SYSLOG collector infrastructure for Cortex XSIAM #6112

Closed
7 of 13 tasks
mTouhid opened this issue Feb 1, 2024 · 6 comments
Assignees
Labels
member request (Feature requested by a member to enhance the platform experience); onboarding (Tasks to onboard teams)

Comments

mTouhid commented Feb 1, 2024

Environment details

This SYSLOG collector needs to be connected to the MoJ_Prod_TGW to receive SYSLOG over UDP on port 514 that Atos is planning to send. This SYSLOG collector is a Palo Alto Cortex XSIAM product. This SYSLOG collector is capable of parsing and filtering incoming logs, and it will ship collected logs to XSIAM Cloud for analysis and monitoring.

Application Name

Cortex XSIAM Broker

Description of application

This SYSLOG collector needs to be connected to the MoJ_Prod_TGW so that it receives SYSLOG over UDP on port 514 that Atos is planning to send. This SYSLOG collector is a Palo Alto Cortex XSIAM product. This SYSLOG collector is capable of parsing and filtering incoming logs, and it will ship collected logs to XSIAM Cloud for analysis and monitoring.

Use Cases

MoJ_Prod_TGW:
Cisco AnyConnect devices in ARK to be able to securely transport logs over the SD-WAN / VPN
Future syslogging from non-MoJ-supported devices in ARK, DMVPN and site LAN to be able to transport the logs securely over the SD-WAN / VPN

MoJ_NOC_TGW:
ARK Management Network to allow any Cisco devices to securely transfer SYSLOGs over unencrypted UDP port 514 via a VPN
102PF to allow any Cisco devices to securely transfer SYSLOGs over unencrypted UDP port 514 via a VPN
MoJ Managed DIA Networks to allow any devices to securely transfer SYSLOGs over unencrypted UDP port 514 via a VPN

GitHub team slug

mip-devops

GitHub code owner team slug

mip-devops

Environments

  • Development
  • Test
  • Preproduction
  • Production

Environment access level Development

No response

Environment access level Test

No response

Environment access level Preproduction

developer

Environment access level Production

developer

application

Cortex XSIAM Broker

business-unit

HQ

infrastructure-support

mip team: monitoring-and-integration-platform@justice.gov.uk

owner

mip team: monitoring-and-integration-platform@justice.gov.uk

Subnet sets

  • General
  • Isolated

How do users connect to the application

With a MoJ Official device

Additional features

Please check any additional features required

  • Additional VPC Endpoints
  • Extended DNS Zones
  • Other - please specify

Other information

No response

Definition of Done

mTouhid added the onboarding and member request labels on Feb 1, 2024

mTouhid commented Feb 1, 2024

In addition to having connectivity to MoJ-TGW, can we also have connectivity to NOC-TGW? It is needed because the 102PF management network has VPN connectivity with NOC-TGW, and this SYSLOG collector needs to be able to collect SYSLOGs from networking alliances in 102PF too. Thank you.


mTouhid commented Feb 5, 2024

As @davidkelliott requested, I am sharing the design proposal here:

  1. We are planning to deploy three EC2 instances in a VPC, in three private subnets from three AZs, in a high-availability cluster configuration.
  2. We are then planning to deploy a Network Load Balancer in public subnets from all AZs which will have a public interface (x.x.x.x) with a listener for TCP-6514.
  3. We are also planning to deploy a Network Load Balancer in private subnets from all AZs which will have three private interfaces (10.180.96.100, 10.180.97.100, 10.180.98.100) with a listener for UDP-514.
  4. The plan is to attach the VPC to MoJ_prod_TGW and to NOC-TGW, because this broker VM cluster needs to be reached from the PA-5260 in the Ark DCs as well as from switches in 102PF and other sites.
  5. The Cisco devices (including those in 102PF) are only able to send syslogs in plain text over UDP on port 514, and therefore need to be protected inside a VPN tunnel. Hence this Broker VM needs a connection to NOC-TGW, which has a secure VPN connection with the 102PF network.
  6. Devices that can send secure syslog with TLS encryption will be sending logs over the public internet to the public interface of the NLB (x.x.x.x).
  7. The TCP 6514 connection should be available on the public internet to allow logs from other sources to connect securely.
  8. The local TGWs should allow TCP 6514 to allow correction of the endpoints in case of misconfiguration.
  9. UDP port 514 should be configured to log and drop any connection over the public internet. This will allow MoJ to be advised if any equipment running on this port has been misconfigured.

I have attached the HLD of the proposed VPC here.

[image: Broker VM]
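The design proposal above fixes three rules for what the broker accepts: plaintext UDP/514 only from networks that arrive through the TGW attachments, TLS syslog on TCP/6514 from anywhere, and UDP/514 from the public internet logged and dropped so the misconfigured sender can be chased. The following is an added example, not code from the Cortex XSIAM Broker or from the Modernisation Platform's Terraform: it models those rules as an inbound policy, parses the RFC 3164 messages Cisco IOS emits and RFC 5424 messages from TLS-capable senders, and runs both over constructed sample flows. The assumption that "reached via a TGW" means an RFC 1918 source address, the hostnames, and the log lines are all invented for the example.

```python
"""Inbound policy and header parser for a syslog broker (added example).

Not the Cortex XSIAM Broker's code; it models items 5-9 of the design
proposal so they can be checked against sample flows. CIDRs, hostnames and
log lines below are constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption (not from the issue): traffic arriving through the TGW
# attachments (Ark DCs, 102PF, DMVPN/SD-WAN sites) carries an RFC 1918
# source address; anything else came in from the public internet via the
# public NLB.
TGW_ROUTED = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Decision:
    action: str   # "accept" or "drop"
    log: bool     # True when the event must be recorded so the sender can be fixed
    reason: str


def inbound_policy(src_ip: str, proto: str, dport: int) -> Decision:
    """Plaintext UDP/514 only inside the VPN path, TLS syslog on TCP/6514
    from anywhere, public UDP/514 logged and dropped, everything else dropped."""
    src = ipaddress.ip_address(src_ip)
    via_tgw = any(src in net for net in TGW_ROUTED)
    if proto == "udp" and dport == 514:
        if via_tgw:
            return Decision("accept", False, "plaintext syslog inside VPN/TGW path")
        return Decision("drop", True, "plaintext syslog from public internet; sender is misconfigured")
    if proto == "tcp" and dport == 6514:
        return Decision("accept", False, "syslog over TLS (RFC 5425)")
    return Decision("drop", False, "not a syslog listener")


# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# Structured data is simplified: escaped ']' inside SD-PARAM values is not handled.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)
# RFC 3164 (what Cisco IOS emits): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)


def parse_syslog(raw: str) -> dict:
    """Split PRI into facility/severity and pull out the header fields."""
    m = RFC5424.match(raw) or RFC3164.match(raw)
    if m is None:
        raise ValueError("not an RFC 5424 or RFC 3164 syslog message")
    pri = int(m["pri"])
    if pri > 191:                      # max facility 23 * 8 + severity 7
        raise ValueError(f"PRI out of range: {pri}")
    event = {k: v for k, v in m.groupdict().items() if v is not None}
    event["facility"] = pri // 8
    event["severity"] = pri % 8
    event["format"] = "rfc5424" if m.re is RFC5424 else "rfc3164"
    return event


def handle_datagram(src_ip: str, proto: str, dport: int, payload: str) -> dict:
    """One inbound message: policy first, parse only what was accepted, so a
    dropped packet is recorded for follow-up but its payload is never parsed."""
    decision = inbound_policy(src_ip, proto, dport)
    record = {"src": src_ip, "proto": proto, "dport": dport,
              "action": decision.action, "reason": decision.reason}
    if decision.action == "accept":
        record["event"] = parse_syslog(payload)
    elif decision.log:
        record["alert"] = "misconfigured sender"   # what MoJ would be advised of
    return record


# Constructed samples: a Cisco IOS switch in 102PF over the VPN, a firewall
# sending RFC 5424 over TLS from the internet, and a plaintext sender that
# leaked onto the public interface.
SAMPLES = [
    ("10.180.96.5", "udp", 514,
     "<189>Feb  5 10:15:00 sw01 123: %SYS-5-CONFIG_I: Configured from console by admin"),
    ("203.0.113.10", "tcp", 6514,
     "<134>1 2024-02-05T10:15:00Z fw01 asa - - - %ASA-6-302013: Built outbound TCP connection"),
    ("203.0.113.10", "udp", 514,
     "<189>Feb  5 10:16:00 sw02 124: %SYS-5-CONFIG_I: Configured from console by admin"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(handle_datagram(*sample))
```

The policy deliberately keys on the source address rather than on the listener, because both NLBs front the same broker instances: a UDP/514 datagram that shows up with a public source is the signal that a device was pointed at the wrong endpoint, and that is the case item 9 wants logged. Facility 23 / severity 5 on the Cisco line is the local7/notice pair IOS uses by default, which is a useful sanity check when a new device is onboarded.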

@dms1981 dms1981 moved this from To Do to In Progress in Modernisation Platform Feb 6, 2024
@dms1981 dms1981 self-assigned this Feb 6, 2024

dms1981 commented Feb 6, 2024

Looking at this one in conjunction with #6048


dms1981 commented Feb 6, 2024

The bulk of the work here has been done, but I'm also working through the RAM share bug. Once I've got a solution for that I'll be able to progress this on to the TGW connectivity questions.

@dms1981 dms1981 closed this as completed Feb 8, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Modernisation Platform Feb 8, 2024

github-actions bot commented Feb 8, 2024

Hello @mTouhid 👋 Welcome to the Modernisation Platform! Your new accounts have now been created. Please see our user guidance for details on how to build and access infrastructure in the Modernisation Platform. If you require help or assistance please contact us via the #ask-modernisation-platform Slack channel.


dms1981 commented Feb 8, 2024

OK! The RAM share bug has been resolved. I've created a 1 point issue for the firewall rules, and will create another issue for the NOC-TGW peering.
