Encrypt traffic from rsyslog


(alexis) #1

Hello,

I managed to encrypt the data to a Windows client, but I cannot manage it with a Linux server.

In the rsyslog configuration file (/etc/rsyslog.conf), I added these 2 elements:

$DefaultNetstreamDriverCertFile /etc/ssl/certificats/cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certificats/pkcs8-plain.pem

And on my Graylog input, I've put this:

TLS cert file: /etc/graylog/server/certificats/cert.pem
TLS private key file: /etc/graylog/server/certificats/pkcs8-plain.pem
Enable TLS

I cannot receive logs anymore.

Thanks in advance


(Jochen) #2

What’s in the logs of all relevant components?


(alexis) #3

There is authentication information and the health of the server.


(alexis) #4

Do you have an idea for the configuration?


(Jochen) #5

We won’t be able to help you if you don’t provide the requested information.


(alexis) #6

I don’t understand your previous question; for me it’s not clear. I gave you an answer.


(Jochen) #7

Post the complete logs and the complete configuration of the relevant components (i.e. rsyslog and the Graylog input you’re using).


(alexis) #8

I have this on my Graylog server:

2018-06-19T12:12:46.527+02:00 ERROR [NettyTransport] Error in Input [Syslog TCP/5b1fd7b009908a03a9386c0c] (channel [id: 0xa75fe695, /IP_addresse_client:36580 => /graylog_server_IP_address:5514])
org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 3c38353e4a756e2031392031323a31323a3436207372632d63656e746f732d746573742d677261796c6f6720706f6c6b6974645b3632315d3a20556e726567697374657265642041757468656e7469636174696f6e204167656e7420666f7220756e69782d70726f636573733a373436363a3432323931373032202873797374656d20627573206e616d65203a312e333132362c206f626a6563742070617468202f6f72672f667265656465736b746f702f506f6c6963794b6974312f41757468656e7469636174696f6e4167656e742c206c6f63616c652066725f46522e5554462d38292028646973636f6e6e65637465642066726f6d20627573290a
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:857) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[graylog.jar:?]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [graylog.jar:?]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]

In my configuration file on Linux (rsyslog.conf):

$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

$DefaultNetstreamDriverCertFile /etc/ssl/certificats/cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/certificats/pkcs8-plain.pem

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
#*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
kern.* @@ip_address_graylog_server:5514
authpriv.* @@ip_address_graylog_server:5514
local7.* @@ip_address_graylog_server:5514
# ### end of the forwarding rule ###

(Jochen) #9

You’re missing the configuration snippets in /etc/rsyslog.d/*.conf.


(Jochen) #10

You can check with Wireshark or tcpdump whether rsyslog really sends log messages over TCP with TLS to Graylog.
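A diagnostic for the symptom in post #8 and the capture check suggested in post #10, as an added example that is not part of this thread: the hex in Netty's NotSslRecordException is the raw bytes Graylog received, and it decodes to a plaintext syslog message ("<85>Jun 19 12:12:46 src-centos-test-graylog ..."), so the script below classifies such a payload and lists which sending-side TLS directives the posted rsyslog.conf lacks. The directive set and the gtls/ossl driver names are assumptions taken from rsyslog's own TLS tutorial, not from this thread, and the sample inputs are constructed.

```python
import re

# Constructed sample: a plaintext syslog line like the one Graylog hex-dumped.
SAMPLE_SYSLOG = b"<85>Jun 19 12:12:46 src-centos-test-graylog polkitd[621]: sample\n"
# Constructed sample: first bytes of a TLS 1.2 handshake record (ClientHello).
SAMPLE_TLS_HELLO = bytes.fromhex("160303004a01000046")

SYSLOG_PRI = re.compile(rb"^<(\d{1,3})>")  # RFC 3164/5424 PRI header


def classify_payload(data: bytes) -> str:
    """Label the first bytes a TLS input sees: a TLS handshake record,
    a plaintext syslog message (PRI = facility*8 + severity, max 191) or unknown."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-handshake"
    m = SYSLOG_PRI.match(data)
    if m and int(m.group(1)) <= 191:
        return "plaintext-syslog"
    return "unknown"


def classify_netty_hex(hex_payload: str) -> str:
    """Classify the hex string quoted in Netty's 'not an SSL/TLS record' error."""
    return classify_payload(bytes.fromhex(hex_payload.strip()))


# Legacy-format directives the rsyslog TLS tutorial sets on the sending side
# (assumption: gtls driver; newer rsyslog builds also accept ossl).
REQUIRED = {
    "$DefaultNetstreamDriver": ("gtls", "ossl"),
    "$DefaultNetstreamDriverCAFile": None,     # CA that signed the server cert
    "$ActionSendStreamDriverMode": ("1",),     # 1 = require TLS for @@ actions
    "$ActionSendStreamDriverAuthMode": None,   # anon, x509/name or x509/fingerprint
}


def tls_config_problems(rsyslog_conf: str) -> list:
    """Return the required directives that are absent or carry the wrong value."""
    seen = {}
    for raw in rsyslog_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if line.startswith("$"):
            parts = line.split(None, 1)
            seen[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    problems = []
    for directive, allowed in REQUIRED.items():
        if directive not in seen:
            problems.append(f"missing {directive}")
        elif allowed and seen[directive] not in allowed:
            problems.append(f"{directive} is {seen[directive]!r}, expected one of {allowed}")
    return problems
```

Without $DefaultNetstreamDriver gtls and $ActionSendStreamDriverMode 1, the cert and key directives alone do nothing, and the @@ forward stays plain TCP, which is exactly what the capture in post #11 shows.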


(alexis) #11

I checked with Wireshark before, but I see that the frames are unencrypted.

In the configuration file (/etc/rsyslog.d/listen.conf), I have this:

$SystemLogSocketName /run/systemd/journal/syslog

On my client I have this:

1 0.000000000 IP_address_client -> IP_address_graylog_server TCP 74 36592 > 5514 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=427970991 TSecr=0 WS=128
2 0.000383803 IP_address_graylog_server -> IP_address_client TCP 74 5514 > 36592 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=107376632 TSecr=427970991 WS=4
3 0.000422647 IP_address_client -> IP_address_graylog_server TCP 66 36592 > 5514 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=427970991 TSecr=107376632
4 0.000504084 IP_address_client -> IP_address_graylog_server TCP 156 36592 > 5514 [PSH, ACK] Seq=1 Ack=1 Win=29312 Len=90 TSval=427970991 TSecr=107376632
5 0.000670962 IP_address_graylog_server -> IP_address_client TCP 66 5514 > 36592 [ACK] Seq=1 Ack=91 Win=28960 Len=0 TSval=107376632 TSecr=427970991
6 0.007802258 IP_address_graylog_server -> IP_address_client TCP 66 5514 > 36592 [FIN, ACK] Seq=1 Ack=91 Win=28960 Len=0 TSval=107376639 TSecr=427970991
7 0.007855835 IP_address_client -> IP_address_graylog_server TCP 66 36592 > 5514 [ACK] Seq=91 Ack=2 Win=29312 Len=0 TSval=427970999 TSecr=107376639


(Jochen) #12

Check out https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html and https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html for instructions on how to enable TLS in rsyslog.


(alexis) #13

Yes, but it’s just for creating a certificate. The certificate and the keys are already present, because they were created to use Graylog over HTTPS.


(Jochen) #14

No, it’s not. Read the documentation.


(alexis) #15

Yes, I see, but I’ve already done that, and it’s for a client and server that use rsyslog.


(Jochen) #16

At least your rsyslogd has to be configured accordingly. Graylog’s syslog input is just a syslog server…


(alexis) #17

I know, but we don’t have the same options in the server and client parts.


(Jochen) #18

Please elaborate on that.


(alexis) #19

The two documents are for configuring encrypted sending of data between an rsyslog server and client. The different options present in the server configuration files are not present in the Graylog configuration.


(Jochen) #20

While that’s a strange thing to say, you’re of course correct. Graylog is not rsyslog.

This being said, you could start with configuring the rsyslog client correctly. :roll_eyes: