nki
September 23, 2019, 11:49am
1
Hey there,
I am new to the topic and have some trouble understanding the necessary steps to get a Graylog Sidecar running with Beats over TLS. I got everything running without TLS. Could someone please elaborate what I have to do? I am using the docker compose file.
I am happy to share what I got so far:
created CA with ShadowCA
imported CA to jdk keystore with custom docker image
created client certificate and configured filebeat
The path of the keystore (usr/local/openjdk-8/lib/security/cacerts) differs from the one in the documentation. I guess it was written for a non-Docker install…
Can anyone further elaborate the TLS Input Options in the Beats Input configuration?
Much thanks in advance!
nki
September 27, 2019, 11:57am
2
The default file locations documentation is missing a Docker section.
Where can I find the JVM settings for Graylog in the Docker container?
I imported my CA into the default keystore /usr/local/openjdk-8/lib/security/cacerts but this did not seem to work. I get a TLSV1_ALERT_UNKNOWN_CA error.
EDIT:
found it under /etc/profile.d/graylog.sh
Setting named GRAYLOG_SERVER_JAVA_OPTS not GRAYLOG_JAVA_OPTS
nki
September 30, 2019, 3:56am
3
TLS is working fine but when I turn on client auth I get a “PEER_DID_NOT_RETURN_A_CERTIFICATE” error, even though I configured everything properly. Might there be a problem with my certificates? I created them using shadowCA.
jan
(Jan Doberstein)
September 30, 2019, 5:47am
4
What is your configuration?
nki
October 3, 2019, 1:45am
5
Hey there! Sorry for my late reply:
Beats:
bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 8
override_source:
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: /etc/graylog.crt
tls_client_auth: required
tls_client_auth_cert_file: /etc/graylog-trusted/
tls_enable: true
tls_key_file: /etc/graylog.key
tls_key_password: ********
Sidecar:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
filebeat.inputs:
- input_type: log
  paths:
    - /var/log/apache2/*.log
  type: log
output.logstash:
  hosts: ["xyz:5044"]
  ssl:
    certificate_authorities: ["/etc/ca.pem"]
    certificate: "/etc/client.crt"
    key: "/etc/client.key"
    verification_mode: "none"
path:
  data: /var/lib/graylog-sidecar/collectors/filebeat/data
  logs: /var/lib/graylog-sidecar/collectors/filebeat/log
jan
(Jan Doberstein)
October 4, 2019, 5:07am
6
What version of Graylog did you use?
nki
October 12, 2019, 3:35am
8
FROM graylog/graylog:3.1
# become root
USER 0
###### import shadowCA
# copy shadowCA files
COPY cert/CA/shadowCA.der /etc/shadowCA.der
COPY cert/CA/shadowCA.pem /etc/shadowCA.pem
# add the CA certificate to truststore
RUN cp /etc/shadowCA.pem /usr/local/share/ca-certificates/shadowCA.pem && update-ca-certificates
# test & import the .der file
RUN keytool -v -printcert -file /etc/shadowCA.der
RUN keytool -importcert -alias shadowCA -keystore /usr/local/openjdk-8/lib/security/cacerts -storepass changeit -file /etc/shadowCA.der -noprompt
RUN sed -i "s/export GRAYLOG_SERVER_JAVA_OPTS='-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow'/export GRAYLOG_SERVER_JAVA_OPTS='-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -XX:NewRatio=1 -XX:MaxMetaspaceSize=256m -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=\/usr\/local\/openjdk-8\/lib\/security\/cacerts'/" "/etc/profile.d/graylog.sh"
###### import keys & certs
# create dir for trusted clients
RUN mkdir /etc/graylog-trusted/
# copy graylog cert files
COPY cert/graylog.xyz.tl/graylog.xyz.tl.crt /etc/graylog.crt
COPY cert/graylog.xyz.tl/graylog.xyz.tl.key /etc/graylog.key
# copy trusted clients
COPY cert/test1/test1.crt /etc/graylog-trusted/test1.crt
# make graylog user owner of certs & keys
RUN chown graylog:graylog /etc/graylog.crt
RUN chown graylog:graylog /etc/graylog.key
RUN chown -R graylog:graylog /etc/graylog-trusted/
#RUN keytool -keystore /usr/local/openjdk-8/lib/security/cacerts -storepass changeit -list
USER graylog
nki
October 20, 2019, 12:13am
9
I followed these instructions now and still get a “peer did not return certificate” error. Anybody?
How to configure SSL for FileBeat and Logstash step by step (Create CA, CSRs, Certificates, etc) - Busindre/How-to-configure-SSL-for-FileBeat-and-Logstash-step-by-step
Filebeat says:
Failed to connect to backoff(async(tcp://xyz.tld:5044)): remote error: tls: handshake failure
jan
(Jan Doberstein)
October 21, 2019, 5:45am
10
Can filebeat verify the certificate that it gets presented from the input?
nki
October 21, 2019, 11:24pm
11
Filebeat successfully verifies the certificate. Thanks for sticking with me…
Could the client certificate be the source? And how do I verify that?
jan
(Jan Doberstein)
October 22, 2019, 6:49am
12
And is Graylog able to verify the certificate of the beat?
nki
October 22, 2019, 10:12am
13
I only get the “Peer did not return certificate” error.
How can I make sure Graylog is able to verify the beat?
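As an added example (not from the thread, and not Graylog or Filebeat code), here is a shell script that stands up a throwaway CA and client certificates with openssl and then checks a beat's certificate the way the Graylog side has to be able to: it must chain to the trusted CA and carry the clientAuth extended key usage. It assumes the openssl CLI is installed; the CA name, certificate names and temp directory are all constructed.

```shell
#!/bin/sh
# Added example: build a test CA and leaf certs, then verify a client cert the
# way a strict mutual-TLS server (e.g. a JVM trust manager) does:
# 1) chain of trust to the CA, 2) extendedKeyUsage includes clientAuth.
# Assumes the openssl CLI; every name and path below is constructed.
WORK=$(mktemp -d)

# Constructed test CA (stand-in for the thread's shadowCA).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=example-test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# Issue a leaf cert signed by the test CA. $1 = name, $2 = extendedKeyUsage value.
make_leaf() {
  name=$1; eku=$2
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$eku" >"$WORK/$name.ext"
  openssl x509 -req -sha256 -days 1 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# The check: $1 = CA bundle the input trusts, $2 = the beat's certificate.
# Returns 0 only if the chain verifies AND the cert carries clientAuth.
check_client_cert() {
  ca=$1; crt=$2
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo "$crt: does not chain to $ca"; return 1
  fi
  if ! openssl x509 -in "$crt" -noout -text \
      | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication'; then
    echo "$crt: missing clientAuth extended key usage"; return 1
  fi
  echo "$crt: ok"
}

# Demo: one proper beat cert and one cert issued for serverAuth only.
make_ca
make_leaf beat clientAuth
make_leaf web serverAuth
check_client_cert "$WORK/ca.pem" "$WORK/beat.crt"          # passes
check_client_cert "$WORK/ca.pem" "$WORK/web.crt" || true   # fails on the EKU check
```

One cause of "peer did not return a certificate" paired with a client-side handshake failure that is worth ruling out: a Go TLS client such as Filebeat only offers a client certificate whose issuer appears among the trusted subjects the server advertises in its CertificateRequest, so the directory behind tls_client_auth_cert_file needs the issuing CA certificate, not only the leaf certificate. Note also that verification_mode: "none" on the Filebeat side disables checking of the Graylog server certificate, so it is worth re-enabling once the exchange works.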
system
(system)
Closed
November 5, 2019, 10:12am
14
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.