ePO syslog forwarding only supports the TCP protocol and requires Transport Layer Security (TLS). Specifically, it supports receivers following RFC 5424 and RFC 5425, which is known as syslog-ng.
You don't need to import the certificate used by the syslog receiver into ePO. As long as the certificate is valid, ePO accepts it. Self-signed certificates are supported and are commonly used for this purpose.
ePO doesn't support mutual TLS when connecting to a syslog receiver.
ePO 5.10.0 up to ePO 5.10.0 CU15 support TLSv1.2 and the following cipher suites:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
ePO 5.10 SP1 and later support TLSv1.2 and the following cipher suites:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
The syslog receiver must support at least one of the above suites for the TLS handshake to succeed.
If your syslog receiver doesn't support the above requirements, event forwarding fails. The exact symptoms depend on the particular syslog receiver, but might include one or more of the following:
- When the Test Connection option on the syslog-registered server page is clicked, an error message is displayed, or an ellipsis: '...'
- No events are received at the syslog receiver.
- Events are received, but the entire event is garbled and unreadable.
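A pre-flight check for the requirements above, added here as an example (it is not ePO's or the vendor's code): it translates the 5.10 SP1 and later suite list into OpenSSL names, reports which suites a receiver advertises in common with ePO, and completes a TLS 1.2-only handshake from a client shaped like ePO (no client certificate) to show the negotiated suite. Host, port and the receiver certificate path are supplied by the caller, and `check_receiver.py` is a hypothetical file name.

```python
import socket
import ssl
import sys

# ePO 5.10 SP1 and later suites, as listed in the article (IANA names).
EPO_SUITES_SP1 = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
]

def iana_to_openssl(name: str) -> str:
    """Map an IANA suite name to the OpenSSL name that ssl.SSLContext.set_ciphers expects."""
    # TLS_<kx>_WITH_<cipher>_<bits>_<mode>_<mac>, e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    kx, rest = name[len("TLS_"):].split("_WITH_")
    cipher, bits, mode, mac = rest.split("_")
    core = f"{cipher}{bits}-GCM-{mac}" if mode == "GCM" else f"{cipher}{bits}-{mac}"
    return core if kx == "RSA" else f"{kx.replace('_', '-')}-{core}"

def compatible_suites(receiver_suites, epo_suites=EPO_SUITES_SP1):
    """Suites both sides can use, in ePO's order; an empty list means the handshake cannot succeed."""
    offered = set(receiver_suites)
    return [s for s in epo_suites if s in offered]

def epo_like_context(ca_file=None) -> ssl.SSLContext:
    """Client context shaped like ePO's: TLS 1.2 only, the SP1+ suites, no client certificate (no mTLS).
    ca_file is the receiver's own certificate (self-signed receiver) or its issuing CA; None uses the system store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(iana_to_openssl(s) for s in EPO_SUITES_SP1))
    if ca_file:
        ctx.load_verify_locations(ca_file)
    return ctx

def probe(host, port, ca_file=None):
    """Complete a handshake with the receiver and return (protocol, negotiated suite)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with epo_like_context(ca_file).wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":  # usage: python check_receiver.py <host> <port> [receiver-cert.pem]
    host, port = sys.argv[1], int(sys.argv[2])
    print(probe(host, port, sys.argv[3] if len(sys.argv) > 3 else None))
```

If `probe()` raises an SSLError about a handshake failure or protocol version, the receiver offers neither TLS 1.2 nor any of the listed suites, which corresponds to the Test Connection error above.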
NOTES:
- Parts of some product events, such as Data Loss Protection (DLP), aren't readable. The text is unreadable because some products encrypt sensitive fields in the event. These fields are decrypted via the managed product extension to be displayed in ePO. Events are forwarded to the syslog receiver in their raw state before the extension decrypts them. So, the encrypted sections of the event aren't readable.
- Events are forwarded using the event parser service, which exists on the ePO server itself and any additional Agent Handlers. So, all Agent Handlers must make a connection to the syslog receiver. If you have multiple syslog receivers configured, events are forwarded to all receivers. The ePO server and any additional Agent Handlers must be configured to communicate with all syslog receivers. So, you must adjust your firewall rules accordingly.