Is there a way to encrypt Syslog traffic using TLS like syslog-ng or rsyslog do? I'm trying to avoid having to set up syslog-ng or rsyslog on the Sumo Logic Collector box in order to receive the encrypted Syslog traffic and forward it to the Sumo Logic Collector. 

Answer:

Unfortunately, the Collector does not currently support receiving TLS syslog data directly with a Syslog Source. You need to set up an intermediary service to receive the TLS data and then forward the plain text to the Source. An alternative to using syslog-ng or rsyslog for this is to use stunnel. As described on https://www.stunnel.org, "Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code."

Download it from https://www.stunnel.org/downloads.html, or on CentOS/RedHat install it with the following command:

> yum install stunnel

 Once installed, generate a key/cert on the host, and then use a stunnel config similar to the following to proxy the syslog data:

; Path to the PEM file holding the listener's private key and certificate
cert = /etc/stunnel/stunnel.pem
; Accept only TLS 1.2 from syslog senders (SSLv3 is obsolete and disabled in current OpenSSL builds)
sslVersion = TLSv1.2
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
; Paths below are relative to the chroot directory
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = stunnel.log
; Run as a TLS server (terminate TLS), not as a TLS client
client = no
[syslog]
; TLS listener port for remote syslog senders
accept = 1543
; Plain-text forward to the Collector Syslog Source on the local host
connect = 1514

In this example, stunnel listens for incoming TLS connections on host port 1543/TCP ("accept = 1543") and forwards the decrypted, plain-text data over the loopback interface to port 1514/TCP ("connect = 1514"), or to whatever port is defined in the Collector Syslog Source configuration.
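Because the template above is meant to be adapted per host, it helps to check the adapted file for the two things that matter most in this setup: the TLS listener must not accept obsolete protocol versions, and the plain-text hop must stay on loopback. The following is an added example, not code from Sumo Logic or the stunnel project: a small parser for stunnel's INI-like syntax plus an audit over the parsed settings. The embedded sample config is constructed from the page's template with the old `sslVersion = SSLv3` value deliberately kept so the audit has something to flag; the finding strings and the `WEAK_VERSIONS` set are this example's own choices.

```python
"""Audit a stunnel configuration used to terminate TLS for syslog (added example)."""

# Constructed sample: the page's listener template, with "sslVersion = SSLv3"
# kept on purpose so the audit below reports it.
SAMPLE_CONFIG = """\
cert = /etc/stunnel/stunnel.pem
sslVersion = SSLv3
chroot = /var/run/stunnel/
setuid = nobody
setgid = nobody
pid = /stunnel.pid
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
output = stunnel.log
client = no
[syslog]
accept = 1543
connect = 1514
"""

# Values stunnel accepts for sslVersion that should not be used on a listener.
WEAK_VERSIONS = {"all", "SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# A bare port (host "") means stunnel connects to the local host.
LOOPBACK_HOSTS = {"", "127.0.0.1", "::1", "localhost"}


def parse_stunnel_config(text):
    """Parse stunnel's syntax into {"": global options, "<service>": {...}}.

    Keys may repeat (stunnel allows several "socket = ..." lines), so each key
    maps to the list of its values in file order.
    """
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def split_endpoint(value):
    """Return (host, port) for "1514", "127.0.0.1:1514" or "[::1]:1514"."""
    if value.startswith("["):  # bracketed IPv6 literal
        host, _, port = value[1:].partition("]:")
        return host, port
    host, sep, port = value.rpartition(":")
    return (host, port) if sep else ("", value)


def audit_stunnel_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = parse_stunnel_config(text)
    g = cfg[""]
    findings = []

    for version in g.get("sslVersion", []):
        if version in WEAK_VERSIONS:
            findings.append(
                f"sslVersion = {version}: obsolete protocol; use TLSv1.2 or newer")
    if "cert" not in g:
        findings.append("no global 'cert': the listener has no certificate to present")
    if g.get("client", ["no"])[-1] != "no":
        findings.append("client = yes: this runs as a TLS client, not a TLS listener")

    services = {name: s for name, s in cfg.items() if name}
    if not services:
        findings.append("no [service] section: nothing will be accepted or forwarded")
    for name, svc in services.items():
        if "accept" not in svc or "connect" not in svc:
            findings.append(f"[{name}]: both 'accept' and 'connect' are required")
            continue
        for target in svc["connect"]:
            host, _port = split_endpoint(target)
            if host not in LOOPBACK_HOSTS:
                findings.append(
                    f"[{name}]: connect = {target} sends decrypted syslog off-host;"
                    " forward to the Collector over loopback instead")
    return findings


if __name__ == "__main__":
    for finding in audit_stunnel_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the real file with `audit_stunnel_config(open("/etc/stunnel/stunnel.conf").read())`; the off-host check is what catches the common mistake of pointing `connect` at a Collector on another machine, which would send the syslog data in clear text across the network after stunnel has decrypted it.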

For complete instructions, see Configure a Syslog Source.  

Note: Your Collector Syslog source must be configured to listen over TCP for this proxy to work correctly.

For more information on stunnel and its available configuration options, see:

https://www.stunnel.org/docs.html