Integrate Your Syslog Data Source with the Security Data Lake
    • 07 Feb 2025

    Any external data source that can be configured to forward logs from a Syslog receiver can forward data to the Red Canary Security Data Lake.

    By integrating your security logs with the Red Canary Security Data Lake, you can meet data retention requirements, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate an external data source with Red Canary through Syslog, follow the procedure below from beginning to end.

    Step 1: Red Canary–Create your Red Canary generated URL

    1. From your Red Canary homepage, navigate to Integrations, click the split button to the right of Add Integration, and click Add Data Lake Integration.

    2. Enter a name for your integration.

    3. Under Ingest Format / Method, select Data Source via Syslog (Security Data Lake).

    4. Select the desired data retention period in days (default: 90).

    5. Click Save.

    6. Click Edit Configuration.

    7. Click Activate.

    8. After a few minutes, Red Canary will generate a URL and Port that you will use to set up log forwarding in your external data source. Copy and then save these values. You will use them in a later step.

      These configuration settings will not be generated until the Red Canary integration is saved and activated.

    Step 2: External Data Source–Configure log forwarding

    1. From your external data source, set up log forwarding using the URL and Port values noted in the previous section.

    2. Ensure that the data source is configured to emit logs in a Syslog-compatible format.

      Examples of Syslog-compatible formats include RFC 3164 and RFC 5424.

    3. If you are unable to see data flowing into the Security Data Lake, check the SSL logs in your external data source to confirm whether there are any reset/connection errors. If so, move to the next step to address them.

    Step 3: Command Line–Generate passphrase keys and TLS certificates

    By default, the Syslog server that Red Canary creates is secured with a Transport Layer Security (TLS) certificate issued by the “Let’s Encrypt” Certificate Authority (CA). If you are experiencing reset/connection errors, SSL certificate verification failures, or messages claiming there is a self-signed certificate in the certificate chain, the cause is often a certificate trust issue.

    We recommend first ensuring that Let’s Encrypt is being properly recognized as a Root CA on your server. To resolve this, you will need to install the ISRG Root X1 certificate in the appropriate trust store: on Windows, this would be added to the Trusted Root Certification Authorities Certificate Store. On Linux, this would be added to the system-wide trust store. If your server has internet access, the simplest way to do this is to open a browser and visit a website that uses a Let’s Encrypt certificate, such as https://valid-isrgrootx1.letsencrypt.org/. Otherwise, you can download the ISRG Root X1 certificate and install it manually.

    If this resolves your certificate/connection error, skip the rest of steps 3 and 4.
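    The quickest way to tell which of the two situations you are in is to let the forwarding host's own TLS stack verify the collector. The script below is an added example, not part of the Red Canary article; it assumes the collector URL and Port from Step 1 are passed as arguments (the names in the usage comment are constructed placeholders).

```shell
#!/bin/sh
# Added example, not part of the Red Canary article: ask the forwarding host's own
# TLS stack whether the collector's Let's Encrypt chain is trusted, which decides
# whether the custom certificate in Steps 3 and 4 is needed at all.
# HOST and PORT are the URL and Port from Step 1; the usage values are constructed placeholders.
set -eu

# Read `openssl s_client` output on stdin and print the numeric verify code (0 = trusted).
tls_verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Map a verify code to the next action. 19 is "self-signed certificate in certificate
# chain", the symptom named above; 20 is "unable to get local issuer certificate",
# the other common sign that ISRG Root X1 is missing from the trust store.
tls_advice() {
  case "$1" in
    0)     echo "chain trusted: no custom certificate needed" ;;
    19|20) echo "collector chain not trusted: install ISRG Root X1 or continue with Step 3" ;;
    "")    echo "no handshake result: confirm HOST:PORT is reachable and DNS resolves" ;;
    *)     echo "verify code $1: consult the openssl verify(1) error list" ;;
  esac
}

# Connect to HOST:PORT with SNI using the local trust store and print the advice line.
check_collector_tls() {
  code=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null | tls_verify_code)
  tls_advice "$code"
}

# Usage: sh check_collector.sh <collector URL> <port>, e.g. collector.example.test 6514
if [ $# -eq 2 ]; then check_collector_tls "$1" "$2"; fi
```

    Run it on the same machine that forwards the logs, since that machine's trust store is the one that matters.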

    If the previous approach is not possible in your environment, we recommend generating and uploading your own custom TLS server certificate. You will need to generate the keys and TLS certificates that are used to configure the external data source to send Syslog events to Red Canary.

    Note: Use PowerShell on Windows, and a terminal on Linux or macOS. The commands below are Linux-based. You should be running OpenSSL version 3.1 or later.

    1. Open your native terminal.

    2. Copy and run the command below to generate a private key for a Root CA:

      openssl genrsa -out rootCA.key 4096

    3. Copy and run the command below to generate the self-signed Root CA certificate that will be used to sign certificates:

      openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem

      1. Enter the values requested.

        Note: You can leave all of these values at their defaults; the only entry you must provide is the CN.

      2. Enter the URL from Step 1 when prompted for a Common Name (CN).

    4. Copy and run the command below to generate an RSA private key:

      openssl genrsa -out server.key 2048

    5. Create a server.cnf file. This file tells OpenSSL what configuration to use during CSR generation. If you follow the commands below, this file is created in the same location as your certificate files (that is, whatever directory you are in when you run the OpenSSL commands).

      Note: This config file describes the certificate request the certificate authority will then sign.

      1. Open a text editor and create a new file called server.cnf. An example using the vi text editor:
        vi server.cnf

      2. The contents of the file should be as follows. Replace #{COLLECTOR_FQDN} with the URL from Step 1:

        ## Inside the server.cnf please enter the following lines: 
        
        [req]
        default_bits = 2048
        prompt = no
        default_md = sha256
        req_extensions = req_ext
        distinguished_name = dn
        [dn]
        CN = #{COLLECTOR_FQDN} ### NOTE: this should be the collector FQDN - do not use the brackets
        [req_ext]
        subjectAltName = @alt_names
        keyUsage = critical, digitalSignature, keyAgreement
        extendedKeyUsage = serverAuth, clientAuth
        [alt_names]
        DNS.1 = #{COLLECTOR_FQDN} ### NOTE: this should be the collector FQDN - do not use the brackets

    6. Run the command below to generate a Certificate Signing Request (CSR):

      openssl req -new -key server.key -out server.csr -config server.cnf

    7. Run the command below to sign the CSR and create the certificate (server.crt) that you will upload to Red Canary, using the Root CA private key and certificate from the previous steps:

      openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.cnf -extensions req_ext

    Note: You can adjust the validity period for the issued certificate by changing the number after the -days flag. In the example above, it is set to 365 days.

    You should have at least the following files after this process is complete:

    • rootCA.key

    • rootCA.pem

    • rootCA.srl

    • server.crt

    • server.key
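    The following script, an added example rather than part of the Red Canary article, runs commands 2 through 7 of this step in one pass and then verifies the output the way a syslog client will before you upload it in Step 4. It assumes OpenSSL 3.x on Linux, gives the Root CA its own name instead of the collector URL so the two certificates are distinguishable, and uses a constructed placeholder FQDN; pass your own output directory and the URL from Step 1 as arguments.

```shell
#!/bin/sh
# Added example, not from the Red Canary article: run the Step 3 key and certificate
# generation in one pass, then verify the result as a syslog client would. Assumes
# OpenSSL 3.x; the default FQDN is a constructed placeholder for the URL from Step 1.
set -eu
# Write server.cnf for FQDN $1 to path $2 (replaces hand-editing #{COLLECTOR_FQDN}).
write_server_cnf() {
  cat > "$2" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN = $1
[req_ext]
subjectAltName = @alt_names
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
[alt_names]
DNS.1 = $1
EOF
}
# Create rootCA.key/rootCA.pem and server.key/server.csr/server.crt in DIR $1 for FQDN $2.
# The root CA gets its own CN here (an assumption) so it is never confused with the
# server certificate, whose CN and SAN carry the collector FQDN.
gen_syslog_certs() {
  dir=$1; fqdn=$2
  mkdir -p "$dir" && write_server_cnf "$fqdn" "$dir/server.cnf" &&
  openssl genrsa -out "$dir/rootCA.key" 4096 2>/dev/null &&
  openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 3650 \
    -subj "/CN=Syslog Forwarder Root CA" -out "$dir/rootCA.pem" &&
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/server.cnf" &&
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -out "$dir/server.crt" -days 365 -sha256 \
    -extfile "$dir/server.cnf" -extensions req_ext 2>/dev/null
}
# Succeed only if server.crt chains to rootCA.pem, server.key matches the certificate,
# and the SAN lists FQDN: the chain and hostname checks a TLS client makes, plus the key match.
verify_syslog_certs() {
  dir=$1; fqdn=$2
  openssl verify -CAfile "$dir/rootCA.pem" "$dir/server.crt" >/dev/null &&
  [ "$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" ] &&
  openssl x509 -in "$dir/server.crt" -noout -text | grep -qF "DNS:$fqdn"
}
gen_syslog_certs "${1:-./syslog-pki}" "${2:-collector.example.test}" &&
verify_syslog_certs "${1:-./syslog-pki}" "${2:-collector.example.test}" && echo "certificates verified"
```

    If verification fails on the SAN check, the FQDN you passed does not match what ends up in server.cnf, which is the same mismatch a forwarder will reject at connection time.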

    Step 4: Red Canary–Upload custom certificates to Red Canary

    To connect your custom certificates generated in Step 3 to Red Canary and enable ingest over TLS, follow these steps:

    1. From your Red Canary homepage, navigate to Integrations, scroll down, and select the integration configured in Step 1.

    2. Click Edit Configuration.

    3. Select Use custom TLS server certificate for ingest over TLS?

    4. Upload the certificates and key from Step 3:

      1. Upload server.crt to the first upload section Upload a certificate file (PEM or DER).

      2. Upload server.key to the second upload section Upload the corresponding private key file.

      3. Upload rootCA.pem to the last upload location Upload the CA certificate corresponding to your certificate (PEM or DER).

    5. Click Save.

      Note: Please confirm that your configured DNS can resolve our collector.

