Integrate Your Syslog Data Source with the Security Data Lake

1. From your Red Canary homepage, navigate to Integrations, click the split button to the right of Add Integration, and click Add Data Lake Integration.
   

2. Next to Add Integration, enter a name for your integration.
   

3. Choose how Red Canary will receive this data:

   1. Under Ingest Format / Method, select Data Source via Syslog (Security Data Lake).
      

   2. Click the Next button.

4. Configure Red Canary to retrieve data from this integration:

   1. Click the Provision button.
      

   2. This will save and activate your integration. If successful, you should get a “Collector provisioned successfully” notification.
      

   3. Under Send data to Red Canary, there will be a URL and Port that you can use to set up log forwarding in your external data source. Copy and save these values. You will use them in a later step.
      

   4. Check I’ve configured this integration to send data to Red Canary.

   5. Under Configure transport encryption, leave the default selection for now.

   6. Click the Next button.

5. Customize how data from this integration is handled:

   1. Specify your desired data retention period in days.
      

6. Click Save in the bottom right corner.

1. From your external data source, set up log forwarding using the URL and Port values noted in the previous section.

2. Ensure that the data source is configured to emit logs in a Syslog-compatible format.

   Examples of Syslog-compatible formats: RFC-3164, RFC-5424, etc.

3. Red Canary requires Transport Layer Security (TLS) 1.2+ encryption for Syslog integrations. Make sure your external source is configured to use TLS over Transmission Control Protocol (TCP) when forwarding Syslog messages.

   1. By default, the Syslog server that Red Canary creates is secured with a TLS certificate issued by the “Let’s Encrypt” Certificate Authority (CA), but if you are experiencing reset/connection errors, SSL certificate verification failures, or messages claiming there is a self-signed certificate in the certificate chain, this can often be related to certificate trust issues.

   2. We recommend first ensuring that Let’s Encrypt is being properly recognized as a Root CA from your external source. If it isn’t, you will need to install the ISRG Root X1 certificate in the appropriate trust store: on Windows, this might be the Trusted Root Certification Authorities Certificate Store. On Linux, this might be the system-wide trust store. It is also common for your external source to have its own separate trust store it uses instead. If your server has internet access, the simplest way to add the appropriate CA certificates to your OS trust store is to open a browser and visit a website that uses a Let’s Encrypt certificate, such as https://valid-isrgrootx1.letsencrypt.org/. Otherwise, you can download the ISRG Root X1 .pem certificate and copy it to the appropriate location manually.

   3. If this resolves your certificate/connection error, skip steps 3 and 4.

If the previous approach is not working or not possible in your environment, we recommend generating and uploading a custom TLS server certificate of your own. In your environment, you will need to generate the necessary keys and TLS certificates that are used to configure the external data source to send Syslog events to Red Canary.

Note: Use PowerShell for Windows machines, and Linux or Terminal for Mac OS. The commands below are Linux-based. You should be running OpenSSL version 3.1 or later.

1. Open your native terminal.

2. Copy and run the command below to generate a private key for a Root CA:

   openssl genrsa -out rootCA.key 4096

3. Copy and run the command below to generate the public key for signing certificates:

   openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

   1. Enter the values requested.

      Note: You can leave all of these values as default if you want. The only entry that you need to enter is the CN.

   2. Enter the URL from Step 1 when prompted for a Common Name (CN).

      

4. Copy and run the command below to generate an RSA private key:

   openssl genrsa -out server.key 2048

5. Create a server.cnf file. This file will tell OpenSSL what configurations to use during the CSR generation process. If you follow the commands below, this file will be created in the same file location that you are generating your certificate files (i.e.: whatever directory you’re in while running the OpenSSL commands).

   Note: This config file describes the certificate request the certificate authority will then sign.

   1. Open a text editor and create a new file called server.cnf. An example using the vi text editor:
      vi server.cnf

   2. The contents of the file should be as follows. Replace {COLLECTOR_FQDN} with the URL from Step 1:

      ## Inside the server.cnf please enter the following lines: 
      
      [req]
      default_bits = 2048
      prompt = no
      default_md = sha256
      req_extensions = req_ext
      distinguished_name = dn
      [dn]
      CN = {COLLECTOR_FQDN} ###NOTE:this should be the collector FQDN - do not use the brackets
      [req_ext]
      subjectAltName = @alt_names
      keyUsage = critical, digitalSignature, keyAgreement
      extendedKeyUsage = serverAuth, clientAuth
      [alt_names]
      DNS.1 = {COLLECTOR_FQDN} ###NOTE:this should be the collector FQDN - do not use the brackets

6. Run the command below to generate a Certificate Signing Request (CSR):

   openssl req -new -key server.key -out server.csr -config server.cnf

7. Run the command below to sign the CSR and create a Red Canary client certificate using the Root CA private key and certificate from the previous steps:

   openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.cnf -extensions req_ext

Note: You can adjust the validity period for the issued certificate by changing the number after the -days flag. In the example above, it is set to 365 days.

You should have at least the following files after this process is complete:

• rootCA.key

• rootCA.pem

• rootCA.srl

• server.crt

• server.key

To connect your custom certificates generated in Step 3 to Red Canary and enable ingest over TLS, follow these steps:

1. From your Red Canary homepage, navigate to Integrations, scroll down, and select the integration configured in Step 1.

2. Expand Configure Red Canary to retrieve data from this integration.

3. Under Configure transport encryption, select “Yes” for Do you want to use a custom TLS certificate for this integration?

4. Upload the certificates and key from Step 3:

   1. Upload server.crt to the first upload section Upload a certificate file (PEM or DER).

   2. Upload server.key to the second upload section Upload the corresponding private key file.

   3. Upload rootCA.pem to the last upload location Upload the CA certificate corresponding to your certificate (PEM or DER).

5. Click Save.

   Note: Please confirm that your configured DNS can resolve our collector.