Configure secure (TLS) TCP options
This documentation is for legacy Kiwi Syslog Server versions 9.8.2 and older.
Some devices support sending secure syslog messages over the TCP channel with transport layer security (TLS). Kiwi Syslog Server supports Secure (TLS) Syslog (RFC 5425).
By default, Kiwi Syslog Server does not listen for TCP messages, because syslog messages are traditionally sent using UDP. If any of your network devices send syslog messages over the TCP channel with transport layer security (TLS), complete the following steps to enable Kiwi Syslog Server to listen for these messages.
- Choose File > Setup to open the Kiwi Syslog Server Setup dialog box.
- Expand the Inputs node.
- Click TCP.
Specify the following options:
Listen for secure (TLS) TCP Syslog messages
Select this option to enable Kiwi Syslog Server to receive secure TCP messages.
TLS relies on certificate-based authentication. A proper certificate has to be selected from certificate store before any client will be able to successfully connect to Kiwi Syslog Server using TLS secured TCP channel. "Select Certificate" button allows the user to browse local certificate stores and pickup a suitable certificate. The selected certificate is used to prove identity of Kiwi Syslog Server to the client. The server itself does not check client certificate and accepts TLS connection from any client.
Certificates that will be used by Kiwi Syslog Server have to be installed into the Local Machine certificate store. Use the Microsoft Management Console to install certificates.
What kind of certificate should be used and configuration of public key infrastructure (PKI) is device-specific. See the manufacturer documentation.
The default port for secure TCP syslog messages is 6514. If you want to listen on a different port for TCP messages, you can enter any port value from 1 to 65535. If you change the port from 6514, the device sending the syslog message must also be able to support the alternate port number.
Bind to address
By default, the TCP socket listens for messages on all connected interfaces. To limit the binding to a single specific interface, you can specify the IP address in the Bind to address field. Otherwise, leave this field blank. (If the Bind to address field is left blank, it will listen on all interfaces. This is the best option in most cases.)
For example, if you have two non-routed interfaces on the computer, 192.168.1.1 and 192.168.2.1, then you can choose to bind to only the 192.168.1.1 interface. This will ignore any syslog messages sent to the other interface.
If you are receiving messages from systems that use different data encoding formats, you can specify the decoding method to apply to the incoming data. The default is to use the System code page.
Select a commonly used encoding format from the drop-down menu. Or, to select a different encoding, choose "Other-->" and then enter the code page number into the field on the right.
The various code pages available on most Windows systems can be found on the Microsoft website. Here are some common code page numbers that can be used.
System Code Page
Japanese Extended Unix Code
If the number you specify is not a valid Code Page on your system, the incoming data will not be decoded correctly and will be dropped. If in doubt, use UTF-8 encoding (65001) as it will handle all Unicode characters.
Because Syslog messages that are sent via TCP are not necessarily contained in a single TCP packet, Kiwi Syslog Server has a buffering facility which accumulates sequential TCP packets in an internally. Because of this, Kiwi Syslog Server needs to know how to identify separate Syslog messages in a single TCP stream. It does this through the use of message delimiters (or separators). Each delimiter signifying the character (or sequence of characters) that will be used to split the stream into individual Syslog messages.
The kind of delimiter to use depends very much on the client or device which is sending Syslog over TCP.
The RFC 5425 option is available for secure TCP messages. This delimiter conforms to the rule defined in RFC 5425. If you decide to look for this delimiter inside incoming message stream the search for this delimiter is performed before other delimiters are checked.
- Click Apply to save your changes.