CA authenticated ....... Yes
Certificate request(s) ..... Yes

5. Configure TLS Syslog Server on Cisco IOS XE SD-WAN Router

Configure the syslog server using the commands:

logging trap syslog-format rfc5424
logging source-interface GigabitEthernet0/0/0
logging tls-profile tls-profile
logging host X.X.X.X transport tls profile tls-profile
tls-version TLSv1.2

6. Verifications

Check Logs on the Router

show logging

Showing last 10 lines
Log Buffer (512000 bytes):
Apr 9 05:59:48.025: %DMI-5-CONFIG_I: R0/0: dmiauthd: Configured from NETCONF/RESTCONF by admin, transaction-id 189410
Apr 9 05:59:48.709: %DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'vmanage-admin' authenticated successfully from 1.1.1.1:58393 for netconf over ssh. External groups:
Apr 9 05:59:50.015: %LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
Apr 9 05:59:51.016: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
Apr 9 05:59:52.242: %SYS-5-CONFIG_P: Configured programmatically by process iosp_dmiauthd_conn_100001_vty_100001 from console as admin on vty4294966494

Check Logs on the Syslog Server

tail -f /var/log/syslog

root@server1:/etc/syslog-ng# tail -f /var/log/syslog
Apr 9 15:51:14 10.66.91.94 188 <189>1 2024-04-09T05:51:51.037Z - - - - - BOM%DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'vmanage-admin' authenticated successfully from 1.1.1.1:38032 for netconf over ssh. External groups:
Apr 9 15:59:10 10.66.91.94 177 <189>1 2024-04-09T05:59:47.463Z - - - - - BOM%SYS-5-CONFIG_P: Configured programmatically by process iosp_dmiauthd_conn_100001_vty_100001 from console as admin on vty4294966494
Apr 9 15:59:10 10.66.91.94 177 <189>1 2024-04-09T05:59:47.463Z - - - - - BOM%SYS-5-CONFIG_P: Configured programmatically by process iosp_dmiauthd_conn_100001_vty_100001 from console as admin on vty4294966494
Apr 9 15:59:10 10.66.91.94 143 <189>1 2024-04-09T05:59:47.463Z - - - - - BOM%DMI-5-CONFIG_I: R0/0: dmiauthd: Configured from NETCONF/RESTCONF by admin, transaction-id 189410
Apr 9 15:59:11 10.66.91.94 188 <189>1 2024-04-09T05:59:48.711Z - - - - - BOM%DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'vmanage-admin' authenticated successfully from 1.1.1.1:58393 for netconf over ssh. External groups:
Apr 9 15:59:13 10.66.91.94 133 <189>1 2024-04-09T05:59:50.016Z - - - - - BOM%LINK-5-CHANGED: Interface GigabitEthernet0/0/1, changed state to administratively down
Apr 9 15:59:13 10.66.91.94 137 <189>1 2024-04-09T05:59:50.016Z - - - - - BOM%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to down
Apr 9 15:59:15 10.66.91.94 177 <189>1 2024-04-09T05:59:52.242Z - - - - - BOM%SYS-5-CONFIG_P: Configured programmatically by process iosp_dmiauthd_conn_100001_vty_100001 from console as admin on vty4294966494
Apr 9 15:59:15 10.66.91.94 177 <189>1 2024-04-09T05:59:52.242Z - - - - - BOM%SYS-5-CONFIG_P: Configured programmatically by process iosp_dmiauthd_conn_100001_vty_100001 from console as admin on vty4294966494
Apr 9 15:59:18 10.66.91.94 188 <189>1 2024-04-09T05:59:55.286Z - - - - - BOM%DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'vmanage-admin' authenticated successfully from 1.1.1.1:34575 for netconf over ssh. External groups:
Apr 9 15:59:21 10.66.91.94 113 <187>1 2024-04-09T05:59:58.882Z - - - - - BOM%LINK-3-UPDOWN: Interface GigabitEthernet0/0/1, changed state to up
Apr 9 15:59:21 10.66.91.94 135 <189>1 2024-04-09T05:59:59.882Z - - - - - BOM%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0/1, changed state to up
Apr 9 15:59:28 10.66.91.94 177 <189>1 2024-04-09T06:00:05.536Z - - - - - BOM%SYS-5-CONFIG_P: Configured programmatically by process iosp_dmiauthd_conn_100001_vty_100001 from console as admin on vty4294966494
Apr 9 15:59:43 10.66.91.94 188 <189>1 2024-04-09T06:00:20.537Z - - - - - BOM%DMI-5-AUTH_PASSED: R0/0: dmiauthd: User 'vmanage-admin' authenticated successfully from 1.1.1.1:43530 for netconf over ssh. External groups:

Packet capture screenshot and you can see encrypted communications happening:

Packet Capture Screenshot

ISR4331-branch-NEW_Branch#show logging

Trap logging: level informational, 6284 message lines logged
    Logging to 10.66.91.170  (tls port 6514, audit disabled,
          link up),
          131 message lines logged, 
          0 message lines rate-limited, 
          0 message lines dropped-by-MD, 
          xml disabled, sequence number disabled
          filtering disabled
          tls-profile: tls-proile
    Logging Source-Interface:       VRF Name:
    GigabitEthernet0/0/0            
TLS Profiles: 
    Profile Name: tls-proile
          Ciphersuites: Default
          Trustpoint: Default
          TLS version: TLSv1.2

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Revision History

Revision	Publish Date	Comments
1.0	18-Dec-2024	Initial Release

Contributed by Cisco Engineers

Md Aamir Sadique
Cisco TAC Technical Leader

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)

This Document Applies to These Products

XE SD-WAN Routers