Reporting: Configure Reporting Engine to Send Syslog Messages over TCP/TLS for Alerts

Document created by RSA Information Design and Development on May 2, 2016
Version 1

This topic provides instructions on how to configure the Reporting Engine to send syslog messages over TCP with Transport Layer Security (TLS) when an alert is triggered.

Prerequisites

Make sure you have installed and configured a Syslog server that supports TCP/TLS in your environment, for example, WinSyslog.

Procedure

Perform the following steps to configure the Reporting Engine to send syslog alerts over TCP with Transport Layer Security (TLS):

  1. Obtain the required certificates.
  2. (Optional) Convert the certificate format from PEM to JKS.
  3. Copy the key pairs generated for the Reporting Engine Server and Syslog Server.
  4. Configure the delivery of alert messages in Security Analytics.

Task 1: Obtain the required certificates

Perform the following to generate certificates for configuring Reporting Engine to send syslog messages over TCP with TLS:

  1. Generate a Certifying Authority (CA) certificate. For more information, see http://www.rsyslog.com/doc/tls_cert_ca.html.

Note: You can ignore this step if you already have a CA running in your environment.

  2. Generate the key pair (public key and private key) for the Reporting Engine Server. For more information, see http://www.rsyslog.com/doc/tls_cert_machine.html.
  3. Generate the key pair for the Syslog Server. For more information, see http://www.rsyslog.com/doc/tls_cert_machine.html.

Note: You can ignore this step if you have already configured security for the Syslog Server using the key and certificates generated by the same CA.

Task 2: (Optional) Convert the Certificate Format from PEM to JKS

If you generated the certificates in Privacy Enhanced Mail (PEM) format, you need to convert them to Java KeyStore (JKS) format. Perform the following steps on the machine where the Reporting Engine Server is installed.
To convert PEM format certificates to JKS:

  1. Convert the existing PEM format certificates into a PKCS12 file. At the command prompt, type the following command and press ENTER:
    openssl pkcs12 -export -in <certificate.pem> -inkey <private_key.pem> -out <sample>.p12 -name re -CAfile ca.pem -caname root

    Where:
    • certificate.pem - is the certificate in PEM format.
    • private_key.pem - is the private key in PEM format.
    • sample - is the PKCS12 file created during the conversion.
    • ca.pem - is the CA certificate.
  2. Convert the existing PKCS12 file into a JKS format certificate to create the Keystore. At the command prompt, type the following command and press ENTER:
    keytool -importkeystore -destkeystore <re-keystore.jks> -srckeystore <sample>.p12 -srcstoretype PKCS12 -alias re
    Where:
    • re-keystore.jks - is the certificate in JKS format.
    • sample - is the PKCS12 file created during the conversion.
    • ca.pem - is the CA certificate.
  3. Add the CA certificate (ca.pem) to the Truststore. At the command prompt, type the following command and press ENTER:
    keytool -importcert -alias myca -file <ca.pem> -keystore <re-truststore.jks>
    Where:
    • ca.pem - is the CA certificate.
    • re-truststore.jks - is the CA certificate in JKS format.

Note: Make sure that you note down the passwords that you provide for the Keystore and Truststore during conversion. You need to provide these passwords when you enable SECURE_TCP in Security Analytics.
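
Checking the PEM files before conversion makes a mismatched private key, a certificate issued by a different CA, or a certificate close to expiry visible immediately rather than as a failed TLS connection once alerts are being sent. The script below is an added example, not part of the RSA documentation; it uses only standard openssl subcommands, and its function names and the throwaway demo certificates it generates are assumptions for illustration.

```sh
#!/bin/sh
# Added example: pre-flight checks for the PEM inputs of the PKCS12/JKS conversion.
# Function names are illustrative; only standard openssl subcommands are used.
# Assumes the private key is not passphrase-protected.

# 0 if the certificate's public key equals the one derived from the private key.
key_matches_cert() {    # key_matches_cert <certificate.pem> <private_key.pem>
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate verifies against the CA certificate.
chains_to_ca() {        # chains_to_ca <certificate.pem> <ca.pem>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate will still be valid N days from now (default 30).
valid_for_days() {      # valid_for_days <certificate.pem> [days]
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Run all three checks; report each failure and return non-zero if any failed.
preflight() {           # preflight <certificate.pem> <private_key.pem> <ca.pem>
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate" >&2; rc=1; }
    chains_to_ca "$1" "$3" || { echo "FAIL: certificate does not verify against CA" >&2; rc=1; }
    valid_for_days "$1" 30 || { echo "FAIL: certificate expires within 30 days" >&2; rc=1; }
    return $rc
}

# Constructed sample data: a throwaway CA and a CA-signed certificate in directory $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=re.example.test" \
        -keyout "$1/private_key.pem" -out "$1/re.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/re.csr" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
        -CAcreateserial -days 365 -out "$1/certificate.pem" 2>/dev/null
}

# With three arguments, check real files; with none, demonstrate on the sample data.
if [ "$#" -eq 3 ]; then
    preflight "$@"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d) && make_demo_pki "$demo" &&
        preflight "$demo/certificate.pem" "$demo/private_key.pem" "$demo/ca.pem" &&
        echo "demo PKI passed all checks"
    rm -rf "$demo"
fi
```

Run it with the certificate, private key and CA certificate paths as the three arguments; a non-zero exit status means at least one check failed.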

Task 3: Copy the Generated Key Pairs

Manually copy the key pairs (Keystore and Truststore) from the location where you generated them to the /home/rsasoc/rsa/soc/reporting-engine/keystores/ directory on the Reporting Engine Server.

Task 4: Configure the delivery of alert messages in Security Analytics

To send syslog messages over TCP with Transport Layer Security (TLS) when an alert is triggered, enable SECURE_TCP in the Output Actions tab for the Reporting Engine service in the Reporting Engine Services Config View. For more information, see the Reporting Engine Output Actions topic in the Host and Services Configuration Guide.
