1. Describe your incident:
Hello Community,
I want to send logs from Graylog to Logstash. I’m using the GELF output with TCP+TLS on the Graylog side and Logstash with the gelf input on the client side.
I assume there is a problem with the certificate format, because when I’m using netcat or curl with certificates I can send the logs with TLS, but when using Graylog no communication is established to the client.
Is there any specific certificate form that I should use in order to send logs from Graylog with TCP+TLS?
2. Describe your environment:
OS Information:
PRETTY_NAME="Ubuntu 22.04.1 LTS"
Package Version:
Graylog v4.3.8+8c4705e
Service logs, configurations, and environment variables:
Graylog is running in a Docker environment for testing purposes.
2022-10-28 08:23:26,768 ERROR: org.graylog2.gelfclient.encoder.GelfMessageJsonEncoder - JSON encoding error
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE
3. What steps have you already taken to try and solve the problem?
With nc and curl I can send GELF messages to the receiving Logstash.
4. How can the community help?
Is there any specific format for the certificate that should be used in order to make it work?
Yes, I’m using the same certificate to send logs with cURL, and Graylog has permission to read the files. They are owned by the graylog user and group, and the file permission is 644.
I don’t know if the requesting server is requiring SSLv3, but the verbose output from cURL doesn’t show any SSLv3-related information:
ALPN, offering h2
ALPN, offering http/1.1
TLSv1.0 (OUT), TLS header, Certificate Status (22):
TLSv1.3 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS header, Certificate Status (22):
TLSv1.3 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Request CERT (13):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS header, Certificate Status (22):
TLSv1.2 (OUT), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS header, Certificate Status (22):
Since I have not used GELF output yet, I’m curious if the certs on Graylog are compatible with Logstash?
The reason I ask this is because of this Error.
By chance can you show the full logs when this happened?
I found these posts; they have some examples to test out your certs. They might help troubleshoot this issue.
EDIT: I forgot to mention: check the common SSL ciphers between Graylog and the endpoint. A packet trace would do wonders to find out where it fails.
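One way to check the format of the client certificate and key files before pointing the GELF output at them, added here as an example and not taken from the thread or from Graylog. It assumes the sending side loads its key through Netty's PEM loader, which expects a PKCS#8 key; the function names and the sample PEM data are constructed for illustration.

```python
import base64
import re

# Assumption: the sender loads its key through a Netty/Java PEM loader,
# which expects PKCS#8; the traditional OpenSSL key formats are flagged.
KEY_LABELS = {
    "PRIVATE KEY": ("PKCS#8 unencrypted", True),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8 password-protected", True),
    "RSA PRIVATE KEY": ("PKCS#1 traditional RSA", False),
    "EC PRIVATE KEY": ("SEC1 traditional EC", False),
}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, looks_like_der) for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # Proc-Type/DEK-Info headers or damaged base64
            der = b""
        blocks.append((label, der[:1] == b"\x30"))  # 0x30 = DER SEQUENCE tag
    return blocks

def check_client_material(cert_pem, key_pem):
    """Return a list of problems found in the client cert and key files."""
    problems = []
    certs = [b for b in pem_blocks(cert_pem) if b[0] == "CERTIFICATE"]
    if not certs:
        problems.append("certificate file has no PEM CERTIFICATE block")
    if any(not ok for _, ok in certs):
        problems.append("a CERTIFICATE block is not valid base64 DER")
    keys = [b for b in pem_blocks(key_pem) if b[0] in KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    for label, ok in keys:
        name, pkcs8 = KEY_LABELS[label]
        if not pkcs8:
            problems.append(f"key is {name}; convert with: openssl pkcs8 "
                            "-topk8 -nocrypt -in key.pem -out key.pkcs8.pem")
        elif not ok:
            problems.append(f"{name} key body is not valid base64 DER")
    return problems

def sample(label):
    """Constructed sample PEM around a 5-byte DER stub, not real key material."""
    return f"-----BEGIN {label}-----\nMAMCAQA=\n-----END {label}-----\n"
```

An empty list from `check_client_material` only says the files have the expected encoding; it does not validate the certificate chain or rule out a cipher or protocol mismatch.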