Integrate Your Syslog Data Source with the Security Data Lake
- Updated on 07 Feb 2025
Any external data source that can be configured to forward logs from a Syslog receiver can forward data to the Red Canary Security Data Lake.
By integrating your security logs with the Red Canary Security Data Lake, you can meet data retention requirements, export logs when needed for investigation or reporting, and ensure greater visibility into your security infrastructure for your team and Red Canary. To integrate an external data source with Red Canary through Syslog, follow the procedure below from beginning to end.
Step 1: Red Canary–Create your Red Canary generated URL
From your Red Canary homepage, navigate to Integrations, click the split button to the right of Add Integration, and click Add Data Lake Integration.
Enter a name for your integration.
Under Ingest Format / Method, select Data Source via Syslog (Security Data Lake).
Select the desired data retention period in days (default: 90).
Click Save.
Click Edit Configuration.
Click Activate.
After a few minutes, Red Canary will generate a URL and Port that you will use to set up log forwarding in your external data source. Copy and then save these values. You will use them in a later step.
These configuration settings will not be generated until the Red Canary integration is saved and activated.
Step 2: External Data Source–Configure log forwarding
From your external data source, set up log forwarding using the URL and Port values noted in the previous section.
Ensure that the data source is configured to emit logs in a Syslog-compatible format.
Examples of Syslog-compatible formats: RFC 3164, RFC 5424, etc.
If you are unable to see data flowing into the Security Data Lake, check the SSL logs in your external data source to confirm whether there are any reset or connection errors. If so, move to the next step to address them.
Step 3: Command Line–Generate passphrase keys and TLS certificates
By default, the Syslog server that Red Canary creates is secured with a Transport Layer Security (TLS) certificate issued by the “Let’s Encrypt” Certificate Authority (CA), but if you are experiencing reset/connection errors, SSL certificate verification failures, or messages claiming there is a self-signed certificate in the certificate chain, this can often be related to certificate trust issues.
We recommend first ensuring that Let’s Encrypt is being properly recognized as a Root CA on your server. To resolve this, you will need to install the ISRG Root X1 certificate in the appropriate trust store: on Windows, this would be added to the Trusted Root Certification Authorities Certificate Store. On Linux, this would be added to the system-wide trust store. If your server has internet access, the simplest way to do this is to open a browser and visit a website that uses a Let’s Encrypt certificate, such as https://valid-isrgrootx1.letsencrypt.org/. Otherwise, you can download the ISRG Root X1 certificate and install it manually.
If this resolves your certificate/connection error, skip the rest of steps 3 and 4.
If the previous approach is not possible in your environment, we recommend generating and uploading a custom TLS server certificate of your own. In your environment, you will need to generate the necessary keys and TLS certificates that are used to configure the external data source to send Syslog events to Red Canary.
Note: Use PowerShell on Windows machines, and a terminal on Linux or macOS. The commands below are Linux-based. You should be running OpenSSL version 3.1 or later.
Open your native terminal.
Copy and run the command below to generate a private key for a Root CA:
openssl genrsa -out rootCA.key 4096
Copy and run the command below to generate the self-signed Root CA certificate that will be used to sign the server certificate:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.pem
Enter the values requested.
Note: You can leave all of these values as default if you want. The only entry that you need to enter is the CN.
Enter the URL from Step 1 when prompted for a Common Name (CN).
Copy and run the command below to generate an RSA private key:
openssl genrsa -out server.key 2048
Create a server.cnf file. This file tells OpenSSL what configuration to use during the CSR generation process. If you follow the commands below, this file will be created in the same location as your certificate files (i.e., whatever directory you are in while running the OpenSSL commands). Note: This config file describes the certificate request the certificate authority will then sign.
Open a text editor and create a new file called server.cnf. An example using the vi text editor:
vi server.cnf
The contents of the file should be as follows. Replace #{COLLECTOR_FQDN} with the URL from Step 1 (the collector FQDN, without the #{ } brackets):
## Inside the server.cnf please enter the following lines:
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
### NOTE: this should be the collector FQDN - do not use the brackets
CN = #{COLLECTOR_FQDN}
[req_ext]
subjectAltName = @alt_names
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
[alt_names]
### NOTE: this should be the collector FQDN - do not use the brackets
DNS.1 = #{COLLECTOR_FQDN}
Run the command below to generate a Certificate Signing Request (CSR):
openssl req -new -key server.key -out server.csr -config server.cnf
Run the command below to sign the CSR and create the certificate that Red Canary will present for ingest over TLS (server.crt), using the Root CA private key and certificate from the previous steps:
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.cnf -extensions req_ext
Note: You can adjust the validity period for the issued certificate by changing the number after the -days flag. In the example above, it is set to 365 days.
You should have at least the following files after this process is complete:
rootCA.key
rootCA.pem
rootCA.srl
server.crt
server.key
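As an added example (not Red Canary's own code), the Step 3 commands run as one script with a verification step before anything is uploaded in Step 4. It assumes a constructed FQDN, collector.example.invalid, and gives the Root CA its own CN instead of the collector URL that the step enters there, so the CA and server certificates have distinct subjects; the final check uses openssl verify with hostname and server-purpose checks, which is what a TLS client of the collector evaluates.

```shell
#!/usr/bin/env bash
# Added example, not Red Canary's own tooling: runs the Step 3 OpenSSL commands end
# to end, then checks server.crt the way a TLS client of the collector would.
# Assumption: the Root CA gets its own CN here (Step 3 enters the collector URL there
# too); collector.example.invalid is a constructed FQDN, replace it with the Step 1 URL.
set -eu
# gen_collector_cert FQDN DIR: writes rootCA.key/.pem/.srl and server.key/.csr/.crt to DIR.
gen_collector_cert() {
  local fqdn="$1" dir="$2"
  mkdir -p "$dir"
  # Root CA private key and self-signed CA certificate (req -x509 marks it CA:TRUE)
  openssl genrsa -out "$dir/rootCA.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 3650 \
    -subj "/CN=Syslog Collector Root CA" -out "$dir/rootCA.pem"
  # Server private key
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  # server.cnf from Step 3: the SAN, not only the CN, must carry the collector FQDN
  cat > "$dir/server.cnf" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
CN = $fqdn
[req_ext]
subjectAltName = @alt_names
keyUsage = critical, digitalSignature, keyAgreement
extendedKeyUsage = serverAuth, clientAuth
[alt_names]
DNS.1 = $fqdn
EOF
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/server.cnf"
  # Sign with the Root CA; -extensions req_ext copies the SAN and key usages into server.crt
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -CAcreateserial -out "$dir/server.crt" -days 365 -sha256 \
    -extfile "$dir/server.cnf" -extensions req_ext 2>/dev/null
}
# verify_collector_cert FQDN DIR: succeeds only if server.crt chains to rootCA.pem, is
# valid for a TLS server and matches FQDN, which is what a Syslog sender checks on connect.
verify_collector_cert() {
  openssl verify -CAfile "$2/rootCA.pem" -purpose sslserver -verify_hostname "$1" \
    "$2/server.crt" >/dev/null 2>&1
}
demo_dir=$(mktemp -d)
gen_collector_cert "collector.example.invalid" "$demo_dir"
verify_collector_cert "collector.example.invalid" "$demo_dir" && echo "server.crt verifies OK in $demo_dir"
```

Against the live endpoint, openssl s_client -connect <URL>:<Port> -servername <URL> run from the data source host shows which certificate the collector presents and whether your trust store accepts it, which narrows down the reset and verification errors described in Steps 2 and 3.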
Step 4: Red Canary–Upload custom certificates to Red Canary
To connect your custom certificates generated in Step 3 to Red Canary and enable ingest over TLS, follow these steps:
From your Red Canary homepage, navigate to Integrations, scroll down, and select the integration configured in Step 1.
Click Edit Configuration.
Select Use custom TLS server certificate for ingest over TLS?
Upload the certificates and key from Step 3:
Upload server.crt to the first upload section, Upload a certificate file (PEM or DER).
Upload server.key to the second upload section, Upload the corresponding private key file.
Upload rootCA.pem to the last upload section, Upload the CA certificate corresponding to your certificate (PEM or DER).
Click Save.
Note: Please confirm that your configured DNS can resolve our collector.