With the release of Management Center (MC) version 3.1.1.1, MC administrators can configure Management Center to send syslog over TLS without having the syslog server's certificate signed by the MC's default_CA.
MC version 3.0.x and earlier requires the syslog server certificate to be signed by the MC's default_CA. Refer to "Management Center is unable to verify the CA certificate for syslog servers using TLS" if you are running an older version of Management Center.
This article demonstrates how to configure syslog over TLS on Management Center, with or without mutual certificate checks. The example also uses a certificate chain consisting of an intermediate signer and a root signer.
Management Center 3.1.1.1 or above
TLS syslog server
Assuming you have followed "Create keypair and import signed certificate in Management Center" to create or import the sslkey keyring and certificate, and have imported the CA certificates to MC:
SSH to MC and go to the (config-ssl) prompt:
% en
# conf t
(config)#ssl
(config-ssl)#create ssl-context syslog-tls
(config-ssl)#create ccl syslog-ccl
(config-ssl)#edit ccl syslog-ccl
(config-ccl-syslog-ccl)#add intermediate-ca-certificate
(config-ccl-syslog-ccl)#add root-ca-certificate
(config-ccl-syslog-ccl)#exit
(config-ssl)#edit ssl-context syslog-tls
(config-ssl-context syslog-tls)#keyring sslkey
Note: If a mutual certificate check is not required, the self-signed default keyring can be used instead. Replace the "sslkey" string above with "default" in that case.
(config-ssl-context syslog-tls)#ccl syslog-ccl
(config-ssl-context syslog-tls)#exit
(config-ssl)#exit
(config)# event-log
(config-event-log)#syslog
(config-syslog)#add tls host syslog-server-cert port 6514 ssl-context syslog-tls
(config-syslog)#exit
(config)#exit
After making multiple configuration changes on the CLI, restart the MC: #restart
For the mutual authentication option, a keyring and a certificate signed by your internal PKI need to be created on, or imported to, Management Center. The self-signed "default" keyring can be used instead if mutual authentication is not required. This demonstration uses the keyring and certificate named sslkey. Refer to "Create keypair and import signed certificate in Management Center" for creating and importing certificates on Management Center.
Terms used in this article and examples:
syslog-server-cert - Certificate presented by the syslog server. The certificate must contain the host name or IP address of the server (the value given as host in the add tls host command) in the CN (common name) or in a SAN (subject alternative name); otherwise the TLS host check fails even if the chain is trusted.
intermediate-ca-certificate - In our example, this is the CA that signed syslog-server-cert.
root-ca-certificate - In our example, this is the CA that signed intermediate-ca-certificate.
syslog-tls - This is the ssl-context used for TLS syslog. The ssl-context dictates the ciphers, protocol versions, trusted certificates (CCL) and other TLS options used by a service (e.g. TLS syslog) on MC.
syslog-ccl - This is the collection of trusted certificates and their signers (e.g. intermediate-ca-certificate, root-ca-certificate) associated with syslog-tls.
default - MC's default self-signed keyring and certificate.
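As an added example (not code from the original article, and not anything Management Center itself runs), the following POSIX shell script uses the standard openssl CLI to build a disposable root -> intermediate -> server chain matching the terms above, then performs the two checks the procedure relies on: that syslog-server-cert chains to the signers in the CCL, and that its CN/SAN matches the host name configured with add tls host. All names (Example Root CA, Example Intermediate CA, syslog.example.com) are constructed placeholders. The comparison against root.pem alone assumes the syslog server sends only its own certificate, which is the situation in which the intermediate must be in the CCL for verification to succeed.

```shell
#!/bin/sh
# Added example: build a throwaway root/intermediate/server chain and run the
# chain and host-name checks a TLS syslog client must pass. Not MC code.
# All names below are constructed placeholders.
set -e

# gen_csr DIR NAME SUBJECT : new P-256 key and CSR as DIR/NAME.key, DIR/NAME.csr
gen_csr() {
    openssl req -new -config "$1/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$1/$2.key" -out "$1/$2.csr" -subj "$3" 2>/dev/null
}

# sign_cert DIR NAME ISSUER EXTFILE : sign DIR/NAME.csr with DIR/ISSUER.{pem,key}
sign_cert() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" -CAcreateserial \
        -extfile "$1/$4" -days 2 -out "$1/$2.pem" 2>/dev/null
}

# make_test_chain DIR : writes root.pem, inter.pem, srv.pem and ccl.pem into DIR
make_test_chain() {
    dir="$1"
    mkdir -p "$dir"
    # Private openssl config so the self-signed root is a real CA regardless of
    # what the system-wide openssl.cnf provides.
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # root-ca-certificate: self-signed.
    openssl req -x509 -config "$dir/ca.cnf" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Example Root CA" -days 2 2>/dev/null
    # intermediate-ca-certificate: signed by the root; may sign only end-entity certs.
    printf 'basicConstraints = critical, CA:TRUE, pathlen:0\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$dir/inter.ext"
    gen_csr "$dir" inter "/CN=Example Intermediate CA"
    sign_cert "$dir" inter root inter.ext
    # syslog-server-cert: signed by the intermediate; the host name goes in the SAN.
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:syslog.example.com\n' > "$dir/srv.ext"
    gen_csr "$dir" srv "/CN=syslog.example.com"
    sign_cert "$dir" srv inter srv.ext
    # syslog-ccl equivalent: the trusted signers, intermediate and root together.
    cat "$dir/inter.pem" "$dir/root.pem" > "$dir/ccl.pem"
}

# verify_syslog_server DIR CAFILE HOST : exit 0 only if DIR/srv.pem chains to
# the certificates in DIR/CAFILE and carries HOST in its CN/SAN. No -untrusted
# is given, modelling a syslog server that sends only its own certificate.
verify_syslog_server() {
    openssl verify -CAfile "$1/$2" -verify_hostname "$3" "$1/srv.pem" >/dev/null 2>&1
}

# Stand-alone demonstration.
demo_dir=$(mktemp -d)
make_test_chain "$demo_dir"
for ca in ccl.pem root.pem; do
    if verify_syslog_server "$demo_dir" "$ca" syslog.example.com; then
        echo "$ca, host syslog.example.com: trusted"
    else
        echo "$ca, host syslog.example.com: rejected (incomplete chain)"
    fi
done
if verify_syslog_server "$demo_dir" ccl.pem wrong.example.com; then
    echo "ccl.pem, host wrong.example.com: trusted (unexpected)"
else
    echo "ccl.pem, host wrong.example.com: rejected (host name mismatch)"
fi
rm -rf "$demo_dir"
```

Run it with sh; it needs OpenSSL 1.0.2 or later for -verify_hostname. The same openssl verify invocation, pointed at the certificate files exported from your real CA and syslog server, is a quick way to confirm the chain and host name before touching the MC CLI: if openssl rejects the server certificate with only the CCL contents as -CAfile, MC will too.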