Implementing Secure Logging

This chapter describes the implementation of secure logging over Transport Layer Security (TLS). TLS, the successor of Secure Socket Layer (SSL), is an encryption protocol designed for data security over networks.

Table 1. Feature History Table

Release

Modification

Release 7.0.12

This feature was introduced.

System Logging over Transport Layer Security (TLS)

System Log (syslog) messages indicate the health of the device and provide valuable information about any problems encountered. By default, the syslog process sends messages to the console terminal.

Due to limited size of the logging buffer in a router, these syslog messages get overwritten in a short time. Moreover, the logging buffer doesn’t retain syslogs across router reboots. To avoid these issues, you can configure the router to send syslog messages to an external syslog server for storage.


Note


For more information on configuring system logging, see Implementing System Logging chapter in the System Monitoring Configuration Guide for Cisco 8000 Series Routers


Traditionally, routers transfer syslogs to an external syslog server using User Datagram Protocol (UDP), which is an insecure way of transferring logs. To guarantee secure transport of syslogs, the Cisco 8000 Series Router supports Secure Logging based on RFC 5425 (Transport Layer Security Transport Mapping for Syslog). With this feature, the router sends syslogs to a remote server, over a trusted channel which implements the secure Transport Layer Security (TLS) encryption protocol.

TLS ensures secure transport of syslogs by:

  • Authenticating the server and client

  • Encrypting the syslog data transferred

  • Verifying the integrity of data

The router is the TLS client and remote syslog server is the TLS server. TLS runs over Transmission Control Protocol (TCP). So, the client must complete the TCP handshake with the server before starting TLS handshake.

Sequence of TLS Handshake

Figure 1. TLS Handshake

To establish the TLS session, the following interactions take place between the router and the syslog server after TCP handshake is complete:

  1. The router sends Client Hello message to the server to begin TLS handshake.

  2. The server shares its TLS certificate, which contains its public key, with the router to establish a secure connection.

  3. The router confirms the server certificate with the Certification Authority and checks the validity of the TLS certificate. Then, the router sends a Change Cipher Spec message to the server to indicate that messages sent are encrypted using the negotiated key and algorithm.

  4. The server decrypts the message using its private key. And then, sends back a Change Cipher Spec message encrypted with the session key to complete the TLS handshake and establish the session.

For more information on configuring Certification Authority interoperability, refer Implementing Certification Authority Interoperability chapter in this guide.

Restrictions for Syslogs over TLS

The following restrictions apply for sending syslogs to a remote syslog server over TLS:

  • While configuring the settings for the syslog server on the router, specify only one server identifier, either the hostname or the ipv4/v6 address.

  • In the TLS certificate of the syslog server, if Subject Alternative Name (SAN) field matches the configured server hostname but Common Name (CN) field doesn’t match the configured server hostname, TLS session setup fails.

Configuring Syslogs over TLS

The following steps show how to configure syslog over TLS:

  1. Configure the trust-point for establishing the TLS channel as shown:

    Router#conf t
    Router(config)#crypto ca trustpoint tp
    Router(config-trustp)#subject-name CN=new
    Router(config-trustp)#enrollment terminal
    Router(config-trustp)#rsakeypair k1
    Router(config-trustp)#commit
    

    Note


    You can either use the command enrollment url SCEP-url or the command enrollment terminal for configuring trustpoint certification authority (CA) enrollment. For more information, see Implementing Certification Authority Interoperability chapter in this guide.


  2. Configure the settings to access the remote syslog server. You can use either the IPv4/v6 address of the server or the server hostname for this configuration. Based on the configured severity , the router sends syslogs to the server. Logging severity options include alerts, critical, debugging, emergencies, errors, informational, notifications and warnings . For more information about logging severity levels, see the topic Syslog Message Severity Levels in Implementing System Logging chapter in System Monitoring Configuration Guide for Cisco 8000 Series Routers.

    This example shows you how to configure syslog server settings with the IPv4 address.

    Router(config)#logging tls-server TEST
    Router(config-logging-tls-peer)#severity debugging
    Router(config-logging-tls-peer)#trustpoint tp
    Router(config-logging-tls-peer)#address ipv4 10.105.230.83
    Router(config-logging-tls-peer)#commit
    

    Alternately, you can configure the syslog server settings with server hostname instead of the IPv4/v6 address.

    Router(config)#logging tls-server TEST
    Router(config-logging-tls-peer)#severity debugging
    Router(config-logging-tls-peer)#trustpoint tp
    Router(config-logging-tls-peer)#tls-hostname xyz.cisco.com
    Router(config-logging-tls-peer)#commit
    
  3. Configure the domain to map the IP address of the remote syslog server and its hostname.

    Router(config)#domain ipv4 host xyz.cisco.com 10.105.230.83
    Router(config)#domain name cisco.com
    Router(config)#commit
    

Verification Steps

TCP port 6514 is the default port for syslog over TLS. Verify the TLS configuration by checking if port 6514 is associated with the IP address of the syslog server in the output of the command show lpts bindings brief .

Router#show lpts bindings brief 

@ - Indirect binding; Sc - Scope
 
 Location   Clnt Sc L3   L4     VRF-ID    Interface    Local-Address,Port Remote-Address,Port
 ---------- ---- -- ---- ------ --------- ------------ --------------------------------------
  0/RP0/CPU0 TCP LR IPV4 TCP    default   any          5.10.18.5,35926 10.105.230.83,6514

The output of show logging command displays the IP address of the TLS server and the number of messages sent to the remote syslog server.

Router#show logging

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 185 messages logged
    Monitor logging: level debugging, 94 messages logged
    Trap logging: level informational, 0 messages logged
    Logging to TLS server 10.105.230.83, 66 message lines logged
    Buffer logging: level debugging, 183 messages logged
 
Log Buffer (2097152 bytes):
...................

 

The output of show crypto ca certificates command displays the Certification Authority (CA) certificate details.

Router#show crypto ca certificates

Trustpoint       : tp
==================================================
CA certificate 
  Serial Number  : B5:68:C8:96:A4:7C:1A:BA
  Subject:
      CN=cacert,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
  Issued By      :
      CN=cacert,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
  Validity Start : 05:39:51 UTC Tue Aug 13 2019
  Validity End   : 05:39:51 UTC Mon Aug 08 2039
 
  CRL Distribution Point
      http://10.105.236.78/crl_xxx/crl.der
  SHA1 Fingerprint:
      03BD57E04A2AA4648A84F515A46EF99CCF488387 
 

When the TLS channel between the router and syslog server comes up, the router displays the following syslog messages on the console:

RP/0/RP0/CPU0: syslogd[148]: %SECURITY-XR_SSL-6-CERT_VERIFY_INFO : SSL Certificate verification: Peer certificate verified successfully
RP/0/RP0/CPU0: syslogd[148]: %OS-SYSLOG-5-LOG_NOTICE : Secure Logging: Successfully established TLS session , server :10.105.230.83