Connect McAfee ePO with Graylog


#1

Hello everyone!

I want to connect my McAfee ePO server with Graylog. As far as I know, the ePO only communicates via TLS. So I have created the key and cert files, set my Graylog input to TLS-enabled and all that, but I still can't get a test connection between ePO and Graylog.
So I tried sending test syslog messages from the syslog server to its syslog port with TLS enabled, but these messages won't get through either.
When I enable rest-tls and web-tls I can't connect to the web interface; the proxy blocks it.
I only get the following error message in the Graylog log file:

My config of the input:

allow_override_date: true
bind_address: "deletet"
expand_structured_data: true
force_rdns: false
max_message_size: 2097152
override_source: <empty>
port: 6514
recv_buffer_size: 1048576
store_full_message: true
tcp_keepalive: true
tls_cert_file: /etc/graylog/server/certificate/cert.pem
tls_client_auth: required
tls_client_auth_cert_file: /etc/graylog/server/certificate/cert.pem
tls_enable: true
tls_key_file: /etc/graylog/server/certificate/pkcs8-encrypted.pem
tls_key_password: ********
use_null_delimiter: false

and my Graylog config:

# Enable HTTPS support for the REST API. This secures the communication with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
# next line to enable it.
#rest_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the REST API.
#rest_tls_cert_file = /etc/graylog/server/certificate/cert.pem

# The PKCS#8 private key file in PEM format to use for securing the REST API.
#rest_tls_key_file = /etc/graylog/server/certificate/pkcs8-encrypted.pem

# The password to unlock the private key used for securing the REST API.
#rest_tls_key_password = "deletet"


# Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
# using TLS to prevent request forgery and eavesdropping.
# This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
#web_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the web interface.
#web_tls_cert_file = /etc/graylog/server/certificate/cert.pem

# The PKCS#8 private key file in PEM format to use for securing the web interface.
#web_tls_key_file = /etc/graylog/server/certificate/pkcs8-encrypted.pem

# The password to unlock the private key used for securing the web interface.
#web_tls_key_password = "deletet"

#2

My guess is that your certificate files are somehow broken or generated in a wrong way. That has nothing to do with ePO.


#3

To create my certificates I just followed all the steps mentioned in "Creating a self-signed private key/certificate":
http://docs.graylog.org/en/2.4/pages/configuration/https.html

I've tried to create new keys as in "Converting an existing Java Keystore to private key/certificate pair".
Test connections now seem to take a little longer before the error message comes up, but now it says "Short read of DER length".


#4

Anyone got some solution?


(Jochen) #5

Which commands did you execute and what was their complete output?


#6

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem

“Generating a 2048 bit RSA private key
.+++
…+++
writing new private key to ‘pkcs5-plain.pem’
-----”

openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret

keytool -importkeystore -srckeystore cacerts.jks -destkeystore keystore.p12 -deststoretype PKCS12

openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem

openssl pkcs12 -in keystore.p12 -nocerts -out graylog-pkcs5.pem

openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
This creates the graylog-key.pem but says:

unable to load key
139784334886144:error:0906D06C:PEM routines:PEM_read_bio:no start line:…/crypto/pem/pem_lib.c:691:Expecting: ANY PRIVATE KEY

After this I edited the input in my Graylog web interface to enable TLS, pointing it to the key and cert, but all without any success.


(Jochen) #7

Maybe the error in the previous command could have something to do with it? :roll_eyes:

Also, why are you creating the PKCS#12 key store, adding the created certificate and private key, and immediately trying to export them again?


#8

I just tried to do all the steps mentioned in the documentation, so I barely knew which steps I would need, so I tried all the steps, figuring out which cert and key must be used…


(Jochen) #9

I’m sorry to say this, but TLS (or SSL) isn’t for the faint of heart.

Please read the OpenSSL documentation (or whatever program you’re using to create the private key and certificates) to find out what each command is doing in detail and then decide what you need to do.

The Graylog documentation tries to be as concise and “copy & paste” friendly as possible in this regard and doesn’t cover all important details.
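The openssl pipeline from post #6, rebuilt with a check after each step, as an added example; this is not the poster's commands and not Graylog's or McAfee's code. It assumes `openssl` on PATH, the hypothetical host names graylog.example.internal and epo.example.internal, a placeholder key password, and a scratch directory. Beyond the key/cert conversion itself it also shows what the posted input's `tls_client_auth: required` setting demands of the certificate the ePO presents, by verifying a stand-in ePO certificate against the file named in `tls_client_auth_cert_file`.

```shell
#!/bin/sh
# Added example for this thread (not Graylog's, McAfee's or the poster's code).
# Rebuilds the key/cert material a Graylog TLS input needs, verifies every
# artifact with openssl before it goes into tls_cert_file / tls_key_file, and
# shows what tls_client_auth: required demands of the peer's certificate.
# Host names, paths and the password are hypothetical placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_PASS="${KEY_PASS:-changeme}"                          # goes into tls_key_password
GRAYLOG_HOST="${GRAYLOG_HOST:-graylog.example.internal}"  # hypothetical
EPO_HOST="${EPO_HOST:-epo.example.internal}"              # hypothetical

# Does file $1 hold a PEM block of type $2? An empty or wrong-type file fails
# here for the same reason openssl reports "no start line".
pem_has_block() {
    grep -q -- "-----BEGIN .*$2-----" "$1" 2>/dev/null
}

# Minimal non-interactive req config with a subjectAltName (clients match the
# SAN, not only the CN).  $1 = host, $2 = config path
write_openssl_cnf() {
    cat > "$2" <<EOF
[req]
distinguished_name = req_dn
x509_extensions    = v3_req
prompt             = no
[req_dn]
CN = $1
[v3_req]
keyUsage         = keyEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:$1
EOF
}

# Self-signed cert plus unencrypted key in one step.  $1 = host, $2 = file prefix
make_selfsigned() {
    write_openssl_cnf "$1" "$WORKDIR/$2.cnf"
    openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
        -config "$WORKDIR/$2.cnf" \
        -keyout "$WORKDIR/$2-key-plain.pem" -out "$WORKDIR/$2-cert.pem" 2>/dev/null
}

# Graylog reads PKCS#8; encrypt it with the password that goes into tls_key_password.
to_pkcs8_encrypted() {
    openssl pkcs8 -topk8 -in "$WORKDIR/$1-key-plain.pem" \
        -out "$WORKDIR/$1-key-pkcs8.pem" -passout "pass:$KEY_PASS"
}

# The key must load with KEY_PASS and its public half must equal the cert's.
key_matches_cert() {   # $1 = key file, $2 = cert file
    kmc_key=$(openssl pkey -in "$1" -passin "pass:$KEY_PASS" -pubout 2>/dev/null) || return 1
    kmc_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_cert" ]
}

# Is host $2 listed in the SAN of cert $1?
cert_covers_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# With tls_client_auth: required, the peer's cert must verify against what is
# in tls_client_auth_cert_file.  $1 = trust file, $2 = peer cert
peer_trusted_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Steps 1-3 for the Graylog input, each followed by its check.
build_graylog_input_material() {
    make_selfsigned "$GRAYLOG_HOST" graylog
    to_pkcs8_encrypted graylog
    pem_has_block "$WORKDIR/graylog-key-pkcs8.pem" "ENCRYPTED PRIVATE KEY" || return 1
    pem_has_block "$WORKDIR/graylog-cert.pem" "CERTIFICATE" || return 1
    key_matches_cert "$WORKDIR/graylog-key-pkcs8.pem" "$WORKDIR/graylog-cert.pem" || return 1
    cert_covers_host "$WORKDIR/graylog-cert.pem" "$GRAYLOG_HOST" || return 1
}

build_graylog_input_material
make_selfsigned "$EPO_HOST" epo    # stands in for the ePO's own certificate

# The posted input points tls_client_auth_cert_file at Graylog's own cert, so a
# peer presenting any other certificate is rejected during the handshake:
if peer_trusted_by "$WORKDIR/graylog-cert.pem" "$WORKDIR/epo-cert.pem"; then
    echo "ePO cert accepted"
else
    echo "ePO cert rejected (expected with the posted tls_client_auth_cert_file)"
fi
# Putting the ePO's cert (or the CA that issued it) in that file is what makes it pass:
peer_trusted_by "$WORKDIR/epo-cert.pem" "$WORKDIR/epo-cert.pem" && echo "ePO cert accepted"
echo "tls_cert_file=$WORKDIR/graylog-cert.pem tls_key_file=$WORKDIR/graylog-key-pkcs8.pem"
```

Two of these checks map directly onto the thread. `pem_has_block` fails on an empty file, which is what `openssl pkcs12 -nocerts` writes when the PKCS#12 it reads contains no private key (a Java trust store converted with `keytool -importkeystore` is one way to get there), and the following `openssl pkcs8 -topk8` then reports exactly the "no start line ... Expecting: ANY PRIVATE KEY" error from post #6. `peer_trusted_by` models the input's `tls_client_auth: required`: Graylog's `tls_client_auth_cert_file` is the set of certificates trusted for client authentication, so pointing it at the input's own server certificate, as in the posted config, trusts only that one certificate and nothing the ePO is likely to present.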


#10

Ok thank you, I will try again and find the best solution for me


(system) #11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.