Encrypt traffic from rsyslog

ale1 · June 19, 2018, 7:50am

Hello,

I managed to encrypt the data to a Windows client, but I can not manage with a Linux server.

In configuration file of rsyslog (/etc/rsyslog.conf), I add this 2 elements :

$DefaultNetstreamDriverCertFile /etc/ssl/certificats/cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certificats/pkcs8-plain.pem

And on my graylog input, I’ve put this :

TLS cert file : /etc/graylog/server/certificats/cert.pem
TLS private key file :  /etc/graylog/server/certificats/pkcs8-plain.pem
Enable TLS

I can not receive logs anymore

Thanks in advance

jochen · June 19, 2018, 9:03am

What’s in the logs of all relevant components?

ale1 · June 19, 2018, 9:12am

There is authentication information, health of the server.

ale1 · June 19, 2018, 9:28am

Do you have an idea for the configuration ?

jochen · June 19, 2018, 9:36am

We won’t be able to help you if you don’t provide the requested information.

ale1 · June 19, 2018, 9:45am

I don’t understand your old question for me it’s not clear. I give you an answer

jochen · June 19, 2018, 9:50am

Post the complete logs and the complete configuration of the relevant components (i. e. rsyslog and the Graylog input you’re using).

ale1 · June 19, 2018, 10:15am

I’ve this on my graylog server :

2018-06-19T12:12:46.527+02:00 ERROR [NettyTransport] Error in Input [Syslog TCP/5b1fd7b009908a03a9386c0c] (channel [id: 0xa75fe695, /IP_addresse_client:36580 => /graylog_server_IP_address:5514])
org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 3c38353e4a756e2031392031323a31323a3436207372632d63656e746f732d746573742d677261796c6f6720706f6c6b6974645b3632315d3a20556e726567697374657265642041757468656e7469636174696f6e204167656e7420666f7220756e69782d70726f636573733a373436363a3432323931373032202873797374656d20627573206e616d65203a312e333132362c206f626a6563742070617468202f6f72672f667265656465736b746f702f506f6c6963794b6974312f41757468656e7469636174696f6e4167656e742c206c6f63616c652066725f46522e5554462d38292028646973636f6e6e65637465642066726f6d20627573290a
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:857) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[graylog.jar:?]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [graylog.jar:?]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]

On my configuration file in linux (rsyslog.conf) :

$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

$DefaultNetstreamDriverCertFile /etc/ssl/certificats/cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certificats/pkcs8-plain.pem

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
kern.* @@ip_address_graylog_server:5514
authpriv.* @@ip_address_graylog_server:5514
local7.* @@ip_address_graylog_server:5514
# ### end of the forwarding rule ###

jochen · June 19, 2018, 11:02am

You’re missing the configuration snippets in /etc/rsyslog.d/*.conf.

jochen · June 19, 2018, 11:03am

ale1:

2018-06-19T12:12:46.527+02:00 ERROR [NettyTransport] Error in Input [Syslog TCP/5b1fd7b009908a03a9386c0c] (channel [id: 0xa75fe695, /IP_addresse_client:36580 =&gt; /graylog_server_IP_address:5514])
org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:

You can check with Wireshark or tcpdump whether rsyslog really sends log messages over TCP with TLS to Graylog.

ale1 · June 19, 2018, 11:36am

before I check with wireshark, but I see that the frames are unencrypted.

In the configuration file (/etc/rsyslog.d/listen.conf). I have that :

$SystemLogSocketName /run/systemd/journal/syslog

on my client I have this :

1 0.000000000 IP_address_client → IP_address_graylog_server TCP 74 36592 > 5514 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=427970991 TSecr=0 WS=128
2 0.000383803 IP_address_graylog_server → IP_address_client TCP 74 5514 > 36592 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=107376632 TSecr=427970991 WS=4
3 0.000422647 IP_address_client → IP_address_graylog_server TCP 66 36592 > 5514 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=427970991 TSecr=107376632
4 0.000504084 IP_address_client → IP_address_graylog_server TCP 156 36592 > 5514 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=90 TSval=427970991 TSecr=107376632
5 0.000670962 IP_address_graylog_server → IP_address_client TCP 66 5514 > 36592 [ACK] Seq=1 Ack=91 Win=28960 Len=0 TSval=107376632 TSecr=427970991
6 0.007802258 IP_address_graylog_server → IP_address_client TCP 66 5514 > 36592 [FIN, ACK] Seq=1 Ack=91 Win=28960 Len=0 TSval=107376639 TSecr=427970991
7 0.007855835 IP_address_client → IP_address_graylog_server TCP 66 36592 > 5514 [ACK] Seq=91 Ack=2 Win=29312 Len=0 TSval=427970999 TSecr=107376639

jochen · June 19, 2018, 12:56pm

Check out https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html and https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html for instructions how to enable TLS in rsyslog.

ale1 · June 19, 2018, 1:28pm

yes but it’s just for create a certificat. The certificat and the keys are already presents, because they are create for use graylog in https

jochen · June 19, 2018, 1:33pm

No, it’s not. Read the documentation.

ale1 · June 19, 2018, 1:44pm

yes i see but I’ve already do that, and it’s for a client and server use rsyslog

jochen · June 19, 2018, 1:46pm

At least your rsyslogd has to be configured accordingly. Graylog’s syslog input is just a syslog server…

ale1 · June 19, 2018, 1:47pm

I know but we don’t have the same options in server and client part

jochen · June 19, 2018, 2:17pm

Please elaborate on that.

ale1 · June 19, 2018, 2:31pm

The two documents, it’s for configure an encrypted send of data beetween a rsyslog server and client. The differents options present in the server configuration files are not present in the graylog configuration.

jochen · June 19, 2018, 2:33pm

While that’s a strange thing to say, you’re of course correct. Graylog is not rsyslog.

This being said, you could start with configuring the rsyslog client correctly.

Topic		Replies	Views
Config for NXLOG and INPUT on SSL/TLS Graylog Central (peer support) sidecar , nxlog , nodatanx	18	5116	June 25, 2018
Rsyslog Linux encrypted Graylog Central (peer support)	9	3358	July 25, 2018
RSyslog over TLS Graylog Central (peer support)	6	11847	March 13, 2018
RSYSLOG - TLS encryption between Graylog sever - Client Graylog Central (peer support)	3	442	October 14, 2022
How to configure an syslog TLS input in Graylog2 Graylog Central (peer support)	1	3556	December 14, 2017

Encrypt traffic from rsyslog

Related topics