Deliver Syslog Messages through a Single Reliable Pipeline with Encryption and Authentication
The fuel that runs a security information and event management (SIEM) system is Syslog messages. Historically, Syslog messages were sent over the User Datagram Protocol (UDP) as described in RFC 3164 (Figure 1). Unfortunately, UDP provides neither reliable delivery nor encryption and authentication: a dropped datagram is lost silently, and any host on the path can read, alter, or forge messages.
To compensate, software vendors have “enhanced” the Syslog protocol in their own ways to add reliable delivery, encryption, and authentication. Standards for TCP and TLS transport (RFC 6587 and RFC 5425) arrived years later, and deployed senders still differ in details such as message framing and certificate handling. These enhancements have created a Syslog “Tower of Babel” in which many Syslog collectors are unable to receive messages sent across complex IT environments. SyslogDefender bridges that gap by accepting Syslog messages over any of the common transports (UDP or TCP over IPv4 or IPv6, and TLS) and forwarding them to one or more Syslog collectors using a protocol that every collector can accept (Figure 2).
With no single standard in use, large enterprises running complex infrastructures and application architectures are at risk because 1) there is no proven method for reliable delivery, and 2) the gateway is not secured by encryption and authentication. CorreLog SyslogDefender ensures a reliable connection because each Syslog stream, regardless of its original protocol, is “wrapped” within an encrypted and authenticated pipeline whose delivery can be verified. You therefore know that your highly sensitive SIEM log data is protected in transit and that all of it reaches your SIEM system (Figure 3).
In Figure 3, a number of Syslog senders are installed at a remote location. One instance of SyslogDefender at the remote location “bundles” all of the remote Syslog messages into a single, reliable, encrypted connection. Even though some or all of the Syslog senders are only capable of unreliable, unencrypted UDP Syslog, all messages cross the public Internet over a reliable transport with state-of-the-art TLS encryption and authentication. A second instance of SyslogDefender, located in the datacenter, receives and decrypts the messages and passes them to the CorreLog Correlation Server (or other SIEM), which is installed on the same machine or LAN segment.
SyslogDefender collects Syslog messages from any source (UDP, TCP, or TLS over IPv4 or IPv6), combines them into a single encrypted, reliable tunnel, and delivers them to CorreLog or another Syslog collector at a remote location. The main customer benefits are:
- Reliable delivery (a TCP-based tunnel instead of fire-and-forget UDP)
- Encryption and authentication – SyslogDefender can use both server (public) certificates and client certificates, so each end of the tunnel verifies the other
- A single “hole” through the firewall: one port for the tunnel instead of one per sender, and
- Support of any Syslog transport (UDP, TCP, and TLS over IPv4 or IPv6).
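The Figure 3 architecture and the certificate bullet above, as an added example in Python (this is not SyslogDefender's code and does not describe its internals): a remote relay that accepts plain UDP syslog and writes every datagram, length-framed, into one mutually authenticated TLS connection, and a datacenter end that requires a CA-issued client certificate, unframes the stream, and hands each message to a SIEM on the same host. The RFC 6587 octet-counted framing and the PEM file names (ca.pem, relay.pem, relay.key, collector.pem, collector.key) are assumptions, not anything the page specifies.

```python
"""Bundle plain UDP syslog into one framed, mutually authenticated TLS stream
and unpack it at the datacenter end.  Added example, not SyslogDefender's code.
Assumes RFC 6587 octet-counted framing ("<len> <msg>") and placeholder PEM files
(ca.pem, relay.pem/relay.key, collector.pem/collector.key) from a private CA."""
import socket
import ssl
from typing import List, Tuple

MAX_MSG = 8192  # refuse anything larger; keeps one bad sender from wedging the stream

# Constructed sample datagrams, byte-for-byte what a UDP sender would emit.
SAMPLE_UDP_DATAGRAMS = [
    b"<34>Oct 11 22:14:15 fw01 sshd[2010]: Failed password for root from 203.0.113.9",
    b"<13>Oct 11 22:14:16 web01 app: stack trace\n  at line 1\n  at line 2",
    b"<86>Oct 11 22:14:17 db01 su: pam_unix(su:session): session opened for user root",
]


def frame_octet_counted(msg: bytes) -> bytes:
    """RFC 6587 octet counting: decimal length, one space, raw message.
    Unlike newline framing, an embedded newline cannot split a message in two."""
    if not msg or len(msg) > MAX_MSG:
        raise ValueError("refusing to frame an empty or oversized message")
    return b"%d %s" % (len(msg), msg)


def unframe_octet_counted(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Return (complete messages, unconsumed tail) from a stream buffer."""
    msgs: List[bytes] = []
    while True:
        sp = buf.find(b" ")
        if sp == -1:
            if len(buf) > len(str(MAX_MSG)):
                raise ValueError("stream is not octet-counted")
            break  # length prefix still arriving
        if not buf[:sp].isdigit():
            raise ValueError("bad length prefix %r" % buf[:sp])
        n = int(buf[:sp])
        if n == 0 or n > MAX_MSG:
            raise ValueError("bad message length %d" % n)
        end = sp + 1 + n
        if len(buf) < end:
            break  # partial message; wait for more bytes
        msgs.append(buf[sp + 1:end])
        buf = buf[end:]
    return msgs, buf


def bundle(datagrams: List[bytes]) -> bytes:
    """Exactly what the remote relay writes into the tunnel for a batch of datagrams."""
    return b"".join(frame_octet_counted(d) for d in datagrams)


def relay_tls_context(ca: str, cert: str, key: str) -> ssl.SSLContext:
    """Remote side: verify the collector against our CA and present a client cert."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert, key)  # check_hostname and CERT_REQUIRED are already on
    return ctx


def collector_tls_context(ca: str, cert: str, key: str) -> ssl.SSLContext:
    """Datacenter side: only relays holding a CA-issued client cert may connect."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert, key)
    ctx.verify_mode = ssl.CERT_REQUIRED  # the one open firewall port still rejects strangers
    return ctx


def run_relay(udp_bind, collector_addr, collector_name, ctx, count=None):
    """Receive UDP syslog and write each datagram, framed, into one TLS connection."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(udp_bind)
    with socket.create_connection(collector_addr) as raw, \
            ctx.wrap_socket(raw, server_hostname=collector_name) as tls:
        sent = 0
        while count is None or sent < count:
            data = udp.recvfrom(65535)[0].rstrip(b"\r\n")
            if data and len(data) <= MAX_MSG:  # drop empty or oversized datagrams
                tls.sendall(frame_octet_counted(data))  # delivered in order or raises
                sent += 1


def run_collector(tls_bind, siem_addr, ctx, count=None):
    """Accept one relay, authenticate it, unframe the stream, pass messages to the SIEM."""
    siem = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    with socket.create_server(tls_bind) as srv:
        conn, _peer = srv.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:  # handshake enforces client cert
            print("relay authenticated as", tls.getpeercert()["subject"])
            buf, got = b"", 0
            while count is None or got < count:
                chunk = tls.recv(65536)
                if not chunk:
                    break
                msgs, buf = unframe_octet_counted(buf + chunk)
                for m in msgs:
                    siem.sendto(m, siem_addr)  # same host or LAN segment, as in Figure 3
                    got += 1
```

The framing functions run offline on the constructed datagrams; the two `run_*` functions need the certificate files and a reachable peer (for example `run_collector(("0.0.0.0", 6514), ("127.0.0.1", 514), collector_tls_context("ca.pem", "collector.pem", "collector.key"))` in the datacenter and `run_relay(("0.0.0.0", 514), ("collector.example", 6514), "collector.example", relay_tls_context("ca.pem", "relay.pem", "relay.key"))` at the remote site). Two points matter for the security claim: the collector sets `verify_mode = CERT_REQUIRED`, so the single exposed port accepts nothing without a certificate chained to the private CA, and the length prefix means a multi-line message from a UDP sender arrives at the SIEM as one event rather than three.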
For enterprises, data security through a verifiable and reliable connection is critical for adherence to corporate and industry compliance standards such as PCI DSS, HIPAA, Sarbanes-Oxley, FISMA, NERC and many others. CorreLog SyslogDefender helps ensure your data management meets these rigorous standards, much to the satisfaction of your compliance auditors.
For more information on CorreLog SyslogDefender please contact us.