Since logs regularly contain sensitive information, it seems sensible to apply encryption and use TLS when sending logs to a remote / central log server.
Just like using SNMPv3 encryption+auth when fetching metrics, which RouterOS does support.
So I am wondering if the current RouterOS 7.xx might support sending syslog to a remote syslog server over TLS?
From the config options, it seems there was no way to configure the remote to be accessed (only) over TLS …
With certificate support and all already being well on board, this seemed to be a smaller feature to wish for?
But reading https://help.mikrotik.com/docs/display/ROS/Log#Log-Actions it seems that the remote can only be UDP currently?
(Apparently there is TLS support for sending out emails though … )
So the wishlist kinda grew …
0) Add support for using TCP to log remotely
Enable transport via TCP+TLS, while (optionally) validating remote with installed CA certificate
Optionally send a client-certificate to authenticate to that remote
While syslog is indeed traditionally a UDP-only protocol, RFC6587 documents how multiple independent implementations have converged on an interoperable quasi-standard that meets your goals.
This includes the de facto standard implementation on POSIX systems, rsyslog. Their setup doc is here. Note that the caviling about a lack of a suitable standard reflects the fact that this doc preceded the RFC by four years.
While the now 11-year-old RFC that eventuated from that IETF process did not end up setting a standard — it merely documents the obvious extensions to the old one — it does give MikroTik a paved path to follow.
This forum is unsuited to formal requests for features. They want you to use this method since it feeds directly into their development process.
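The two TCP framings that RFC6587 documents (octet counting and LF-terminated non-transparent framing), as an added example that is not part of the original posts and is not RouterOS or rsyslog code. The size limits, function names and the sample message are assumptions made for illustration.

```python
# Added example: stream decoder for the two TCP syslog framings in RFC 6587.
MAX_FRAME = 64 * 1024   # assumed receiver limit, not a value from the RFC
MAX_LEN_DIGITS = 7      # assumed cap on MSG-LEN digits before the space


class FramingError(ValueError):
    """The peer sent bytes that fit neither framing."""


def encode_octet_counted(msg: bytes) -> bytes:
    # Octet counting: MSG-LEN SP SYSLOG-MSG (also the framing used over TLS).
    return str(len(msg)).encode("ascii") + b" " + msg


def decode_frames(buf: bytes):
    """Return (complete_messages, unread_tail) for bytes read so far."""
    msgs, pos = [], 0
    while pos < len(buf):
        first = buf[pos:pos + 1]
        if first in b"123456789":
            sp = buf.find(b" ", pos, pos + MAX_LEN_DIGITS + 1)
            if sp == -1:
                if len(buf) - pos > MAX_LEN_DIGITS:
                    raise FramingError("MSG-LEN not terminated by a space")
                break                      # length prefix still arriving
            if not buf[pos:sp].isdigit():
                raise FramingError("non-digit in MSG-LEN")
            end = sp + 1 + int(buf[pos:sp])
            if end - sp - 1 > MAX_FRAME:
                raise FramingError("frame exceeds receiver limit")
            if end > len(buf):
                break                      # message body still arriving
            msgs.append(buf[sp + 1:end])
            pos = end
        elif first == b"<":
            # Non-transparent framing: message runs to the next LF trailer.
            nl = buf.find(b"\n", pos)
            if nl == -1:
                if len(buf) - pos > MAX_FRAME:
                    raise FramingError("unterminated frame exceeds limit")
                break
            msgs.append(buf[pos:nl])
            pos = nl + 1
        else:
            raise FramingError(f"unexpected byte at offset {pos}")
    return msgs, buf[pos:]


# Constructed sample: one log message that contains an embedded newline.
SAMPLE = b"<134>1 2024-01-01T00:00:00Z rtr1 system - - - login failure\nuser admin"
```

With octet counting the embedded newline in `SAMPLE` survives intact, while LF framing cuts the message at that newline and the remainder no longer parses as a frame.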
Yes, but looking around at other network device vendors, TLS support for syslog is really common - Juniper, Arista, Cisco, …
And yes, on the service-side, rsyslog, syslog-ng, … they all support TCP transport + TLS (including auth via client certs).
And all the building blocks are there with RouterOS7, just need to combine certificates and a TCP client to have this.
Thanks for the hint, I submitted this as SUP-129076 now.