
Sending SSL/TLS encrypted events to the relay

Devo Relay was designed to reside within a customer's secure network, receive events over an unencrypted channel, then forward them to the Devo cloud using SSL/TLS encryption. As a result, it is not equipped to receive inbound SSL connections.

However, your data environment may consist of several separate secure networks, each containing data sources whose events you want to forward to Devo via a single relay. To send events to the relay over an encrypted channel, we use a tunneling service (stunnel in this example) installed on the relay machine: it accepts the SSL-encrypted connections, decrypts the traffic, and forwards the plaintext data to the relay on the same host.

We'll describe this process using the example of an environment where two event sources, a firewall and a DNS server, reside in separate networks and the relay resides in a third network.

Install and configure stunnel

You need to install stunnel on the same machine where the relay resides, then set it up to manage the inbound SSL connections and forward the data it receives to the relay.

Install stunnel with the following command:

sudo apt-get install stunnel4

Enable stunnel by editing the /etc/default/stunnel4 file and setting ENABLED to 1.

vi /etc/default/stunnel4

Open the stunnel configuration file for editing. Depending on your Linux distribution, you may need to use a different command:

vi /etc/stunnel/stunnel4.conf

or

Modify the configuration file to accept inbound SSL connections, then forward the data to the Devo relay on localhost. You need to plan which ports stunnel will listen on for inbound SSL traffic and which ports the relay will listen on for the data sent from stunnel.

The sample configuration file below manages the traffic from two sources, a firewall and a DNS server.

  • The firewall will direct its SSL traffic to port 6515 where stunnel will receive and forward it to the relay on localhost port 13005. Any rules designed to process the firewall events must be set up on this port, 13005.

  • The DNS will direct its SSL traffic to port 6516 where stunnel will receive and forward it to the relay on localhost port 13006. Any rules designed to process the DNS events must be set up on this port, 13006.

Any events that are already correctly formatted with the Devo tag can be received by stunnel, then directed to port 13000 on the relay - this is the port designed simply to forward events to the Devo cloud.
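The following stunnel configuration is an added example for the port layout described above; it is not the page's own sample file. It assumes the Debian/Ubuntu stunnel4 package layout (the stunnel4 service user and the pid and log paths), certificate and CA files placed under /etc/stunnel, and an assumed listening port 6517 for events that already carry the Devo tag. The firewall and DNS ports (6515 to 13005, 6516 to 13006) are the ones given above.

```ini
; Added example stunnel configuration for the relay host (not the page's own file).
; Global options: run unprivileged after binding the listening ports.
; User, pid path and log path are assumptions based on the Debian/Ubuntu stunnel4 package.
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel.pid
foreground = no
output = /var/log/stunnel4/stunnel.log
debug = 5

; Server certificate and private key presented to the event sources (assumed paths).
cert = /etc/stunnel/relay-cert.pem
key = /etc/stunnel/relay-key.pem

; Require each source to present a certificate issued by your own CA (mutual TLS),
; so that only authorized senders can reach the accept ports from other networks.
; verifyChain replaces "verify = 2" in older stunnel releases.
CAfile = /etc/stunnel/ca.pem
verifyChain = yes

; Refuse legacy protocol versions (sslVersionMin is available in newer stunnel releases;
; older ones use "options = NO_SSLv3" and similar).
sslVersionMin = TLSv1.2

; Firewall events: TLS in on 6515, plaintext out to the relay rule port 13005.
[firewall]
accept = 6515
connect = 127.0.0.1:13005

; DNS events: TLS in on 6516, plaintext out to the relay rule port 13006.
[dns]
accept = 6516
connect = 127.0.0.1:13006

; Events already formatted with the Devo tag: 6517 is an assumed port for this example;
; they go straight to the reserved relay forwarding port 13000.
[devo-tagged]
accept = 6517
connect = 127.0.0.1:13000
```

The connect targets are bound to 127.0.0.1 so that the decrypted traffic never leaves the relay host; only the accept ports are exposed to the other networks. After restarting the stunnel4 service, you can confirm that a listener is up with `ss -ltnp | grep stunnel` on the relay machine and, from a source network, that the handshake completes with `openssl s_client -connect <relay-host>:6515` (a rejected connection usually means the source certificate is not issued by the CA named in CAfile).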

Read more about the stunnel configuration file.

Set up the relay rules

For our example, we would set up a rule (or rules) on port 13005 to process the firewall events and another rule (or rules) on port 13006 to process DNS events.

Just a few tips for setting up relay rules in this configuration:

  • Follow the guidance provided in the article about the supported technology you are sending.

  • Don't forget the four predefined relay rules on the relay machine's dedicated ports (12999-13002). These ports cannot be used for custom relay rules nor can you use them for stunnel inbound traffic. 

  • You should use the reserved Devo relay port 13000 if the events sent to the stunnel already contain the Devo tag.

Set up event forwarding from the source systems to stunnel

Every event source offers different capabilities for event forwarding. Consult the vendor's documentation for details. 

If available/applicable, you can use the following methods to send events to stunnel:

  • Source machine's syslog daemon (rsyslog or syslog-ng)

  • Set up stunnel as a remote syslog server 
