# Collect data using TCP

{% hint style="info" %}
See the changelog of the **TCP** Listener type [here](https://app.gitbook.com/s/1OZWDcmMPrhfCtF1rMJP/syslog-listener).
{% endhint %}

## Overview

Onum supports integration with **Transmission Control Protocol**.

## Prerequisites

[Contact Onum](https://app.gitbook.com/s/cSjT21I4EUhzghjc1rER/) to get the certificate information required for TLS communication. You will need it during the Listener setup.

## TCP Setup

**Transmission Control Protocol (TCP)** is not a collector itself but a transport protocol that a collector component uses to receive data. In the context of observability and OpenTelemetry (OTel), you set up the [OpenTelemetry Collector](https://docs.onum.com/the-workspace/data-sinks/data-sink-integrations/send-data-using-opentelemetry) to listen on a TCP port using a specific Receiver component.

## Important Considerations Regarding Cloud Deployments

* In cloud-based Onum installations, the **TLS** configuration section of the Listener is not visible and you won't need to enter these values. In these setups, Onum automatically manages TLS certificates, eliminating the need for manual configuration. If your Listener configuration requires you to manually enter these TLS certificates, you can generate them following the instructions [in this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation).
* If you are defining this Listener in a cloud instance, Onum will automatically provide the **Port** and **TLS** configuration.
* Cloud Listeners have an additional step in their creation process: **Network configuration**. Use these details to configure your data source to communicate with Onum. Click **Download certificate** to get the required certificate for the connection. You can also download it from the Listener details once it is created.
* When configuring a Listener in a Cloud tenant, the **port** will be `443`. In on-prem, the selected port must fall within the range of `1024` to `10000`.
* Cloud Listener endpoints are created in Onum's DNS. This process is usually fast, and Listeners are normally available immediately. However, note that it can take up to 24-48 hours, depending on your organization's DNS configuration.
* Your data input must use the **Server Name Indication (SNI)** method, which means it must send its hostname in the TLS authentication process. If SNI is not used, the certificate routing will fail, and data will not be received, even if the certificate is valid.

## Onum Setup

{% stepper %}
{% step %}
Log in to your Onum tenant and click **Listeners > New listener**.
{% endstep %}

{% step %}
Double-click the **TCP** Listener.
{% endstep %}

{% step %}
Enter a **Name** for the new Listener. Optionally, add a **Description** and some **Tags** to identify the Listener.
{% endstep %}

{% step %}
Enter the IP **Port**<mark style="color:red;">**\***</mark> and **Trailer Character**<mark style="color:red;">**\***</mark>.

A **trailer** in TCP typically refers to the end portion of a packet that may contain optional information like checksums, padding, or other metadata. It is part of the TCP header.

* **LF - Line Feed** character is a control character used to signify the end of a line of text or the start of a new line.
* **CR+LF - Carriage Return (CR)** followed by a **Line Feed (LF)** character pair, which is commonly used to signify the end of a line in text-based communication.
* **NULL**

For cloud-based Onum installations, the Port section is not visible (**port** `443` by default). If you see it, enter the required port in the **Port** field.

{% hint style="warning" %}
Note that by default, available TCP ports are 1024 to 10000.
{% endhint %}

While UDP 514 is the standard syslog port, some implementations may use TCP 514 or other ports, depending on specific configurations or security requirements. To determine the syslog port value, check the configuration settings of your syslog server or consult the documentation for your specific device or application.
{% endstep %}

{% step %}
In cloud-based Onum installations, the **TLS** configuration section is not visible. In these setups, Onum automatically manages **TLS** certificates, eliminating the need for manual configuration.

If you see this section, you must enter the required **Certificate**, **Private key** and **CA Chain**. Learn how to generate these self-signed certificates in [this article](https://docs.onum.com/usecases/routing/crowdstrike-integration/self-signed-ssl-tls-certificates-creation). Once you have them, click **New secret** in each field and add the corresponding values.

**Now there are two possible scenarios:**

If you didn't enter your **TLS** certificates, when you click **Create listener** you'll see the **Network configuration** screen, which shows the **Address** and **Port** needed to communicate with Onum. Here you will download the certificate (see the [steps after creation to do this](#download-certificate)).

{% hint style="info" %}
You can access all this information in the Listener details after creation, so don't worry.
{% endhint %}

If you entered the **TLS** certificates, you'll go directly to the labels when you eventually click **Create listener**.
{% endstep %}

{% step %}
These values are stored as Secrets in Onum. Open the **Secret** fields and click **New secret** to create a new one:

* Give the secret a **Name**.
* Turn off the **Expiration date** option.
* Click **Add new value** and paste the secret corresponding to the JWT token you generated before. Remember that the token will be added in the Zscaler configuration.
* Click **Save**.

<figure><picture><source srcset="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FlUo7CuVpPgIVm5VNjLw6%2Fnenenew.png?alt=media&#x26;token=eb7a7231-0ac2-4099-93f9-18f9ead5add1" media="(prefers-color-scheme: dark)"><img src="https://965373739-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FkxZeV4nlXcIAjMGZxzLI%2Fuploads%2FTSD53FxGQOjijA3W3DhE%2Fimage.png?alt=media&#x26;token=9941a3c0-100a-4759-b603-30079fbc90de" alt=""></picture><figcaption></figcaption></figure>

{% hint style="info" %}
Learn more about secrets in Onum in [this article](https://docs.onum.com/administration/global-settings/organization-settings/secrets-management).
{% endhint %}

You can now select the secret you just created in the corresponding fields.
{% endstep %}

{% step %}
Finally, click **Create labels**. Optionally, you can set labels to be used for internal Onum routing of data. By default, data will be set as **Unlabeled**. Click **Create listener** when you're done.

{% hint style="info" %}
Learn more about labels in [this article](https://docs.onum.com/the-workspace/listeners/labels).
{% endhint %}
{% endstep %}
{% endstepper %}


### Download certificate

Now, download the certificate from the **Listeners** view by clicking the created listener and selecting the three dots in the top right-hand corner of the menu > **Download Certificate**.

{% hint style="info" %}
This .p12 file does not require a password to open.
{% endhint %}

To extract the certificates from the download:

```
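#!/bin/bash
# Extract certs from certificate.p12 (the .p12 has an empty password)

# Stop at the first failing command
set -euo pipefail

# client.key is written unencrypted (-nodes): create the output files owner-only
umask 077

# Client certificate (PEM)
openssl pkcs12 -in certificate.p12 -clcerts -nokeys -out client.crt -password pass:

# Client private key (PEM, unencrypted)
openssl pkcs12 -in certificate.p12 -nocerts -nodes -out client.key -password pass:

# CA chain (PEM)
openssl pkcs12 -in certificate.p12 -cacerts -nokeys -out ca-chain.crt -password pass: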
```
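
The following Python sender is an added example, not Onum's own code. It ties together the SNI requirement, the files extracted above and the trailer character. It assumes that the trailer terminates each event, that the Listener accepts the extracted client certificate, and that `ca-chain.crt` validates the Listener's certificate; the host name is a placeholder.

```python
import socket
import ssl

# Trailer options offered by the Listener form (LF, CR+LF, NULL).
TRAILERS = {"LF": b"\n", "CR+LF": b"\r\n", "NULL": b"\x00"}


def frame_events(events, trailer="LF"):
    """Terminate each event with the trailer (assumed to delimit events)."""
    sep = TRAILERS[trailer]
    out = bytearray()
    for event in events:
        data = event.encode("utf-8") if isinstance(event, str) else bytes(event)
        # An embedded trailer byte would make the receiver split one event
        # into several (log injection), so refuse it instead of sending it.
        if any(b in data for b in set(sep)):
            raise ValueError(f"event contains a {trailer} byte: {data!r}")
        out += data + sep
    return bytes(out)


def client_context(ca_file=None, cert_file=None, key_file=None):
    """Verifying TLS client context that can present client.crt/client.key."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def send_events(host, events, port=443, trailer="LF", **tls_files):
    """Send framed events over TLS; returns the number of bytes sent."""
    payload = frame_events(events, trailer)
    ctx = client_context(**tls_files)
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname puts the name in the SNI extension and is also
        # the name the Listener's certificate is checked against.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # Placeholder host: use the Address from the Network configuration screen.
    send_events("listener.example.invalid", ["constructed test event"],
                ca_file="ca-chain.crt", cert_file="client.crt",
                key_file="client.key")
```

The `trailer` argument must match the **Trailer Character** selected on the Listener, otherwise the receiver cannot tell where one event ends.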
