Certificate based client authentication not working in graylog


(Ganeshbabu Ramamoorthy) #1

Hi All,

I have installed Graylog 2.3.1 on Ubuntu 16.04 and configured the Beats input in my Graylog as below,

bind_address: 0.0.0.0
override_source: <empty>
port: 5045
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: /etc/graylog/server/graylog-certificate.pem
tls_client_auth: optional
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /etc/graylog/server/graylogkey.pem

On my client Windows machine I have installed the Graylog Collector Sidecar and configured the changes below in the .yml file,

server_url: https://devserver.com:9002/api 
update_interval: 30
tls_skip_verify: false
send_status: true
list_log_files:
node_id: graylog-collector-sidecar
collector_id: file:C:\Program Files\Graylog-Collector-Sidecar\agent\collector-id
cache_path: C:\Program Files\Graylog-Collector-Sidecar\agent\cache
log_path: C:\Program Files\Graylog-Collector-Sidecar\agent\logs
log_rotation_time: 86400
log_max_age: 604800
tags: [windows]
backends:
    - name: nxlog
      enabled: false
      binary_path: C:\Program Files (x86)\nxlog\nxlog.exe
      configuration_path: C:\Program Files\Graylog-Collector-Sidecar\agent\generated\nxlog.conf
    - name: winlogbeat
      enabled: true
      binary_path: C:\Program Files\Graylog-Collector-Sidecar\agent\winlogbeat.exe
      configuration_path: C:\Program Files\Graylog-Collector-Sidecar\agent\generated\winlogbeat.yml
    - name: filebeat
      enabled: false
      binary_path: C:\Program Files\Graylog-Collector-Sidecar\agent\filebeat.exe
      configuration_path: C:\Program Files\Graylog-Collector-Sidecar\agent\generated\filebeat.yml

After I started the collector sidecar, below is the response I could see in my collector_sidecar.log file,

time="2018-02-14T10:54:11+05:30" level=info msg="[winlogbeat] Configuration change detected, rewriting configuration file." 
time="2018-02-14T10:54:12+05:30" level=info msg="[winlogbeat] Stopping" 
time="2018-02-14T10:54:15+05:30" level=info msg="[winlogbeat] Starting (exec driver)" 

Below is the response when I checked the winlogbeat log file,

2018-02-14T11:12:46+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:42:46.1499282Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"18m30.1109981s","uptime_ms":"1110110998"}
2018-02-14T11:12:57+05:30 ERR Connecting error publishing events (retrying): remote error: tls: unknown certificate
2018-02-14T11:13:16+05:30 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_bytes=1833 libbeat.logstash.publish.write_bytes=1933 uptime={"server_time":"2018-02-14T05:43:16.1492162Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"19m0.1102861s","uptime_ms":"1140110286"}
2018-02-14T11:13:46+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:43:46.1497756Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"19m30.1108455s","uptime_ms":"1170110845"}
2018-02-14T11:14:16+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:44:16.1494677Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"20m0.1105376s","uptime_ms":"1200110537"}
2018-02-14T11:14:19+05:30 ERR Connecting error publishing events (retrying): remote error: tls: unknown certificate
2018-02-14T11:14:46+05:30 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_bytes=1833 libbeat.logstash.publish.write_bytes=1933 uptime={"server_time":"2018-02-14T05:44:46.1494595Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"20m30.1105294s","uptime_ms":"1230110529"}
2018-02-14T11:15:16+05:30 INFO Non-zero metrics in the last 30s: uptime={"server_time":"2018-02-14T05:45:16.1499364Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"21m0.1110063s","uptime_ms":"1260111006"}
2018-02-14T11:15:41+05:30 ERR Connecting error publishing events (retrying): remote error: tls: unknown certificate
2018-02-14T11:15:46+05:30 INFO Non-zero metrics in the last 30s: libbeat.logstash.publish.read_bytes=1833 libbeat.logstash.publish.write_bytes=1933 uptime={"server_time":"2018-02-14T05:45:46.1496704Z","start_time":"2018-02-14T05:24:16.0389301Z","uptime":"21m30.1107403s","uptime_ms":"1290110740"}

Generated winlogbeat.yml file,

fields:
  collector_node_id: graylog-collector-sidecar
  gl2_source_collector: d6e8f47e-8e18-4a4a-8ec6-0e7e4e1563a1
output:
  logstash:
    hosts:
    - devserver.com:5045
    ssl:
      certificate: D:\certs\graylog-certificate.pem
      key: D:\certs\graylogkey.pem
      verification_mode: none
path:
  data: C:\Program Files\Graylog-Collector-Sidecar\agent\cache\winlogbeat\data
  logs: C:\Program Files\Graylog-Collector-Sidecar\agent\logs
tags:
- windows
winlogbeat:
  event_logs:
  - name: Application
  - name: System
  - name: Security

I have given the same certificates in both the input and the client output configurations. I am not using the certificate in the right way and I am doing something wrong.

Please share your thoughts and correct me; it would be very helpful.

Regards,
Ganeshbabu R


(Jochen) #2

The certificate authority which created the client certificate used by Winlogbeat has to be known to Graylog in order to validate the client certificate, see the tls_client_auth_cert_file setting of the Beats input.


(Ganeshbabu Ramamoorthy) #3

@jochen

Yes, I understand now that Graylog has to know the client certificate so that it will be able to validate the client, but right now I am stuck on how to generate the client certificate.

We got the server certificate from the third party Entrust and it is a valid certificate. As of now I have the below files,

  • server.crt

  • server.key

  • chain.crt

I was trying to generate the client certificate on my own by referring to the link below, or should I follow up with the certificate authority to get the client certificate?

https://kb.op5.com/pages/viewpage.action?pageId=19073746#sthash.RNWIWkPc.dpbs

Also, I am not sure what should be given as the Common Name (should it be the client IP or FQDN) while generating the client certificate.

Please guide me on how to proceed further.

Regards,
Ganeshbabu R


(Jochen) #4

No, this is pretty much how far I’ll go on the community forums.

If you need individual support, please contact us for an Enterprise support contract at https://www.graylog.org/contact-sales.

Of course I’ll leave this topic open so that other users on the forums can step up and help you.


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.