Upgrade TLS Certificate

Loggly will soon upgrade our TLS / SSL encryption certificates to the newer and more robust SHA-256 algorithm. If you are currently using TLS encryption to send logs to Loggly, you may need to take action in order to keep sending them to Loggly.

*If you are running an operating system that does not fully support TLS 1.1 or 1.2 (e.g. CentOS 5, RHEL5, etc.), please scroll to the end of this page for specific options.

HTTPS (March 21st 2016)
If you are using our HTTPS endpoint and the default certificate authorities for most browsers and programming languages, you will automatically get the upgrade. If you have a custom certificate store, you can download the new version and then import it into your browser or certificate store. After the switch, we will stop accepting data using the old certificate.

Syslog (March 30th 2016)
If you are using our syslog TLS endpoint, you must install the new certificate. We have instructions available for rsyslog, syslog-ng, and nxlog. Additionally, you may download the new certificate directly. You may upgrade at any time because the bundle contains both the old and new certificates. After the switch, we will stop accepting data using the old certificate.

This guide shows you how to upgrade your current SHA1 certificate to a new SHA2 certificate and has been tested on Ubuntu, CentOS and Red Hat. It assumes you have already set up Rsyslog TLS on your machine.

Upgrade Linux Rsyslog TLS Certificate

  • Run Automatic Script

Run our automatic Upgrade Certificate script below to set up the new SHA2 certificate and verify that logs are reaching Loggly with it. Alternatively, you can Manually Upgrade TLS Certificate.

curl -O https://www.loggly.com/install/update-loggly-certificate.sh 
sudo bash update-loggly-certificate.sh -a SUBDOMAIN -u USERNAME

By default, the script runs in test mode, which verifies the updated certificate by sending an event to Loggly. To disable test mode, run the script with --notest.

sudo bash update-loggly-certificate.sh -a SUBDOMAIN -u USERNAME --notest

Replace:

      • SUBDOMAIN: your account subdomain that you created when you signed up for Loggly
      • USERNAME: your Loggly username, which is visible at the top right of the Loggly console

  • Verify Events

Search Loggly for events with the tag RsyslogTLS over the past hour. If it doesn’t work, see the troubleshooting section below.

tag:"RsyslogTLS"

Manual Certificate Upgrade

For Linux or Unix-based machines, follow the instructions below to upgrade your rsyslog TLS certificate. For Windows machines, follow the instructions on the nxlog TLS Configuration page. For Syslog-ng, follow the instructions on the Syslog-ng TLS configuration page.

  • Install New Certificate

Change to the ca.d directory at /etc/rsyslog.d/keys/ca.d, which we created in Rsyslog TLS Configuration.

cd /etc/rsyslog.d/keys/ca.d/
sudo curl -O https://logdog.loggly.com/media/logs-01.loggly.com_sha12.crt

  • Change Certificate name in 22-loggly.conf

Open the configuration file (22-loggly.conf).

sudo vim /etc/rsyslog.d/22-loggly.conf

Update the certificate path with the new path given below.

/etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt

  • Restart Rsyslog

Restart rsyslog after making changes in configuration.

sudo service rsyslog restart

  • Manually test the Updated Certificate

We provide a test collector with the new certificate installed so that you can test the connection to Loggly. The test collector is only meant for temporary use and should not be used for full data volume. Therefore, you should switch back to the regular collector after the test is complete. Follow the steps below to perform the test:

Open the /etc/hosts file

sudo vim /etc/hosts

Update the hosts file with the test collector IP.

52.1.106.130 logs-01.loggly.com

Send a sample event through logger.

$ logger 'Hello'

After the event has reached Loggly, revert the changes made to the hosts file by removing the test collector IP from it.
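
The "Change Certificate name in 22-loggly.conf" step above can be scripted so that the edit is backed up and a failed certificate download is rejected. This is an added example, not Loggly's script; it assumes the configuration sets the CA file with rsyslog's legacy $DefaultNetstreamDriverCAFile directive, and the demo's file names and contents are constructed.

```shell
#!/bin/sh
# Added example, not Loggly's script. Assumption: 22-loggly.conf sets the CA
# file with rsyslog's legacy $DefaultNetstreamDriverCAFile directive.
NEW_CA=/etc/rsyslog.d/keys/ca.d/logs-01.loggly.com_sha12.crt
CA_RE='[[:space:]]*[$]DefaultNetstreamDriverCAFile[[:space:]]\{1,\}'

# update_ca_path CONF [CA_FILE]
# Returns 0 = updated or already current, 1 = backup failed,
#         2 = CA file missing or not PEM, 3 = no CA directive in CONF.
update_ca_path() {
    conf=$1
    ca=${2:-$NEW_CA}
    # A failed download can leave an empty file or an HTML error page behind;
    # refuse to point rsyslog at anything that is not a PEM certificate.
    if [ ! -s "$ca" ] || ! grep -q -e '-----BEGIN CERTIFICATE-----' "$ca"; then
        echo "not a PEM certificate: $ca" >&2
        return 2
    fi
    current=$(sed -n "s|^${CA_RE}\([^[:space:]]*\).*|\1|p" "$conf" 2>/dev/null | head -n 1)
    if [ -z "$current" ]; then
        echo "no \$DefaultNetstreamDriverCAFile line in $conf" >&2
        return 3
    fi
    [ "$current" = "$ca" ] && return 0      # already switched, nothing to do
    cp -p "$conf" "$conf.bak" || return 1   # keep the old config for rollback
    # Rewrite only the directive's value; every other line is copied unchanged.
    sed "s|^\(${CA_RE}\).*|\1${ca}|" "$conf.bak" > "$conf"
}

# Demo on constructed input: a throwaway config and a stand-in PEM file.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '$DefaultNetstreamDriverCAFile /constructed/old-bundle.crt' \
        '$ActionSendStreamDriver gtls' > "$d/22-loggly.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-placeholder' \
        '-----END CERTIFICATE-----' > "$d/new.crt"
    update_ca_path "$d/22-loggly.conf" "$d/new.crt" && cat "$d/22-loggly.conf"
    rm -rf "$d"
}
demo
```

On a real host, call update_ca_path /etc/rsyslog.d/22-loggly.conf as root, then run rsyslogd -N1 to check the configuration before restarting rsyslog. The previous file is kept beside it with a .bak suffix for rollback.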

HTTPS Test Instructions

Run the following command to confirm whether the endpoint certificate is signed with SHA-1 or SHA-2:

openssl s_client -connect logs-01.loggly.com:443 </dev/null 2>/dev/null | openssl x509 -text -in /dev/stdin | grep "Signature Algorithm"

The output of the above command should be:

Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption

Advanced Rsyslog TLS Configuration Options

  • Rsyslog TLS Configuration – sending logs using TLS Encryption.
  • Syslog-ng TLS Configuration – sending syslog-ng logs using TLS Encryption.
  • Nxlog TLS Configuration – sending Windows nxlog logs using TLS Encryption.
  • Revert changes – if you want to revert the changes the script made and return to the previous configuration, run the following command, replacing SUBDOMAIN with the account subdomain that you created when you signed up for Loggly.
    sudo bash update-loggly-certificate.sh -a SUBDOMAIN -r
  • Search or post your own rsyslog TLS configuration questions in the community forum.

Troubleshooting Your Rsyslog TLS Configuration

  • Wait a few minutes in case indexing needs to catch up
  • Make sure you restarted rsyslog
  • Troubleshooting Rsyslog if the files are being written but not being sent to Loggly
  • Search or post your own Rsyslog TLS questions in the community forum.

Operating Systems that do not Fully Support TLS 1.1 or 1.2 (CentOS 5, RHEL5, etc)

Customers that are running Operating Systems that do not fully support TLS 1.1 or 1.2 have a few options to ensure their logs continue to flow to Loggly.

  1. For traffic that does not need to be encrypted, customers can switch back to non-encrypted syslog traffic on these Operating Systems.
  2. For traffic that requires encryption, customers can configure their application to send to our HTTP(S) endpoint via our RESTful API.
  3. Customers can upgrade to an Operating System that does support a version of OpenSSL that supports TLS 1.1 or 1.2, for example, CentOS 6.