Docker Build: Beats with TLS

Hey there,

I am new to the topic and have a few troubles understanding the necessary steps to get a Graylog Sidecar running with Beats over TLS. I got everything running without TLS. Could someone please elaborate what I have to do? I am using the docker compose file.

I am happy to share what I got so far:

  • created CA with ShadowCA
  • imported CA to jdk keystore with custom docker image
  • created client certificate and configured filebeat

The path of the keystore (usr/local/openjdk-8/lib/security/cacerts) differs from the one in the documentation. I guess it was written for a no docker install…

Can anyone further elaborate the TLS Input Options in the Beats Input configuration?

Much thanks in advance!

The default file locations page is missing a docker section.

Where can I find the JVM settings for Graylog in the Docker container?

I imported my CA into the default keystore /usr/local/openjdk-8/lib/security/cacerts but this did not seem to work. I get a TLSV1_ALERT_UNKNOWN_CA error.

EDIT: found it under /etc/profile.d/graylog.sh.
The setting is named GRAYLOG_SERVER_JAVA_OPTS, not GRAYLOG_JAVA_OPTS.

TLS is working fine, but when I turn on client auth I get a “PEER_DID_NOT_RETURN_A_CERTIFICATE” error, even though I configured everything properly. Might there be a problem with my certificates? I created them using shadowCA.

What is your configuration?

Hey there! Sorry for my late reply:

Beats:
bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 8
override_source:
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: /etc/graylog.crt
tls_client_auth: required
tls_client_auth_cert_file: /etc/graylog-trusted/
tls_enable: true
tls_key_file: /etc/graylog.key
tls_key_password: ********

Sidecar
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
- input_type: log
  paths:
    - /var/log/apache2/*.log
  type: log
output.logstash:
  hosts: ["xyz:5044"]
  ssl:
    certificate_authorities: ["/etc/ca.pem"]
    certificate: "/etc/client.crt"
    key: "/etc/client.key"
    verification_mode: "none"
path:
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log

What version of Graylog did you use?

FROM graylog/graylog:3.1

# become root
USER 0

###### import shadowCA
# copy shadowCA files
COPY cert/CA/shadowCA.der /etc/shadowCA.der
COPY cert/CA/shadowCA.pem /etc/shadowCA.pem
# add the CA certificate to truststore
RUN cp /etc/shadowCA.pem /usr/local/share/ca-certificates/shadowCA.pem && update-ca-certificates
# test & import the .der file
RUN keytool -v -printcert -file /etc/shadowCA.der
RUN keytool -importcert -alias shadowCA -keystore /usr/local/openjdk-8/lib/security/cacerts -storepass changeit -file /etc/shadowCA.der -noprompt

RUN sed -i "s/export GRAYLOG_SERVER_JAVA_OPTS='-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow'/export GRAYLOG_SERVER_JAVA_OPTS='-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=\/usr\/local\/openjdk-8\/lib\/security\/cacerts'/" "/etc/profile.d/graylog.sh"

###### import keys & certs
# create dir for trusted clients
RUN mkdir /etc/graylog-trusted/
# copy graylog cert files
COPY cert/graylog.xyz.tl/graylog.xyz.tl.crt /etc/graylog.crt
COPY cert/graylog.xyz.tl/graylog.xyz.tl.key /etc/graylog.key
# copy trusted clients
COPY cert/test1/test1.crt /etc/graylog-trusted/test1.crt
# make graylog user owner of certs & keys
RUN chown graylog:graylog /etc/graylog.crt
RUN chown graylog:graylog /etc/graylog.key
RUN chown -R graylog:graylog /etc/graylog-trusted/

#RUN keytool -keystore /usr/local/openjdk-8/lib/security/cacerts -storepass changeit -list

USER graylog

I followed these instructions now and still get a “peer did not return certificate” error :frowning: Anybody?

Filebeat says:
Failed to connect to backoff(async(tcp://xyz.tld:5044)): remote error: tls: handshake failure

Can filebeat verify the certificate that it gets presented from the input?

Filebeat successfully verifies the certificate. Thanks for sticking with me…

Could the client certificate be the source? And how do I verify that?

And is Graylog able to verify the certificate of the beat?

I only get the “Peer did not return certificate” error :frowning:

How can I make sure Graylog is able to verify the beat?
