System Logging over Transport Layer Security (TLS)
System Log (syslog) messages indicate the health of the device and provide valuable information about any problems encountered. By default, the syslog process sends messages to the console terminal.
Due to limited size of the logging buffer in a router, these syslog messages get overwritten in a short time. Moreover, the logging buffer doesn’t retain syslogs across router reboots. To avoid these issues, you can configure the router to send syslog messages to an external syslog server for storage.
Note |
For more information on configuring system logging, see Implementing System Logging chapter in the System Monitoring Configuration Guide for Cisco 8000 Series Routers |
Traditionally, routers transfer syslogs to an external syslog server using User Datagram Protocol (UDP), which is an insecure way of transferring logs. To guarantee secure transport of syslogs, the Cisco 8000 Series Router supports Secure Logging based on RFC 5425 (Transport Layer Security Transport Mapping for Syslog). With this feature, the router sends syslogs to a remote server, over a trusted channel which implements the secure Transport Layer Security (TLS) encryption protocol.
TLS ensures secure transport of syslogs by:
-
Authenticating the server and client
-
Encrypting the syslog data transferred
-
Verifying the integrity of data
The is the TLS client and remote syslog server is the TLS server. TLS runs over Transmission Control Protocol (TCP). So, the client must complete the TCP handshake with the server before starting TLS handshake.
Sequence of TLS Handshake
To establish the TLS session, the following interactions take place between the router and the syslog server after TCP handshake is complete:
-
The router sends Client Hello message to the server to begin TLS handshake.
-
The server shares its TLS certificate, which contains its public key and a unique session key, with the router to establish a secure connection. Each TLS certificate consists of a key pair made of a public key and private key.
-
The router confirms the server certificate with the Certification Authority and checks the validity of the TLS certificate. Then, the router sends a Change Cipher Spec message to the server to indicate that messages sent are encrypted using the negotiated key and algorithm.
-
The server decrypts the message using its private key. And then, sends back a Change Cipher Spec message encrypted with the session key to complete the TLS handshake and establish the session.
For more information on configuring Certification Authority interoperability, refer Implementing Certification Authority Interoperability chapter in this guide.