Skip to main content

OpenVPN Support Center

Welcome to the new and improved OpenVPN Support Center.

Search the Support Center

Access Server: Send Access Server Logs to Splunk over TLS

  • Updated

Description

Splunk is used to collect and analyze data from servers and applications. While Access Server can forward logs to external systems using the standard Syslog (as described in the guide "How To Log To Syslog"), some users require sending logs over TLS.

This article explains configuring Access Server to forward logs to a Splunk server over TLS using rsyslog.

Step 1: Prepare the Splunk server

  1. Locate the required certificates ("server.pem" and "cacert.pem") and the sslPasswordon your Splunk server:
    ls /opt/splunk/etc/auth/
    • Look for:
      server.pem
      cacert.pem
      Your configured 
  2. Locate your sslPassword in server.conf, located in this directory:
    /opt/splunk/etc/system/default/
  3. Launch Splunk Web and sign in.
  4. Click Settings>Data>Data Inputs and select TCP.
    Imagen3.jpg
  5. Click New Local TCP.
    Imagen4.jpg
  6. Enter port 1514 and follow the prompts to finish setup.
  7. Next, we locate the inputs.conf file to configure the TLS options in one of these directories:
    • /opt/splunk/etc/apps/search/local/
    • /opt/splunk/etc/apps/launcher/local/
  8. Configure inputs.conf with TLS settings:
    [tcp-ssl:1514]

    [SSL]
    serverCert = /opt/splunk/etc/auth/server.pem
    sslPassword = password
    Important: The value for "sslPassword" must match what's configured in server.conf

Once this is done, we should get a file like this.

[tcp://1514]
connection_host = ip
host = LogForward
sourcetype = generic_single_line

[tcp-ssl:1514]

[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = password

Step 2: Configure Access Server to send logs via TLS

2.1: Install TLS support for rsyslog

  1. Connect to the Access Server console and get root privileges.
  2. Install the required package, rsyslog-gnutls:
    apt install rsyslog-gnutls

2.2: Add the CA certificate from the Splunk server

  1. Copy the cacert.pem from your Splunk server to the Access Server host and rename it for clarity (we saved it to /etc/rsyslog.d/):
    scp user@splunk:/opt/splunk/etc/auth/cacert.pem /etc/rsyslog.d/splunkCA.pem
    Important: The file must be readable by rsyslog.

2.3: Configure rsyslog on Access Server

  1. Configure forwarding the openvpnas.conf file under /etc/rsyslog.d/:
    # certificate CA file for a client
    $DefaultNetstreamDriverCAFile /etc/rsyslog.d/splunkCA.pem

    # set up the action
    $DefaultNetstreamDriver gtls # use gtls netstream driver
    $ActionSendStreamDriverMode 1 # require TLS for the connection
    $ActionSendStreamDriverAuthMode anon # server is NOT authenticated
    if $programname == 'openvpnas' then @@203.0.113.0:151
    Important: Replace 203.0.113.0 with your Splunk server's actual IP.

2.4: Restart rsyslog

  1. Apply the changes by restarting the rsyslog.d process:
    systemctl restart rsyslog
    • Access Server should start sending the syslog encrypted.
  2. Verify the service is running:
    systemctl status rsyslog

Step 3: Confirm encrypted log forwarding

You can confirm the connection and encryption using tcpdump:

tcpdump -i any tcp port 1514 -X -s 0 -nn

Imagen8.jpg

Once all this is correctly set, we can see the logs on the Splunk search dashboards.

Imagen9.jpg


If you have additional questions, please submit a ticket.

Comments

0 comments

Please sign in to leave a comment.