cmdReporter Wiki

Syslog Protocol and Format (RFC5424 & RFC3164)

Overview

This article describes the preference keys used to configure the cmdReporter Syslog with TLS remote logging interface. Setting the remote endpoint type to syslog also changes the format of the log data being sent so that it complies with RFC5424. Standard syslog headers are generated, and the full cmdReporter event JSON is sent in the "message" portion of the syslog event.


Remote Logging Preferences (TLS Syslog)

All preference keys are required unless marked (Optional).

| Key | Value Type | Sample Value | Function |
|---|---|---|---|
| LogRemoteEndpointEnabled | bool | true | Enable network transmission of log data. |
| LogRemoteEndpointType | String | Syslog5424 | Type of remote log aggregation server. Used to define the network protocol and preferences used. syslog3164 can also be specified here to use the older syslog header format. |
| LogRemoteEndpointURL | String | tls://server.address:9977 | URL where log data is to be sent. Applies to all remote logging types. The tls:// prefix is required. |
| LogRemoteEndpointTLS | Dictionary | - | Container dictionary for TLS preferences; no preferences are set directly on this key. |
| TLSServerCertificate | Array of Strings | server.company.com, intermediate ca name, root_ca-name | Public TLS certificate and chain common names used to verify the remote server. Only the System keychain is searched for certificates. |

Download Server Public Certificate(s)

# The resulting file may have more than one certificate. Keychain Access will 
# automatically parse them into separate cert entries when you 
# double-click or drag-drop the file this command generates
echo -n | openssl s_client -showcerts -connect HOSTNAME:PORT | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ~/Downloads/server-public-cert.pem


Install the server's public certificate(s) into the System (not System Roots) keychain, then reference the certificate common names in the TLSServerCertificate preference.

Example TLS Preferences

<!-- Remote endpoint logging master switch -->
<key>LogRemoteEndpointEnabled</key>
<true/>
<!-- Start TLS Configs -->
<key>LogRemoteEndpointType</key>
<string>Syslog5424</string>
<key>LogRemoteEndpointURL</key>
<string>tls://server.company.com:4477</string>
<key>LogRemoteEndpointSyslog</key>
<dict>
  <key>TLSServerCertificate</key>
  <array>
    <string>server_name.company.com</string>
    <string>Let's Encrypt Authority X3</string>
    <string>DST Root CA X3</string>
  </array>
</dict>
<!-- End TLS Configs -->
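
On the receiving side, the format described in the Overview means a collector has to strip the RFC5424 (or RFC3164) header before it can decode the event JSON. The parser below is an added example, not cmdReporter code. It assumes message framing has already been removed by the TLS listener, and the sample lines, app name and JSON field names are constructed placeholders.

```python
import json
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[(?:\\.|[^\]\\])*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) (?P<msg>.*)$",
    re.DOTALL,
)

# Constructed sample lines; the JSON field names are placeholders.
SAMPLE_5424 = ('<13>1 2024-05-01T12:00:00Z mac01.example.com cmdReporter 312 - - '
               '{"event": "exec", "path": "/usr/bin/curl"}')
SAMPLE_3164 = ('<13>May  1 12:00:00 mac01 cmdReporter[312]: '
               '{"event": "exec", "path": "/usr/bin/curl"}')


def parse_syslog_event(line):
    """Return the syslog header fields plus the JSON event decoded from MSG."""
    line = line.rstrip("\r\n")
    fmt, m = "rfc5424", RFC5424.match(line)
    if m is None:
        fmt, m = "rfc3164", RFC3164.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 or RFC 3164 message")
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    pri = int(fields.pop("pri"))
    if pri > 191:  # highest valid PRI: facility 23 * 8 + severity 7
        raise ValueError("PRI out of range")
    msg = fields.pop("msg", "").lstrip("\ufeff")  # drop optional UTF-8 BOM
    start = msg.find("{")  # skips a 3164 "TAG: " prefix ahead of the JSON
    if start < 0:
        raise ValueError("no JSON object in MSG")
    # raw_decode raises ValueError on malformed JSON, tolerates trailing text
    event, _ = json.JSONDecoder().raw_decode(msg, start)
    return {"format": fmt, "facility": pri >> 3, "severity": pri & 7,
            **fields, "event": event}


if __name__ == "__main__":
    for sample in (SAMPLE_5424, SAMPLE_3164):
        print(parse_syslog_event(sample))
```

Rejecting lines that fail header or JSON parsing, rather than storing them raw, keeps malformed or spoofed input out of the event index.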


