Certificate based client authentication not working in graylog

Hi All,

I have installed graylog 2.3.1 in ubuntu 16.04 and I configured beats input in my graylog as like below,

bind_address: 0.0.0.0
override_source: <empty>
port: 5045
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: /etc/graylog/server/graylog-certificate.pem
tls_client_auth: optional
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /etc/graylog/server/graylogkey.pem

In my client windows machine I have installed Graylog collector sidecar and configured the below changes in .yml file,

server_url: https://devserver.com:9002/api 
update_interval: 30
tls_skip_verify: false
send_status: true
list_log_files:
node_id: graylog-collector-sidecar
collector_id: file:C:\Program Files\Graylog-Collector-Sidecar\agent\collector-id
cache_path: C:\Program Files\Graylog-Collector-Sidecar\agent\cache
log_path: C:\Program Files\Graylog-Collector-Sidecar\agent\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
backends:
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\Graylog-Collector-Sidecar\agent\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog-Collector-Sidecar\agent\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog-Collector-Sidecar\agent\generated\winlogbeat.yml
    - name: filebeat
      enabled: false
      binary_path: C:\Program Files\Graylog-Collector-Sidecar\agent\filebeat.exe
      configuration_path: C:\Program Files\Graylog-Collector-Sidecar\agent\generated\filebeat.yml

After I started the collector sidecar and below are the response I could see in my collector_sidecar.log file,

time="2018-02-14T10:54:11+05:30" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2018-02-14T10:54:12+05:30" level=info msg="[winlogbeat] Stopping" 
time="2018-02-14T10:54:15+05:30" level=info msg="[winlogbeat] Starting (exec driver)" 

Below is the response when I checked the winlogbeat log file,

2018-02-14T11:12:46+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:42:46.1499282Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"18m30.1109981s","uptime_ms":"1110110998"}
2018-02-14T11:12:57+05:30 ERR Connecting error publishing events (retrying): remote error: tls: unknown certificate
2018-02-14T11:13:16+05:30 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_bytes=1833 libbeat.logstash.publish.write_bytes=1933 uptime={"server_time":"2018-02-14T05:43:16.1492162Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"19m0.1102861s","uptime_ms":"1140110286"}
2018-02-14T11:13:46+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:43:46.1497756Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"19m30.1108455s","uptime_ms":"1170110845"}
2018-02-14T11:14:16+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:44:16.1494677Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"20m0.1105376s","uptime_ms":"1200110537"}
2018-02-14T11:14:19+05:30 ERR Connecting error publishing events (retrying): remote error: tls: unknown certificate
2018-02-14T11:14:46+05:30 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_bytes=1833 libbeat.logstash.publish.write_bytes=1933 uptime={"server_time":"2018-02-14T05:44:46.1494595Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"20m30.1105294s","uptime_ms":"1230110529"}
2018-02-14T11:15:16+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:45:16.1499364Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"21m0.1110063s","uptime_ms":"1260111006"}
2018-02-14T11:15:41+05:30 ERR Connecting error publishing events (retrying): remote error: tls: unknown certificate
2018-02-14T11:15:46+05:30 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_bytes=1833 libbeat.logstash.publish.write_bytes=1933 uptime={"server_time":"2018-02-14T05:45:46.1496704Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"21m30.1107403s","uptime_ms":"1290110740"}

Generated winlogbeat.yml file,

fields:
  collector_node_id: graylog-collector-sidecar
  gl2_source_collector: d6e8f47e-8e18-4a4a-8ec6-0e7e4e1563a1
output:
  logstash:
    hosts:
    - devserver.com:5045
    ssl:
      certificate: D:\certs\graylog-certificate.pem
      key: D:\certs\graylogkey.pem
      verification_mode: none
path:
  data: C:\Program Files\Graylog-Collector-Sidecar\agent\cache\winlogbeat\data
  logs: C:\Program Files\Graylog-Collector-Sidecar\agent\logs
tags:
- windows
winlogbeat:
  event_logs:
  - name: Application
  - name: System
  - name: Security

I have given the same certificates in both input & client output configuration. I am not using the certificate in the right way and I am doing something wrong.

Please share your thoughts and correct me it would be very helpful.

Regards,
Ganeshbabu R

The certificate authority which create the client certificate used by Winlogbeat has to be known to Graylog in order to validate the client certificate, see the tls_client_auth_cert_file setting of the Beats input.

@jochen

Yes I understand now the graylog has to know the client certificate and so that It will able to validate the client but right now I got stuck in how to generate the client certificate?

We have got the server certificate from the third party entrust and it is valid certificate. As of now I have the below files,

  • server.crt

  • server.key

  • chain.crt

I was trying to generate the client certificate on my own by referring this below link, (or) should I follow up with certificate authority to get the client certificate?

https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.RNWIWkPc.dpbs

Also I am not sure what should be given to Common Name (Should be client IP or FQDN) while generating client certificate?

Please guide me how to proceed further…

Regards,
Ganeshbabu R

No, this is pretty much how far I’ll go on the community forums.

If you need individual support, please contact us for an Enterprise support contract at https://www.graylog.org/contact-sales.

Of course I’ll leave this topic open so that other users on the forums can step up and help you.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.