Category Archives: Articles

Securely Collecting rsyslog Data onto Synology over TCP with SSL Encryption (from a CentOS Server)

If you are managing other servers, and are not exporting those server logs somewhere else, then you really should consider doing so. I won’t try to make the case for why in this blog post. You can do your own research (this might be a good place to start).

[Screenshot: Synology Log Center]

Synology’s Log Center package can be used as a central log collector for other servers. It is certainly not elegant; it is simple and it has few features. But it is easy and fast to implement, and it is definitely better than not centralizing your logs at all.

Here are steps to configure CentOS 7 to securely send its log data to Synology’s Log Center package:

Prerequisites

  1. Ensure that the firewall where your Synology is located has NAT enabled for TCP/514 to send that traffic to your Synology (you do have a firewall, right? Never, ever connect your Synology directly to the internet).

Steps to perform on the Synology:

  1. Install the “Log Center” package using Synology’s Package Manager. The default log center in DSM is very limited. You’ll need the extra features that the Log Center “add-on” package provides.
  2. Open the Log Center package, and click on “Log Receiving”
  3. Click Create
  4. Give your Logging Rule a name. It can be anything (mine is named “ServerLogs”)
  5. The Log Format should be set to BSD
  6. Transfer Protocol should be changed to TCP
  7. The Default Port for syslog traffic is 514, but you can change the port to something else if you want, as long as you remember to set the correct port on the CentOS server (rsyslog client)
  8. Check the checkbox to Enable secure connection (SSL)
  9. Click OK
  10. Click the “Export Certificate” tab inside Log Center (see above screenshot, the tab is far right) and save the CA file somewhere. You’ll need to upload this to the CentOS server in a later step.

Steps to perform on the CentOS 7 Server (rsyslog client):

  1. Ensure port TCP/514 is open (incoming and outgoing). CentOS 7 uses firewalld, and if that is enabled, you can run the following (a --permanent rule only takes effect after a reload):
    $ firewall-cmd --permanent --add-port=514/tcp
    $ firewall-cmd --reload
  2. Upload the CA file you saved in step 10 above into /etc/ssl/certs/synology-ca.crt
  3. Ensure rsyslog-gnutls is installed
    $ yum install rsyslog-gnutls
  4. Edit /etc/rsyslog.conf and add the following lines to the bottom of the file:
    $DefaultNetstreamDriver gtls # use gtls netstream driver
    $ActionSendStreamDriverMode 1 # require TLS for the connection
    $ActionSendStreamDriverAuthMode anon # server is NOT authenticated
    $DefaultNetstreamDriverCAFile /etc/ssl/certs/synology-ca.crt
    *.* @@Your-Synology-IP-Address:514
  5. Restart rsyslog:
    $ systemctl restart rsyslog
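
One thing to be aware of in step 4: with $ActionSendStreamDriverAuthMode set to anon, rsyslog encrypts the connection but never uses the CA file you exported to verify that the server it is talking to is really your Synology, so anyone in the network path who can redirect TCP/514 can read your logs. The script below is an added example, not code from the post or from Synology or rsyslog. It writes a drop-in file with the same directives as step 4 but with the server authenticated against the exported CA (x509/certvalid, or x509/name plus a permitted peer name), and it includes a checker you can point at /etc/rsyslog.conf to confirm TLS is required and the server is verified. The address 192.0.2.10, the peer name synology.example.lan and the drop-in path are placeholders I chose; the page does not say what name the Synology certificate carries, so use x509/certvalid if you do not know it.

```shell
#!/bin/sh
# Added example (not from the original post): write and check an rsyslog
# client configuration that forwards to a Synology Log Center over TLS
# and actually authenticates the server using the exported CA file.

# write_forward_conf OUTFILE SERVER PORT CAFILE AUTHMODE [PEERNAME]
#   AUTHMODE: x509/certvalid  = accept any certificate signed by the CA
#             x509/name       = additionally require PEERNAME to match
#   SERVER/PORT/CAFILE/PEERNAME are supplied by the caller; the values
#   used in demo() below are placeholders, not taken from the page.
write_forward_conf() {
    out=$1; server=$2; port=$3; cafile=$4; authmode=$5; peer=$6
    peerline=""
    if [ "$authmode" = "x509/name" ]; then
        peerline="\$ActionSendStreamDriverPermittedPeer $peer"
    fi
    cat > "$out" <<EOF
# Forward all messages to the Synology Log Center over TLS (rsyslog legacy directives)
\$DefaultNetstreamDriver gtls
\$DefaultNetstreamDriverCAFile $cafile
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode $authmode
$peerline
*.* @@$server:$port
EOF
}

# check_forward_conf FILE
#   Returns 0 only if the file requires TLS, verifies the server's
#   certificate, and forwards over TCP (@@). Prints the weakness and
#   returns 1 otherwise; the post's step-4 snippet fails on "anon".
check_forward_conf() {
    f=$1
    if ! grep -q '^\$ActionSendStreamDriverMode 1' "$f"; then
        echo "$f: TLS is not required (StreamDriverMode is not 1)"; return 1
    fi
    mode=$(sed -n 's/^\$ActionSendStreamDriverAuthMode //p' "$f" | tail -n 1)
    case "$mode" in
        x509/certvalid) ;;
        x509/name|x509/fingerprint)
            if ! grep -q '^\$ActionSendStreamDriverPermittedPeer ' "$f"; then
                echo "$f: $mode set but no PermittedPeer given"; return 1
            fi ;;
        *) echo "$f: AuthMode '$mode' does not verify the server (CA file unused)"; return 1 ;;
    esac
    if ! grep -q '^\*\.\* @@' "$f"; then
        echo "$f: forwarding action is not TCP (@@)"; return 1
    fi
    return 0
}

# demo: write a hardened drop-in into a temp dir, check it, then check a
# constructed copy of the post's anon configuration (expected to fail).
demo() {
    tmp=$(mktemp -d)
    write_forward_conf "$tmp/50-synology.conf" 192.0.2.10 514 \
        /etc/ssl/certs/synology-ca.crt x509/name synology.example.lan
    cat "$tmp/50-synology.conf"
    check_forward_conf "$tmp/50-synology.conf" && echo "OK: server is authenticated"
    printf '%s\n' '$DefaultNetstreamDriver gtls' '$ActionSendStreamDriverMode 1' \
        '$ActionSendStreamDriverAuthMode anon' '*.* @@192.0.2.10:514' > "$tmp/anon.conf"
    check_forward_conf "$tmp/anon.conf" || echo "as expected, the anon setup is rejected"
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh forward.sh --demo` to see both outcomes, or source it and call `check_forward_conf /etc/rsyslog.conf` on a server you have already set up. After writing the drop-in (for example to /etc/rsyslog.d/50-synology.conf), `rsyslogd -N1` checks the syntax before you restart the service.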


You’re done!

If your CentOS server ever gets hacked, or if you want to review logs from your CentOS server without having to SSH into it, you can now review those logs using Synology Log Center.

I hope that this was helpful. Visit https://developcents.com/knowledge-base/#Synology to view several other how-to tutorials that I’ve created for Synology users.


Should you use a VPN? And other resources

A good friend of mine recently emailed me with the following question:

I’ve been working out of coffee shops a good bit and I think it would be a good idea to use a VPN for a more secure connection. Can you point me to a good resource on how I can do that?

As I was responding to his email, I realized that this short, introductory information on VPNs (and why you SHOULD use one) could be helpful as a blog post. So without further ado, here is an (edited) version of the email I sent in response to the above question:

Short answer:
I would definitely and strongly recommend that you use a VPN.

Longer answer:
While you’re thinking about a VPN for your computer, you might also consider a VPN for your phone – that is, if you connect your phone to coffee shop WiFi.

Personally, I run my own VPN server because I don’t trust (nor am very familiar with) 3rd party VPN providers. There’s a ton of services out there that offer VPN for a small fee (usually, monthly). My VPN server sits here in my home office and routes my internet connection completely through my home internet when I use it. So, I’m sitting in a coffee shop, I connect to my VPN, the traffic between my computer and my house is encrypted and secure, and then from the perspective of the websites I visit, it “looks” like I’m sitting at my desk at home.

Obviously I don’t expect you or the average person to know how to set up your own VPN server. But if you’re going to choose to go with a VPN service, you need to make sure you go with a reputable source. Generally speaking, VPN technology can be very weak (if configured improperly), or very secure (if configured properly).

Lots of 3rd party providers don’t do a good job with security (hence the reason I distrust 3rd party providers by default). I use an open source technology called OpenVPN (https://openvpn.net/) for my software, and then as I mentioned earlier, the server itself is located at my house. So I have fully configured and secured my own server.

This looks like a really good place to start, in terms of searching for 3rd party providers. I generally trust CNET, and like most of the things they put out: https://www.cnet.com/best-vpn-services-directory/. Another resource that looks like a good introduction is: https://www.pcmag.com/article2/0,2817,2403388,00.asp

Based on the above resources, and (briefly) reviewing their websites, NordVPN or StrongVPN would probably be my recommendation. I don’t know anything about these guys, but this looks like a reasonable option that is also based on the OpenVPN software: https://www.privatetunnel.com/pricing/

It looks to me like you’d be paying about $5/month for the above services.

Do you use a VPN? If so, is it self-hosted, or do you use a 3rd party VPN service? Who is your service through, and why do you use it? Let me know in the comments!
