Implementing Secure Logging

This document outlines the implementation of secure logging on Cisco ASR 9000 Series Routers using Transport Layer Security (TLS) to ensure the secure transfer of syslog messages. It details the configuration steps, restrictions, and the TLS handshake process necessary for establishing a secure connection between the router and an external syslog server. Additionally, it provides verification steps to confirm the successful setup of secure logging.
Implementing Secure Logging

This chapter describes the implementation of secure logging on the Cisco ASR 9000 Series Routers over
Transport Layer Security (TLS). TLS, the successor of Secure Socket Layer (SSL), is an encryption protocol
designed for data security over networks.

Table 1: Feature History Table

Release          Modification
Release 6.2.1    This feature was introduced.

• System Logging over Transport Layer Security (TLS), on page 1
• Restrictions for Syslogs over TLS, on page 3
• Configuring Syslogs over TLS, on page 3

System Logging over Transport Layer Security (TLS)

System Log (syslog) messages indicate the health of the device and provide valuable information about any
problems encountered. By default, the syslog process sends messages to the console terminal.
Due to the limited size of the logging buffer in a router, these syslog messages are overwritten in a short time.
Moreover, the logging buffer doesn't retain syslogs across router reboots. To avoid these issues, you can
configure the router to send syslog messages to an external syslog server for storage.

Note For more information on configuring system logging, see the Implementing Logging Services chapter in the
System Monitoring Configuration Guide for Cisco ASR 9000 Series Routers.

Traditionally, routers transfer syslogs to an external syslog server using User Datagram Protocol (UDP), which
is an insecure way of transferring logs. To guarantee secure transport of syslogs, the Cisco ASR 9000 Series
Router supports Secure Logging based on RFC 5425 (Transport Layer Security Transport Mapping for Syslog).
With this feature, the router sends syslogs to a remote server over a trusted channel that implements the
Transport Layer Security (TLS) encryption protocol.
TLS ensures secure transport of syslogs by:
• Authenticating the server and client
• Encrypting the syslog data transferred
• Verifying the integrity of data

The Cisco ASR 9000 Series Router is the TLS client and the remote syslog server is the TLS server. TLS runs
over Transmission Control Protocol (TCP), so the client must complete the TCP handshake with the server
before starting the TLS handshake.

Sequence of TLS Handshake

Figure 1: TLS Handshake

To establish the TLS session, the following interactions take place between the router and the syslog server
after the TCP handshake is complete:
1. The router sends a Client Hello message to the server to begin the TLS handshake.
2. The server shares its TLS certificate, which contains its public key and a unique session key, with the
router to establish a secure connection. Each TLS certificate consists of a key pair made of a public key
and a private key.
3. The router confirms the server certificate with the Certification Authority and checks the validity of the
TLS certificate. Then, the router sends a Change Cipher Spec message to the server to indicate that the
messages it sends from this point on are encrypted using the negotiated key and algorithm.

4. The server decrypts the message using its private key, and then sends back a Change Cipher Spec message
encrypted with the session key to complete the TLS handshake and establish the session.

For more information on configuring Certification Authority interoperability, refer to the Implementing
Certification Authority Interoperability chapter in this guide.

Restrictions for Syslogs over TLS

The following restrictions apply when sending syslogs to a remote syslog server over TLS:
• While configuring the settings for the syslog server on the router, specify only one server identifier, either
the hostname or the IPv4/v6 address.
• In the TLS certificate of the syslog server, if the Subject Alternative Name (SAN) field matches the configured
server hostname but the Common Name (CN) field doesn't match the configured server hostname, the TLS
session setup fails.

Configuring Syslogs over TLS

The following steps show how to configure syslog over TLS:
1. Configure the trust-point for establishing the TLS channel as shown:
Router#conf t
Router(config)#crypto ca trustpoint tp
Router(config-trustp)#subject-name CN=new
Router(config-trustp)#enrollment terminal
Router(config-trustp)#rsakeypair k1
Router(config-trustp)#commit

Note You can use either the command enrollment url SCEP-url or the command enrollment terminal for
configuring trustpoint certification authority (CA) enrollment. For more information, see the Implementing
Certification Authority Interoperability chapter in this guide.

2. Configure the settings to access the remote syslog server. You can use either the IPv4/v6 address of the
server or the server hostname for this configuration. Based on the configured severity, the router sends
syslogs to the server. Logging severity options include alerts, critical, debugging, emergencies, errors,
informational, notifications and warnings. For more information about logging severity levels, see the
Syslog Message Severity Level Definitions topic in the Implementing Logging Services chapter in the System
Monitoring Configuration Guide for Cisco ASR 9000 Series Routers.
This example shows how to configure the syslog server settings with the IPv4 address.
Router(config)#logging tls-server TEST
Router(config-logging-tls-peer)#severity debugging
Router(config-logging-tls-peer)#trustpoint tp
Router(config-logging-tls-peer)#address ipv4 [Link]
Router(config-logging-tls-peer)#commit

Alternately, you can configure the syslog server settings with server hostname instead of the IPv4/v6
address.

Router(config)#logging tls-server TEST
Router(config-logging-tls-peer)#severity debugging
Router(config-logging-tls-peer)#trustpoint tp
Router(config-logging-tls-peer)#tls-hostname [Link]
Router(config-logging-tls-peer)#commit

3. Configure the domain to map the IP address of the remote syslog server and its hostname.
Router(config)#domain ipv4 host [Link] [Link]
Router(config)#domain name [Link]
Router(config)#commit
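As an added example that is not part of the Cisco guide, the following Python client plays the router's role after steps 1 to 3: it trusts a CA file in place of the trust point, verifies the server certificate and hostname, connects to the default port 6514, and applies the RFC 5425 octet-counting framing that the router's syslog stream uses. The file names ca.pem and router.pem and the host syslog.example.net are placeholders (assumptions).

```python
"""Added example, not from the Cisco guide: a minimal RFC 5425 syslog-over-TLS client
that mirrors what the router does after steps 1 to 3 (trust point, server address or
hostname, default port 6514). File names and host are placeholders (assumptions)."""
import socket
import ssl
from typing import List, Optional

TLS_SYSLOG_PORT = 6514  # default port for syslog over TLS (RFC 5425)


def frame_rfc5425(message: str) -> bytes:
    """RFC 5425 octet-counting framing: MSG-LEN SP SYSLOG-MSG, where MSG-LEN
    is the length in octets of the UTF-8 encoded message (not characters)."""
    body = message.encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def build_client_context(ca_file: str, client_cert: Optional[str] = None) -> ssl.SSLContext:
    """Client context playing the role of the router's trust point: the server
    certificate must chain to ca_file and match the name used to connect."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True   # hostname check is delegated to OpenSSL (SAN-based); the
    ctx.verify_mode = ssl.CERT_REQUIRED  # router's own rule (CN must also match) is stricter
    if client_cert:  # mutual TLS: present our certificate, as the router does with its key pair
        ctx.load_cert_chain(client_cert)
    return ctx


def send_syslog_tls(server_name: str, messages: List[str], ca_file: str = "ca.pem",
                    client_cert: Optional[str] = "router.pem",
                    port: int = TLS_SYSLOG_PORT) -> int:
    """TCP connect, then TLS handshake (server verified against the trust point),
    then one octet-counted frame per message. Returns the number of bytes sent."""
    ctx = build_client_context(ca_file, client_cert)
    sent = 0
    with socket.create_connection((server_name, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            for msg in messages:
                frame = frame_rfc5425(msg)
                tls.sendall(frame)
                sent += len(frame)
    return sent


if __name__ == "__main__":
    # Constructed RFC 5424 message; syslog.example.net is a placeholder collector.
    sample = "<14>1 2019-08-13T10:00:00Z router syslogd - - - Secure Logging test"
    print(frame_rfc5425(sample))
    # send_syslog_tls("syslog.example.net", [sample])
```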

Verification Steps
TCP port 6514 is the default port for syslog over TLS. Verify the TLS configuration by checking if port 6514
is associated with the IP address of the syslog server in the output of the command show lpts bindings brief.
Router#show lpts bindings brief

@ - Indirect binding; Sc - Scope

Location   Clnt Sc L3   L4  VRF-ID  Interface Local-Address,Port Remote-Address,Port
---------- ---- -- ---- --- ------- --------- ------------------ -------------------
0/RP0/CPU0 TCP  LR IPV4 TCP default any       [Link],35926       [Link],6514

The output of the show logging command displays the IP address of the TLS server and the number of messages
sent to the remote syslog server.
Router#show logging

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Console logging: level debugging, 185 messages logged
    Monitor logging: level debugging, 94 messages logged
    Trap logging: level informational, 0 messages logged
    Logging to TLS server [Link], 66 message lines logged
    Buffer logging: level debugging, 183 messages logged

Log Buffer (2097152 bytes):

...................

The output of the show crypto ca certificates command displays the Certification Authority (CA) certificate
details.
Router#show crypto ca certificates

Trustpoint : tp
==================================================
CA certificate
  Serial Number   : [Link]
  Subject:
    CN=cacert,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
  Issued By       :
    CN=cacert,OU=SPBU,O=CSCO,L=BGL,ST=KA,C=IN
  Validity Start  : [Link] UTC Tue Aug 13 2019
  Validity End    : [Link] UTC Mon Aug 08 2039
  CRL Distribution Point
    [Link]
SHA1 Fingerprint:
03BD57E04A2AA4648A84F515A46EF99CCF488387

When the TLS channel between the router and syslog server comes up, the router displays the following syslog
messages on the console:
RP/0/RP0/CPU0: syslogd[148]: %SECURITY-XR_SSL-6-CERT_VERIFY_INFO : SSL Certificate
verification: Peer certificate verified successfully
RP/0/RP0/CPU0: syslogd[148]: %OS-SYSLOG-5-LOG_NOTICE : Secure Logging: Successfully
established TLS session , server :[Link]
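An added example, not from the Cisco guide, that automates the verification steps above: it parses the show lpts bindings brief, show logging and console outputs and confirms that the configured TLS server has a TCP binding on port 6514, a non-zero count of message lines logged, and a session notice preceded by a successful certificate verification. The sample outputs are constructed in the shape shown on the page (203.0.113.10 and 198.51.100.7 are documentation addresses), not captured from a device.

```python
"""Added example, not from the Cisco guide: checks the verification outputs above for one
configured TLS server. Sample outputs are constructed, not captured from a device."""
import re
from typing import Dict, List, Tuple

TLS_SYSLOG_PORT = 6514
SHOW_LPTS = """Location   Clnt Sc L3   L4  VRF-ID  Interface Local-Address,Port Remote-Address,Port
---------- ---- -- ---- --- ------- --------- ------------------ -------------------
0/RP0/CPU0 TCP  LR IPV4 TCP default any       198.51.100.7,35926 203.0.113.10,6514
"""
SHOW_LOGGING = """Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
    Logging to TLS server 203.0.113.10, 66 message lines logged
"""
CONSOLE = """RP/0/RP0/CPU0: syslogd[148]: %SECURITY-XR_SSL-6-CERT_VERIFY_INFO : SSL Certificate verification: Peer certificate verified successfully
RP/0/RP0/CPU0: syslogd[148]: %OS-SYSLOG-5-LOG_NOTICE : Secure Logging: Successfully established TLS session , server :203.0.113.10
"""
BINDING_RE = re.compile(r"\bTCP\b.*?(\S+),(\d+)\s+(\S+),(\d+)\s*$")
TLS_COUNT_RE = re.compile(r"Logging to TLS server (\S+), (\d+) message lines logged")
SESSION_RE = re.compile(r"established TLS session\s*,\s*server\s*:\s*(\S+)")

def tls_bindings(lpts_output: str) -> List[Tuple[str, int]]:
    # (remote address, remote port) for each TCP binding whose remote port is 6514
    found = []
    for line in lpts_output.splitlines():
        m = BINDING_RE.search(line)
        if m and int(m.group(4)) == TLS_SYSLOG_PORT:
            found.append((m.group(3), int(m.group(4))))
    return found

def tls_message_counts(show_logging: str) -> Dict[str, int]:
    # TLS server -> 'message lines logged' count reported by show logging
    return {srv: int(n) for srv, n in TLS_COUNT_RE.findall(show_logging)}

def established_sessions(console: str) -> List[str]:
    # servers whose session notice follows a successful peer certificate verification
    verified, servers = False, []
    for line in console.splitlines():
        if "CERT_VERIFY_INFO" in line and "verified successfully" in line:
            verified = True
        m = SESSION_RE.search(line)
        if m and verified:
            servers.append(m.group(1))
    return servers

def verify_secure_logging(server: str, lpts: str, logging_out: str, console: str) -> bool:
    # all three checks from the verification section must hold for the configured server
    return ((server, TLS_SYSLOG_PORT) in tls_bindings(lpts)
            and tls_message_counts(logging_out).get(server, 0) > 0
            and server in established_sessions(console))
```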
