
Hi

I'm in the process of setting up Cribl to send data from a syslog source (AWS-hosted Cisco FTDs) to Amazon S3.

Although the firewall rules are locked down to source and destination, I'm concerned about transmitting unprotected data over the Internet.

Can you please advise on the best way to protect the traffic?

Thanks

S3 delivery is TLS encrypted.


Thank you. How about the syslog traffic from the source to Cribl?


The Cribl syslog source has TLS available.

  • It's on by default in Cloud, on port 6514. (Port 9514 in Cloud is open text syslog. Don't do that!)
  • Alternatively, place a Worker in the same VPC as your hosted FTDs and deliver to that group, then relay to S3 from there.

Thank you for the clarification and suggestions. I will give it a try.


Good Morning,

You mentioned that the Cribl source has TLS that is on by default. I should, however, configure certificates, though? If that's the case, what certificate(s) are being referred to?

Sorry, I started using Cribl 2 weeks ago, so I'm still getting to grips with the tool.

Thanks


Cribl CLOUD has TLS-enabled syslog on port 6514 set up by default. It has certs based on your Cloud instance's name.

If you are setting up Cribl on-prem/self-managed, you'll need to provide certs before you can enable TLS.


Got it. Just to clarify, in my scenario I have AWS-hosted Cisco Firewalls that need to send their syslog traffic to my Cribl Cloud instance. Do I need to import some certs on Cribl Cloud to ensure communication over TLS (6514)?


No. The 6514 port is ready for TLS comms out of the box.


Thank you. Appreciate all your assistance.


Hi,

I have managed to set up the destination on Cribl, which works fine. Cribl-generated data is able to successfully populate the S3 bucket I have created in AWS. However, I'm struggling to get the syslog data from the source devices (Cisco firewalls) to Cribl.

This is the syslog configuration I have used, using TLS as I would not want to send unencrypted data over the internet.

On the Cisco Firewalls:

Syslog IP Address: Cribl (52.204.198.31)

Protocol: TCP

Port: 6514 (although the default port for Cisco Firewalls is 1470)

Enabled secure syslog

I have allowed traffic from source (Cisco firewall device) to destination (Cribl Cloud) on port 6514 via the outbound firewall.

On Cribl:

Using the default "in_syslog_tls" as source.

Not sure what I'm missing here?

Thanks in advance for any input.


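The replies above say the Cloud syslog listener on 6514 is TLS-only, that its certificate is issued for the instance's name, and that 9514 is plaintext; the last post is trying to get a firewall to deliver over that TLS listener. The script below is an added diagnostic, not code from Cribl or from anyone in this thread: it builds an RFC 5424 syslog line, applies the RFC 5425 octet-counting framing used for syslog over TLS, and, when run as a script, performs a certificate-verified TLS handshake to the collector and sends one test message, reporting the negotiated protocol and the certificate's subject and SAN entries. The collector hostname is a constructed placeholder; because the certificate is tied to the instance name, the client connects by name with hostname checking enabled rather than by IP address.

```python
"""Added diagnostic for syslog-over-TLS delivery to a collector on TCP 6514.

Builds an RFC 5424 syslog message, wraps it in RFC 5425 octet-counting framing,
and (when run as a script) opens a certificate-verified TLS connection to the
collector before sending one test message. Not part of Cribl or this thread.
"""
import datetime as dt
import socket
import ssl

# Hypothetical collector name (constructed placeholder): replace with your own
# Cribl Cloud instance name. The listener's certificate is issued for that name,
# so connect by name rather than by IP or hostname verification cannot succeed.
COLLECTOR_HOST = "worker.example.cribl.cloud"
COLLECTOR_TLS_PORT = 6514  # TLS syslog; 9514 is plaintext and should stay unused


def build_rfc5424(hostname, app_name, msg, facility=16, severity=6, timestamp=None):
    """Return one RFC 5424 syslog line. PRI is facility*8 + severity; the
    defaults (local0, informational) encode as <134>."""
    pri = facility * 8 + severity
    ts = (timestamp or dt.datetime.now(dt.timezone.utc)).isoformat(timespec="milliseconds")
    # VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD SP MSG
    return f"<{pri}>1 {ts} {hostname} {app_name} - - - {msg}"


def frame_rfc5425(line):
    """Octet-counting framing: ASCII byte length, one space, then the message.
    Unlike newline-delimited framing it stays unambiguous when a message
    itself contains newlines."""
    data = line.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def parse_rfc5425(stream):
    """Split a byte stream of octet-counted frames back into messages.
    Returns (messages, leftover); leftover is an incomplete trailing frame."""
    messages = []
    pos = 0
    while pos < len(stream):
        sep = stream.find(b" ", pos)
        if sep == -1:
            break
        length = int(stream[pos:sep])
        start = sep + 1
        if start + length > len(stream):
            break  # frame not fully received yet
        messages.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return messages, stream[pos:]


def tls_context(cafile=None):
    """Client context that requires a trusted chain and a matching hostname
    and refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_test_message(host, port, frame, cafile=None, timeout=5.0):
    """Handshake with the collector, send one framed message, and report what
    was negotiated. Raises ssl.SSLError if the certificate is not trusted or
    does not match the hostname, which is the usual cause of a silent failure."""
    ctx = tls_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame)
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "san": [value for _kind, value in cert.get("subjectAltName", ())],
            }


if __name__ == "__main__":
    line = build_rfc5424("ftd-01", "FTD", "TLS syslog connectivity test")
    print(send_test_message(COLLECTOR_HOST, COLLECTOR_TLS_PORT, frame_rfc5425(line)))
```

Run it from a host that can reach the collector on 6514; a successful result prints the negotiated TLS version, the cipher, and the certificate names, which should match the instance name the firewall is pointed at. A `CERTIFICATE_VERIFY_FAILED` or hostname-mismatch error from the handshake narrows the problem to certificate trust or to connecting by an address the certificate was not issued for, while a plain connection timeout points back at the path and firewall rules.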