This section describes the overall configuration procedure
of syslog encryption.
Prerequisites
- If you select TCP, complete the certificate configuration on the device before you configure syslog receiving:
  - Upload the root certificate rootcert.cer and the CA certificate cacert.cer of the management center to the cfcard:/security/ folder of the device through FTP. If this folder does not exist, create it.
  - Enter ssl policy ssldl and access the ssl policy view. ssldl indicates the view name.
  - Enter trusted-ca load asn1-ca rootcert.cer and import the root certificate.
  - Enter trusted-ca load asn1-ca cacert.cer and import the CA certificate.
- If you select TCP, run the info-center loghost ip-address transport tcp ssl-policy policy-name command on the device to complete the syslog receiving configuration.
- If you select UDP, run the info-center loghost ip-address command on the device to complete the syslog receiving configuration.
- If you select both TCP and UDP, run the info-center loghost ip-address transport tcp ssl-policy policy-name or info-center loghost ip-address command on the device as required to complete the syslog receiving configuration.
- To complete the syslog sending configuration, you must set up the log server in advance. If the log server needs to authenticate the ATIC, ensure that the ATIC certificate has been imported to the log server. For how to export the ATIC certificate, see How to Export Certificates from the Certificate Library.
Procedure
- Configure syslog receiving.
  - Choose .
  - Click Edit and set syslog receiving parameters.
    NOTE:
    - UDP is insecure. You are advised to use the more secure TCP (TLSv1.2).
    - Usually, the default port is used. To change the port, ensure that the newly configured port is not in conflict with existing ones.
- Configure syslog sending.
  - Choose .
  - In the Syslog Server area, click and configure basic information of the log server. After adding the log server certificate to the certificate library, click Browse and import the certificate to the ATIC through the certificate library file. For how to add a certificate to the certificate library, see How to Add Certificates to or Delete Certificates from the Certificate Library.
    NOTE:
    - UDP is insecure. You are advised to use the more secure TCP (TLSv1.2).
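A check for the TCP (TLSv1.2) syslog receiving setup described above, as an added example that is not part of the original documentation: run from a workstation, it connects to the syslog receiving port while trusting only the rootcert.cer and cacert.cer files uploaded to the device, refuses anything below TLS 1.2, and reports the negotiated version. The function names, the script name probe.py, and the address and port arguments are assumptions supplied by the operator; the .cer files are accepted in either DER or PEM encoding.

```python
import socket
import ssl
import sys
from pathlib import Path


def read_ca(path):
    """Return a CA file in the form load_verify_locations(cadata=...) expects:
    str for PEM text, bytes for DER (a .cer file may hold either)."""
    raw = Path(path).read_bytes()
    return raw.decode("ascii") if raw.lstrip().startswith(b"-----BEGIN") else raw


def build_context(ca_paths=()):
    """Client context that trusts only the given CAs and refuses TLS < 1.2."""
    # PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and the hostname/address check.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    for path in ca_paths:
        ctx.load_verify_locations(cadata=read_ca(path))
    return ctx


def probe(host, port, ca_paths, timeout=5.0):
    """Handshake with the syslog receiving port; report the result, never raise."""
    try:
        ctx = build_context(ca_paths)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, expired certificate, or address not in the certificate.
        return {"ok": False, "reason": "certificate: " + exc.verify_message}
    except (ssl.SSLError, OSError, ValueError) as exc:
        # Protocol below TLS 1.2, plaintext listener, unreadable CA file, refused port.
        return {"ok": False, "reason": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Usage (all values are placeholders supplied by the operator):
    #   python3 probe.py <receiver-address> <receiving-port> rootcert.cer cacert.cer
    host, port, *cas = sys.argv[1:]
    result = probe(host, int(port), cas)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A result with ok set to True means the receiver presented a chain that the two uploaded certificates validate over TLS 1.2 or later; any other outcome carries the failure reason.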
Copyright © Huawei Technologies Co., Ltd.