
Will sending logs over TLS work?

Am I able to send syslogs over TLS to a logging service like Papertrail in UTM 9?

This conversation: https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/73827/aws-sophos-utm-9---how-to-properly-send-logs-to-siem seems to suggest it's impossible but it's dated: 6 Apr 2017 12:23 PM

Is it the same case now?

  • Hi Paul and welcome to the UTM Community!

    I'm not sure what to read in that linked thread, so I don't understand your question. I believe Splunk supports encrypted connections from the UTM, so I would expect that Papertrail also would. What did you see that made you conclude otherwise?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • TLS is not a file transfer protocol.

    Please explain how the intended receiving system works.

  • Hi DouglasFoster,

    You are right that TLS is not a file transfer protocol; it is an encryption method and can be used with a file transfer protocol.

    That is why there is FTP and then (either) FTPS or SFTP.

    TLS will only encrypt the data transfer.

    XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
    Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!

  • It is pretty clear from the documentation that SFTP and FTPS are not supported options. Remote Syslog, CIFS/SMB, and FTP all require a VPN tunnel to obtain encryption. SCP/SSH is the only one that provides integral encryption, if your organization considers SCP over the Internet to be an acceptable level of encryption.

    So the workarounds seem to be:

    • Establish a VPN tunnel to the logging server
    • Use SCP/SSH to the logging server
    • Use a dedicated point-to-point link between UTM and an adjacent logging server
    • Use an unencrypted connection to an interim server, then move the files to the destination server using SFTP, FTPS, or any other encryption method.

    The first three can be used even if the organizational requirement is for the logs to always be encrypted, even when moving internally.
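One way to implement the interim-server workaround for the remote-syslog case (rather than file transfer), as an added example that is not from this thread or from Sophos: an rsyslog configuration on the interim host that accepts plain syslog from the UTM over the VPN tunnel or dedicated link and forwards it to the log service over TLS with certificate verification, so the unencrypted hop never leaves the trusted network. The UTM address, destination host name, CA bundle path and port 6514 (the standard syslog-over-TLS port) are assumptions for illustration.

```conf
# --- Interim syslog relay (rsyslog, RainerScript syntax) ---
# Assumed: the UTM sends plain UDP syslog to this host over the VPN or
# point-to-point link; this host forwards over TLS to the log service.

# Accept plain syslog on UDP 514 and route it to a dedicated ruleset
module(load="imudp")
input(type="imudp" port="514" ruleset="from_utm")

# Use the GnuTLS stream driver and trust only the system CA bundle
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"   # assumed path
)

ruleset(name="from_utm") {
    # Only relay messages that actually came from the UTM (assumed address)
    if $fromhost-ip == "10.0.0.1" then {
        action(
            type="omfwd"
            target="logs.example.net"            # assumed destination host
            port="6514" protocol="tcp"
            StreamDriver="gtls"
            StreamDriverMode="1"                  # 1 = TLS required, never plaintext
            StreamDriverAuthMode="x509/name"      # verify chain AND the server name
            StreamDriverPermittedPeers="logs.example.net"
            # Disk-assisted queue so logs survive a TLS outage instead of being dropped
            queue.type="LinkedList"
            queue.filename="tls_fwd_q"
            queue.saveOnShutdown="on"
            action.resumeRetryCount="-1"
        )
    } else {
        # Anything not from the UTM is discarded rather than relayed
        stop
    }
}
```

Check the relay with `rsyslogd -N1` before restarting, and confirm on the receiving side that messages arrive only on the TLS listener and not on any plaintext port.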