EDR: How to Configure Rsyslog Over TLS

Article ID: 291145

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to Configure Syslog to Use TLS

Environment

  • EDR Server: all supported versions

Resolution

  1. Install the rsyslog-gnutls package to support TLS in rsyslog.
  2. Edit the /etc/rsyslog.d/cb-coreservices.conf file with the following information, replacing each <placeholder> with the value for your environment:
    if $programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
    $WorkDirectory <spool dir> # location of spool files on the disk
    $ActionQueueFileName cbremote # unique name prefix for spool files
    $ActionQueueMaxDiskSpace 1g # 1 GB space limit (use as much as possible)
    $ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    $ActionQueueType LinkedList # run asynchronously
    $ActionResumeRetryCount -1 # infinite retries if host is down

    # TLS config
    $DefaultNetstreamDriverCAFile <PEM certificate file of the remote destination's CA chain>
    $ActionSendStreamDriver gtls
    $ActionSendStreamDriverMode 1
    $ActionSendStreamDriverAuthMode anon
    & @@<IP address>:<port>;CbSyslogStandardFormatWithPID
    & stop
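The following is an added example, not part of the article or of Carbon Black's own tooling. It renders the cb-coreservices.conf fragment above from the four site-specific values the article leaves as placeholders, then statically checks the result for the directives that make the forwarder actually use TLS. The function names, the spool path, CA file path, collector address and port used in the usage line are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the KB article: render the rsyslog TLS forwarding
# fragment for Carbon Black EDR notifications and check it statically.
# All paths and addresses passed in are assumptions chosen by the caller.

render_cb_tls_conf() {
    # $1 = spool directory, $2 = PEM file with the remote's CA chain,
    # $3 = remote collector host/IP, $4 = remote TCP port
    spool_dir=$1
    ca_file=$2
    remote_host=$3
    remote_port=$4
    cat <<EOF
if \$programname startswith 'cb-notifications-' then -?DynaFile;CbSyslogStandardFormatWithPID
# location of spool files on disk
\$WorkDirectory ${spool_dir}
# unique name prefix for spool files
\$ActionQueueFileName cbremote
# 1 GB space limit (use as much as possible)
\$ActionQueueMaxDiskSpace 1g
# save messages to disk on shutdown
\$ActionQueueSaveOnShutdown on
# run asynchronously
\$ActionQueueType LinkedList
# infinite retries if host is down
\$ActionResumeRetryCount -1

# TLS config
\$DefaultNetstreamDriverCAFile ${ca_file}
\$ActionSendStreamDriver gtls
# mode 1 = TLS required; mode 0 would send plaintext TCP
\$ActionSendStreamDriverMode 1
# anon = encrypt the session without verifying the remote's certificate
\$ActionSendStreamDriverAuthMode anon
& @@${remote_host}:${remote_port};CbSyslogStandardFormatWithPID
& stop
EOF
}

# Static check of a rendered (or hand-edited) config file: succeeds only when
# the action forwards over TCP (@@) with the gtls driver, TLS is required, and
# a CA file is configured. Prints the first missing item and returns 1 otherwise.
check_cb_tls_conf() {
    conf=$1
    grep -q '^\$ActionSendStreamDriver gtls$' "$conf" \
        || { echo "missing: \$ActionSendStreamDriver gtls"; return 1; }
    grep -q '^\$ActionSendStreamDriverMode 1$' "$conf" \
        || { echo "missing: \$ActionSendStreamDriverMode 1 (TLS not required)"; return 1; }
    grep -q '^\$DefaultNetstreamDriverCAFile [^[:space:]]' "$conf" \
        || { echo "missing: \$DefaultNetstreamDriverCAFile <pem file>"; return 1; }
    grep -q '^& @@[^;]*;CbSyslogStandardFormatWithPID$' "$conf" \
        || { echo "missing: TCP forward line (& @@host:port;CbSyslogStandardFormatWithPID)"; return 1; }
    return 0
}

# Report the peer authentication mode so it is visible at a glance whether the
# remote's certificate is verified (anon = encrypted but not verified).
cb_tls_auth_mode() {
    sed -n 's/^\$ActionSendStreamDriverAuthMode[[:space:]]*//p' "$1"
}

# Usage (constructed values):
#   sh cb_tls_conf.sh /var/spool/rsyslog /etc/pki/tls/certs/ca-chain.pem 10.0.0.5 6514 \
#     > /etc/rsyslog.d/cb-coreservices.conf
if [ "$#" -eq 4 ]; then
    render_cb_tls_conf "$@"
fi
```

After writing the file, `rsyslogd -N1` parses the configuration without starting the daemon and reports syntax errors, which is a quick way to confirm the gtls driver from rsyslog-gnutls loads. Note that the article's `anon` auth mode encrypts the session but does not check who the collector is; rsyslog's `x509/name` auth mode together with `$ActionSendStreamDriverPermittedPeer` verifies the remote's certificate against the CA file and binds it to an expected name.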

Additional Information

This is best-effort support; rsyslog is not product specific.