Hello,
I’m trying to encrypt the connection between my sidecars and graylog-server but it doesn’t work.
What I’ve done:
configured https for graylog
configured: http_enable_tls = true, http_tls_key_file and http_tls_key_password on server.conf
configured the input with Enable TLS ticked and TLS cert file, TLS private key and TLS key password pointing to the certificate on my graylog server (the same I put for https)
in the sidecar.yml I put the https url of my graylog-server and tls_skip_verify: true (I’m using a self-signed certificate)
in the sidecar configuration and collector I put hosts: ["https://myserveraddress:5044"] where 5044 is the input port.
What am I missing here?
Do I need to put on my sidecar configuration output.logstash.ssl.certificate_authorities, output.logstash.ssl.certificate and output.logstash.ssl.key?
EDIT: Your GL Sidecar is just a wrapper for ALL your collectors. GL sidecar uses a token to connect to the Graylog server and receives orders on how to configure your Collectors or which ones to enable. All your data/logs should be encrypted on your Collector (filebeat, winlogbeat, etc…). That, as you know, is done on the Web UI
without specifying the certificate and it seems to be working.
If I specify the certificate, is the path to them the one on the graylog server, or do I need to copy all certificates to every client where I want to use sidecar?
I had to copy my certs to the other clients. I used another application to copy over the certs, which made it easy for me to do over 100+ clients. Especially when the certificates expire. Ansible works great if you're familiar with it. For our Windows OS I just copied the certs to the desktop from Graylog using FileZilla, then I did a ctrl+c and ctrl+v; that worked pretty quickly, but I still had to log into each VM.
I don’t think it’s a great solution to copy the certificate to all the clients where sidecar is installed. And also you’re gonna have a private key on hundreds of computers, and that is a big security issue!
When sending a message between two parties you have two problems that you need to address.
Encrypt it – This makes the content unreadable, so that to anyone viewing the message it is just gibberish.
Sign it – This allows the recipient to be confident that it was you who sent the message, and that the message hasn’t been changed.
Both processes require the use of keys. Almost all encryption methods in use today employ public and private keys.
The problem with this type of key arrangement is that if you lose the key, anyone who finds it can unlock it and will have complete access.
So wherever you store your keys, it must be in a secure place. This would depend on how you set up your environment for security (GPOs, Authentication, Firewall, SELinux/AppArmor, etc…).
I’ve been looking into a way in which this can be done without transferring these certs to a remote destination, but I have other things I need to do first.
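As an added example (not posted by anyone in this thread and not Graylog's own documentation), here is what the `output.logstash` section of a Filebeat collector configuration looks like in the weak and the hardened form, to address the question of which `ssl.*` keys are needed and what has to be copied to the clients. The `ssl.verification_mode`, `ssl.certificate_authorities`, `ssl.certificate` and `ssl.key` keys are real Filebeat settings; the host name, port and file paths are placeholders. Note that Filebeat's Logstash output takes `host:port` entries without an `https://` scheme.

```yaml
# Added example, not from the original thread. Host, port and paths are placeholders.

# Weak form: the channel is encrypted, but the client accepts ANY certificate,
# so a host that intercepts the connection and presents its own certificate is
# never detected. This is the same effect as tls_skip_verify: true in sidecar.yml.
output.logstash:
  hosts: ["myserveraddress:5044"]
  ssl.verification_mode: none

# Hardened form: the client verifies the Beats input's certificate against the
# issuing CA. Only the CA's PUBLIC certificate is distributed to the clients;
# the input's private key (the one configured on the Graylog server) never
# leaves the server, so nothing secret is copied to hundreds of machines.
output.logstash:
  hosts: ["myserveraddress:5044"]
  ssl.certificate_authorities: ["/etc/graylog/sidecar/ca.crt"]

# Optional mutual TLS: if the Beats input is set to require client
# authentication ("TLS client authentication" = required, with the CA in
# "TLS Client Auth Trusted Certs"), each client presents its OWN key pair,
# issued per client by that CA. The server's key is still never copied.
output.logstash:
  hosts: ["myserveraddress:5044"]
  ssl.certificate_authorities: ["/etc/graylog/sidecar/ca.crt"]
  ssl.certificate: "/etc/graylog/sidecar/this-client.crt"
  ssl.key: "/etc/graylog/sidecar/this-client.key"
```

To check from a client that the input's certificate chains to the CA you shipped, run `openssl s_client -connect myserveraddress:5044 -CAfile /etc/graylog/sidecar/ca.crt` and look for `Verify return code: 0 (ok)`; a self-signed server certificate can be used as its own `ca.crt` here, since what the client needs is only the public certificate, not the key.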