Encrypt traffic from rsyslog


(alexis) #21

yes I do that
but it doesn’t work


(Jochen) #22

This indicates that your rsyslog client is not configured to use TCP+TLS for sending log messages to Graylog:


(alexis) #23

Yes, that’s from before, when I succeeded in sending data without TLS encryption.

Now I can’t receive any log with the TLS configuration

It says this for the client configuration:

The client setup is equally simple. You need less certificates, just the CA cert.

But we don’t have a CA cert on the server because we use the JVM Store.


(Jochen) #24

The JVM certificate and trust stores are where the certificates, CA certificates, and private keys are stored.


(alexis) #27

What is the default CA when you follow your tutorial with the JVM store ?

Because I tried to find the self-signed certificate with this command:

keytool -list -v -keystore /etc/graylog/server/certificats/cacerts.jks

In the HTTPS tutorial, it says to add a self-signed certificate, but there is no CA part at any point:

$ keytool -importcert -keystore /path/to/cacerts.jks -storepass changeit -alias graylog-self-signed -file cert.pem


(alexis) #28

Do you have an idea?


(Jochen) #29

This is a community forum. If you want fixed SLA for your questions and support requests, you’ll have to buy professional support: https://www.graylog.org/pricing


(alexis) #30

If you have to buy support every time you ask a question about your documentation because it’s not clear, we will never get anywhere.


(Beth) #31

This is what worked for me.

I added this to a file in /etc/rsyslog.d

#First, setup disk assisted queues

$WorkDirectory /var/spool/rsyslog # where to place spool files
$ActionQueueFileName fwdRule1 # unique name prefix for spool files
$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
$ActionQueueType LinkedList # run asynchronously
$ActionResumeRetryCount -1 # infinite retries if host is down

#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/ssl/yourcert.pem
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.your.domain.com

*.* @@10.20.x.x:12255;RSYSLOG_SyslogProtocol23Format

We also have our own certificate authority, so I had to import the root cert into both the Java keystore and the server keystore.

apt-get install java-common
apt-get install openjdk-8-jdk-headless

  1. Make sure the public certificate is in pem format and Linux file (no Windows characters)
  2. The default trust store of an installed Java runtime environment can be found at $JAVA_HOME/jre/lib/security/cacerts or /etc/ssl/certs/java/cacerts (due to all the symbolic links).

Import:
keytool -importcert -keystore /etc/ssl/certs/java/cacerts -storepass changeit -alias YourCA -file cert.pem

View:
keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep your.domain.com

For my server root certificate store I followed the process in:

https://manpages.debian.org/jessie/ca-certificates/update-ca-certificates.8.en.html

Good luck!
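
The post above gives the client-side rsyslog directives and the "PEM in Linux format" rule but no way to check a snippet before restarting rsyslog. The following is an added example (my code, not Beth's and not part of rsyslog or Graylog): a small linter that parses the legacy `$Directive value` lines, confirms the settings a TLS-only client needs (gtls driver, mode 1, x509/name authentication, a CA file and a permitted peer), checks that the forwarding rule uses TCP (`@@`) rather than UDP (`@`), and flags a CA PEM that still carries Windows line endings. The sample configuration and PEM bytes are constructed for the demo; the host and domain values are placeholders.

```python
"""Lint an rsyslog client forwarding snippet for TLS-only settings.

Added example, not code from the forum thread, rsyslog or Graylog.
SAMPLE_CONF and the PEM bytes used in the checks are constructed.
"""
import re

# Constructed sample: the legacy-directive snippet from the post above,
# with placeholder CA path, peer pattern and target host.
SAMPLE_CONF = """\
#RsyslogGnuTLS
$DefaultNetstreamDriverCAFile /etc/ssl/yourcert.pem
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.your.domain.com

*.* @@10.20.x.x:12255;RSYSLOG_SyslogProtocol23Format
"""

# Directive -> expected value (None = must be present, any value accepted).
REQUIRED = {
    "$DefaultNetstreamDriverCAFile": None,
    "$ActionSendStreamDriver": "gtls",
    "$ActionSendStreamDriverMode": "1",          # 1 = TLS required, 0 = plain
    "$ActionSendStreamDriverAuthMode": "x509/name",
    "$ActionSendStreamDriverPermittedPeer": None,
}

# A forwarding rule: selector, then '@' (UDP) or '@@' (TCP), then target.
FORWARD_RULE = re.compile(r"^(\S+)\s+(@@?)(\S+)$")


def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_directives(text: str) -> dict:
    """Return {directive: value} for every '$Name value' line."""
    out = {}
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if line.startswith("$"):
            name, _, value = line.partition(" ")
            out[name] = value.strip()
    return out


def find_forward_actions(text: str) -> list:
    """Return (selector, transport, target) tuples for forwarding rules."""
    actions = []
    for raw in text.splitlines():
        match = FORWARD_RULE.match(_strip_comment(raw))
        if match:
            actions.append(match.groups())
    return actions


def lint_tls_client(text: str) -> list:
    """Return a list of problems; an empty list means the snippet is TLS-ready."""
    problems = []
    directives = parse_directives(text)
    for name, expected in REQUIRED.items():
        value = directives.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif expected is not None and value != expected:
            problems.append(f"{name} is {value!r}, expected {expected!r}")

    actions = find_forward_actions(text)
    if not actions:
        problems.append("no forwarding rule (e.g. '*.* @@host:port') found")
    for selector, transport, target in actions:
        if transport != "@@":
            problems.append(
                f"rule '{selector} {transport}{target}' uses UDP; "
                "TLS needs TCP ('@@')"
            )
    return problems


def pem_has_windows_line_endings(data: bytes) -> bool:
    """Step 1 of the post: the PEM must be a Linux file (no CR characters)."""
    return b"\r" in data


if __name__ == "__main__":
    for problem in lint_tls_client(SAMPLE_CONF) or ["OK: snippet is TLS-ready"]:
        print(problem)
```

Run it against your own snippet by reading the file from /etc/rsyslog.d into `lint_tls_client`; a single `@` in the forwarding rule or a mode of 0 is exactly the kind of setting that makes the client silently fall back to cleartext, which is what the linter is there to catch.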


(alexis) #32

Thanks a lot for the information.

I finally managed to encrypt the data using the nxlog solution.


(alexis) #33

Hello,

I have some questions about your solution. Have you installed the java-common package on the client?

Because I have only installed it on the Graylog server.

Thanks

Have a good day


(Beth) #34

Hi,

I don’t think Java is needed on any syslog client. The one other thing I did not mention in my solution above is that SELinux may need configuration if you have it on.

Good luck.


(alexis) #35

OK, thanks. I tried to use your configuration on a CentOS server, but it doesn’t work.

What is the name of your file in /etc/rsyslog.d? Because you don’t use the /etc/rsyslog.conf file?

Thanks in advance


(alexis) #36

Do you use the same certificate as for HTTPS?


(system) closed #37

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.