Appendix C: Configuring a syslog-ng Server

Virtual Scan Appliance

Veracode enables VSA customers to configure a syslog-ng server to receive system log messages relating to audit log files, yum updates, Veracode logins and logouts, and iptables logs. Messaging is supported over UDP, TCP, or TCP with TLS encryption. When TLS is used, the VSA client runs with peer-verify(optional-untrusted), which means it does not check or verify the server certificate: the connection is encrypted, but the identity of the receiving server is not authenticated by the client, so make sure the configured IP address and port really belong to your syslog-ng server. The client is set up to present a self-signed certificate, so it can connect immediately to servers running TLS with peer-verify set to optional-untrusted, optional-trusted, or required-untrusted. To use peer-verify(required-trusted) on your syslog-ng server, you must install the Veracode CA certificate in the directory that syslog-ng is configured to search for CA certificates. Contact Veracode Support to obtain the CA certificate.

Server Configuration Suggestions

Depending on the current configuration of your syslog-ng server, a few filtering and rewriting rules can help you tell apart messages from different VSAs that land in a single log. The hostname of every VSA is veracode-appliance and is not configurable, so if you have multiple VSAs the only way to distinguish them is the VSA token carried in the message portion of each log entry. With a few configuration rules you can replace the HOST portion of the syslog message with the VSA token, or with the name you gave the VSA when you created it in the Veracode Platform.

All examples below involve the syslog-ng.conf file. In the examples, the VSA token from the Veracode Platform is ABC-123-DEFG-456-HIJK.

Example 1: Rewrite the source of a message to correspond to the VSA name in the Veracode Platform

#Add a filter that matches messages containing your token
filter f_my_vsa_name { match("ABC-123-DEFG-456-HIJK" value("MESSAGE")); };
#Rewrite the source host of messages that pass through the filter
rewrite r_my_vsa_name { set("my_vsa_name_from_platform" value("HOST") condition(filter(f_my_vsa_name))); };
#Apply the rewrite rule to your log rule
log { source(s_your_remote_source); rewrite(r_my_vsa_name); destination(d_your_destination); };
This code results in messages similar to the following:
Apr 20 14:50:01 my_vsa_name_from_platform audispd[15508]: vsa_token= ABC-123-DEFG-456-HIJK  …

Example 2: Rewrite the source of a message coming from a VSA to be the source IP address

#Add a filter that matches messages which contain "vsa_token"
filter f_vsa_message { match("vsa_token" value("MESSAGE")); };
#Rewrite the source host of messages that pass through the filter to be the SOURCEIP
rewrite r_host_ip { set("$SOURCEIP" value("HOST") condition(filter(f_vsa_message))); };
#Apply the rewrite rule to your log rule
log { source(s_your_remote_source); rewrite(r_host_ip); destination(d_your_destination); };

This code results in messages similar to the following:

Apr 23 14:55:55 10.130.28.149 SYSLOG_NG_TEST[5091]: vsa_token=XAT-HHMF-EU6-C8C1-U7A This is a test message.
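The following server-side syslog-ng.conf ties together the TLS discussion above and the two rewrite examples. It is an added example written for this appendix, not Veracode's own configuration or a file shipped on the VSA. It accepts TLS connections with peer-verify(required-trusted), which requires the Veracode CA certificate (obtained from Support) to be present in the ca-dir() directory in the hashed-symlink layout that "openssl rehash" produces, and it routes messages from several VSAs into one file per appliance. The port 6514, the certificate paths under /etc/syslog-ng/tls, the directory /var/log/vsa, the second token, and both VSA names are assumptions for illustration; the first token is the one used in the examples above.

```conf
@version: 3.30
@include "scl.conf"

# TLS listener for VSAs. peer-verify(required-trusted) makes syslog-ng reject
# any client whose certificate does not chain to a CA in ca-dir(); the VSA's
# certificate chains to the Veracode CA, so that CA must be installed there.
# Port and paths are assumptions for this example.
source s_vsa_tls {
    network(
        ip("0.0.0.0")
        port(6514)
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/server.key")
            cert-file("/etc/syslog-ng/tls/server.crt")
            ca-dir("/etc/syslog-ng/tls/ca.d")
            peer-verify(required-trusted)
        )
    );
};

# Only messages that carry a VSA token are handled by this log path.
filter f_vsa_message { match("vsa_token=" value("MESSAGE")); };

# One filter/rewrite pair per appliance. Each token comes from the Veracode
# Platform; the names on the right are the ones given to the VSAs there
# (assumed values for this example).
filter  f_vsa_build { match("ABC-123-DEFG-456-HIJK" value("MESSAGE")); };
rewrite r_vsa_build { set("vsa-build-01" value("HOST") condition(filter(f_vsa_build))); };

filter  f_vsa_qa    { match("XAT-HHMF-EU6-C8C1-U7A" value("MESSAGE")); };
rewrite r_vsa_qa    { set("vsa-qa-01" value("HOST") condition(filter(f_vsa_qa))); };

# A message with a token that matches no known VSA keeps its source IP as HOST,
# so an unexpected appliance stands out instead of hiding under veracode-appliance.
filter  f_vsa_known   { filter(f_vsa_build) or filter(f_vsa_qa); };
rewrite r_vsa_unknown { set("$SOURCEIP" value("HOST") condition(not filter(f_vsa_known))); };

# One log file per (rewritten) HOST value.
destination d_vsa {
    file("/var/log/vsa/${HOST}.log"
         template("${ISODATE} ${HOST} ${PROGRAM}[${PID}]: ${MESSAGE}\n")
         create-dirs(yes));
};

log {
    source(s_vsa_tls);
    filter(f_vsa_message);
    rewrite(r_vsa_build);
    rewrite(r_vsa_qa);
    rewrite(r_vsa_unknown);
    destination(d_vsa);
};
```

Check the file with "syslog-ng --syntax-only -f /etc/syslog-ng/syslog-ng.conf" before reloading, then run syslog_ng test on the VSA and confirm the test message appears in /var/log/vsa/vsa-build-01.log (or the file named after whichever VSA sent it). If the VSA's test message never arrives while the TLS handshake is failing, check that the Veracode CA is in ca-dir() and that "openssl rehash /etc/syslog-ng/tls/ca.d" has been run; an untrusted client certificate is rejected silently from the client's point of view because the client itself does not verify the server.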

The syslog_ng Command on the VSA

The syslog_ng command manages the remote syslog-ng destination on the VSA. The command requires one of the following valid arguments:
  • -configure: configures the remote syslog destination
  • -off: turns off remote syslogging
  • -status: prints the current configuration of the syslog-ng remote destination
  • -debug: prints the last 10 log messages received from the syslog-ng process (excludes log statistics)
  • -test: sends a test log message to the remote syslog destination

When run with the configure argument, you are prompted for the protocol, the IP address and port of your existing syslog-ng server, and whether that server uses TLS. You must then run the save command to save the configuration and restart the syslog-ng client. After configure has run, you can turn off remote syslogging by running syslog_ng off, review the current configuration by running syslog_ng status, view the last 10 syslog-ng log messages to debug connection issues by running syslog_ng debug, or send a test log message to the syslog-ng server by running syslog_ng test.