Accept messages only from some hosts / authentication


(Neil Clayton) #1

I feel I must be missing something fundamental. Is there a way to restrict message acceptance (on the server side) to certain clients? Within Graylog itself? Or is it presumed this is done by the firewall / reverse proxy?

My simple case is a couple of VPS servers that I’d like to have sending messages. Could be GELF (HTTP or UDP). The Graylog server is elsewhere though, so the comms at this stage I intend to go over the public internet. I’d rather not expose a general message reception port without some kind of authentication.

It seems that there is little in the way of auth built into GL, which makes me think I’m missing something! The only thing I have found really so far in the docs mentions using a password-protected TLS cert (I was hoping for something simpler, like basic auth over HTTPS).

Tips / ideas appreciated! Thank you!


(Jan Doberstein) #2

@scornflake

It highly depends on how you transfer the log data and what kind of log data you use. Several ways to have the transport secured are possible and mainly depend on your skill and how deep the rabbit hole should be.

Should you just want to transport some logfiles, use filebeat and add transport encryption and client cert authentication.

My personal setup looks similar to this: https://marketplace.graylog.org/addons/246dc332-7da7-4016-b2f9-b00f722a8e79 with https://www.cloudamqp.com as queue provider.
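As an added illustration of the filebeat route described above (example configuration, not taken from the thread or from the Graylog project), this shows the shipper side with transport encryption and client certificate authentication; the hostname, ports and PKI paths are placeholders:

```yaml
# filebeat.yml (added example; hostname and paths are placeholders)
filebeat.inputs:
  - type: log
    paths:
      - /var/log/myapp/*.log

output.logstash:
  # Graylog "Beats" input, reachable over the public internet
  hosts: ["graylog.example.com:5044"]

  # Transport encryption: verify the server certificate against a CA
  # you control, so the shipper cannot be redirected to a rogue collector.
  ssl.certificate_authorities: ["/etc/filebeat/pki/ca.crt"]
  ssl.verification_mode: full          # weak alternative: "none" (skips all checks)

  # Client certificate authentication: on the Graylog Beats input, set
  # TLS client authentication to "required" and point the trusted client
  # certificate setting at the same CA. Hosts without a certificate signed
  # by that CA are rejected during the TLS handshake, before any log line
  # reaches the input.
  ssl.certificate: "/etc/filebeat/pki/vps1.crt"
  ssl.key: "/etc/filebeat/pki/vps1.key"
  # ssl.key_passphrase: "..."           # only if the client key is encrypted
```

Each VPS gets its own certificate, so revoking one host's access means revoking one certificate rather than rotating a shared secret.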


(Neil Clayton) #3

Thanks Jan,

At this stage I am wanting to be sending logs via filebeat and maybe GELF from a Django app. I had hoped that filebeat would be able to talk AMQP directly, but it appears not. I suppose I’m a little surprised that the setups seem to have as many moving parts as they do (filebeat -> Logstash, AMQP, then finally Graylog). Perhaps it’s just my inexperience with these kinds of things.

I don’t mind the rabbit hole. I was simply hoping to avoid it 🙂

Out of interest, do you know if there’s a good reason that filebeat doesn’t talk AMQP direct? Or is it simply historic / not high enough priority?


(Jan Doberstein) #4

You could use logstash reading a file and transport it via AMQP to Graylog.

The Beats protocol design does not include other transports than direct TCP connections (AFAIK) by design. For a reason.

Transporting logs and metrics over insecure networks is always a challenge. I know other setups that build a VPN network that includes all hosts and use the internal IP for communication. As I have some road warriors in my setup and more than one changing IP, my way includes the queue.


(Jochen) #5

It supports Kafka and Redis out of the box (as of Filebeat 6.0.0) and if you absolutely have to use an AMQP broker, you can use Logstash as an intermediary.


(Neil Clayton) #6

I’ll take a look - thanks.

Absolutely no reason to use AMQP other than it looked like a reasonable option for possibly disconnected clients (and I have no experience with Kafka). If there are transports I should consider before AMQP, I’m totally open to that. The app already has AMQP installed for some background work, so I gravitated to it for that reason.


(Jochen) #7

For reference:


(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.