Reporting: Configure Reporting Engine to Send Syslog Messages over TCP/TLS for Alerts

Document created by RSA Information Design and Development on Jun 26, 2017

This topic provides instructions on how to configure the Reporting Engine to send syslog messages over TCP with Transport Layer Security (TLS) when an alert is triggered.

Prerequisites

Make sure a syslog server that supports TCP/TLS (for example, WinSyslog or rsyslog) is installed and configured in your environment.

Procedure

Perform the following steps to configure the Reporting Engine to send syslog alerts over TCP with Transport Layer Security (TLS):

  1. Obtain the required certificates.
  2. Append the CA certificate to the ca.pem file on the NetWitness server.
  3. Configure the Syslog Server to accept messages from client machines.
  4. Configure the delivery of alert messages in NetWitness UI.

Task 1: Obtain the required certificates

Perform the following to generate certificates for configuring Reporting Engine to send syslog messages over TCP with TLS:

  1. Generate a Certificate Authority (CA) certificate. For more information, see http://www.rsyslog.com/doc/tls_cert_ca.html.

Note: You can skip this step if you already have a CA running in your environment.

  2. Generate a key pair for the Syslog Server and have it signed by that CA. For more information, see http://www.rsyslog.com/doc/tls_cert_machine.html.

Note: You can skip this step if you have already secured the Syslog Server with a key and certificate issued by the same CA.

Task 2: Append the CA certificate to the ca.pem file on the SA Server

Perform the following to append an existing CA certificate to ca.pem file:

  1. Manually append the contents of the CA certificate that you generated to the /var/lib/puppet/ssl/certs/ca.pem file. Append the complete PEM block, including the BEGIN and END CERTIFICATE lines.
  2. Run the following command on the SA Server to populate the certificate into the truststore:
    puppet agent -t

Task 3: Configure the Syslog Server to accept messages from client machines

Perform the following to configure the Syslog server to accept messages from client machines that trust the same CA certificate:

  1. Copy the following three files to the target location on your secure TCP syslog server:
  • ca_cert.pem
  • server_cert.pem
  • server_key.pem
    Where:
    ca_cert.pem - is the CA certificate
    server_cert.pem - is the server certificate
    server_key.pem - is the server key

For more information, see the documentation specific to your Syslog server. If you are using rsyslog, refer to http://www.rsyslog.com/doc/tls_cert_server.html.

Task 4: Configure the delivery of alert messages in Security Analytics

Configure Reporting Engine to send syslog messages over TCP with Transport Layer Security (TLS) when an alert is triggered by enabling SECURE_TCP in the Output Actions tab for the Reporting Engine service in the Reporting Engine Services Config View. For more information, see Reporting Engine Output Actions topic in the Host and Services Configuration Guide.
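Tasks 1 through 3 above, worked end to end as an added example that is not part of the RSA page: a POSIX shell script that mints a CA and a CA-signed key pair for the syslog server with openssl (Task 1), appends the CA certificate to a trust-store bundle only if a certificate with the same fingerprint is not already there (Task 2), writes an rsyslog TLS listener configuration that points at the three copied files (Task 3), and checks that the server certificate chains to the CA. The hostnames, directory paths, listener port 6514 and PermittedPeer value are assumptions made for the demo; on a real SA Server the trust store is /var/lib/puppet/ssl/certs/ca.pem and Task 2 still ends with puppet agent -t. Task 4 is a UI setting and has no script equivalent.

```shell
#!/bin/sh
# Added example (not RSA's code): CA + server key pair, idempotent trust-store
# append, rsyslog TLS listener config, and chain verification. All paths and
# hostnames below are constructed for the demo.
set -u

# Task 1: CA cert/key plus a server cert signed by it. $1 = output dir, $2 = server FQDN.
make_tls_material() {
    dir="$1"; host="$2"
    mkdir -p "$dir" || return 1
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Syslog CA" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_cert.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
        -keyout "$dir/server_key.pem" -out "$dir/server.csr" 2>/dev/null || return 1
    # SAN + serverAuth EKU so clients that ignore the CN still match the hostname.
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server_ext.cnf"
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca_cert.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
        -extfile "$dir/server_ext.cnf" -out "$dir/server_cert.pem" 2>/dev/null || return 1
    chmod 600 "$dir/ca_key.pem" "$dir/server_key.pem"
}

# Print the SHA-256 fingerprint of every certificate in a PEM bundle, one per line.
bundle_fingerprints() {
    tmp=$(mktemp) || return 1
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$tmp"
        if [ "$line" = "-----END CERTIFICATE-----" ]; then
            openssl x509 -in "$tmp" -noout -fingerprint -sha256
            : > "$tmp"
        fi
    done < "$1"
    rm -f "$tmp"
}

# Task 2: append CA cert $1 to bundle $2 unless the same certificate is already
# present. Returns 0 if appended, 1 if already present, 2 on error.
append_ca_to_truststore() {
    ca="$1"; store="$2"
    fp=$(openssl x509 -in "$ca" -noout -fingerprint -sha256) || return 2
    touch "$store" || return 2
    if bundle_fingerprints "$store" | grep -qxF -- "$fp"; then
        return 1
    fi
    cat "$ca" >> "$store"
}

# Task 3: rsyslog listener that speaks TLS only (Mode 1) and accepts only clients
# whose certificate chains to our CA and whose name matches PermittedPeer.
# That the Reporting Engine presents a client certificate is an assumption; with
# AuthMode "anon" the session is encrypted but the sender is not authenticated.
write_rsyslog_tls_conf() {
    out="$1"; certdir="$2"; peer="$3"
    cat > "$out" <<EOF
global(DefaultNetstreamDriver="gtls"
       DefaultNetstreamDriverCAFile="$certdir/ca_cert.pem"
       DefaultNetstreamDriverCertFile="$certdir/server_cert.pem"
       DefaultNetstreamDriverKeyFile="$certdir/server_key.pem")
module(load="imtcp" StreamDriver.Name="gtls" StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name" PermittedPeer=["$peer"])
input(type="imtcp" port="6514")
EOF
}

# Does server certificate $2 chain to a CA in bundle $1 (what the client will check)?
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# End-to-end run in a scratch directory; returns 0 only if every step behaved.
demo() {
    work=$(mktemp -d) || return 1
    make_tls_material "$work/pki" syslog.example.net || return 1
    append_ca_to_truststore "$work/pki/ca_cert.pem" "$work/ca.pem" || return 1
    # A second append must report "already present" (1), not add a duplicate.
    rc=0; append_ca_to_truststore "$work/pki/ca_cert.pem" "$work/ca.pem" || rc=$?
    [ "$rc" -eq 1 ] || return 1
    write_rsyslog_tls_conf "$work/tls.conf" /etc/rsyslog.d/pki nw.example.net || return 1
    verify_chain "$work/ca.pem" "$work/pki/server_cert.pem" || return 1
    echo "ok: certificates, trust store and rsyslog config written under $work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh tls_syslog_setup.sh --demo`, or source it and call the functions against real paths. The fingerprint check matters because Task 2 is repeated on every certificate rotation and a duplicated CA block in ca.pem is easy to miss; the verify step catches the common mistake of copying a server certificate that was signed by a different CA than the one appended to the truststore.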
