Graylog Output with TCP+TLS

1. Describe your incident:
Hello Community,

I want to send logs from Graylog to Logstash. I'm using the GELF output with TCP+TLS on the Graylog side and Logstash with the GELF input on the client side.
I assume there is a problem with the certificate format, because when I'm using netcat or curl with the certificates I can send the logs with TLS, but when using Graylog no communication is established to the client.
Is there any specific certificate format that I should use in order to send logs from Graylog with TCP+TLS?

2. Describe your environment:

  • OS Information:
    PRETTY_NAME="Ubuntu 22.04.1 LTS"
  • Package Version:
    Graylog v4.3.8+8c4705e
  • Service logs, configurations, and environment variables:
    Graylog is running in a Docker environment for testing purposes
    2022-10-28 08:23:26,768 ERROR: org.graylog2.gelfclient.encoder.GelfMessageJsonEncoder - JSON encoding error
    io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE

3. What steps have you already taken to try and solve the problem?
With nc and curl I can send GELF messages to the receiving Logstash.

4. How can the community help?
Is there any specific format for the certificate that should be used in order to make it work?

Hello @nagyobbaron

Need to ask a couple questions.

When you executed nc & cURL, did you use the certificates from the Graylog output? If so, ensure Graylog can access those certificates.

Does the requesting server require the SSLv3 protocol?

Yes, I'm using the same certificate to send logs with cURL, and Graylog has permission to read the files. They are owned by the graylog user and group, and the file permissions are 644.
I don't know if the requesting server requires SSLv3, but the verbose output from cURL doesn't show any SSLv3-related information:

  • ALPN, offering h2
  • ALPN, offering http/1.1
  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.3 (IN), TLS handshake, Server hello (2):
  • TLSv1.2 (IN), TLS handshake, Certificate (11):
  • TLSv1.2 (IN), TLS handshake, Request CERT (13):
  • TLSv1.2 (IN), TLS handshake, Server finished (14):
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Certificate (11):
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, CERT verify (15):
  • TLSv1.2 (OUT), TLS header, Finished (20):
  • TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
  • TLSv1.2 (OUT), TLS header, Certificate Status (22):
  • TLSv1.2 (OUT), TLS handshake, Finished (20):
  • TLSv1.2 (IN), TLS header, Finished (20):
  • TLSv1.2 (IN), TLS header, Certificate Status (22):
  • TLSv1.2 (IN), TLS handshake, Finished (20):
  • SSL connection using TLSv1.2 / AES256-SHA
  • ALPN, server did not agree to a protocol

Hello,

A couple more questions.

For the certificates being used, what documentation did you follow?

Was the curl command executed against Logstash?
Example:

curl -v --cacert /etc/graylog-certs/gelf_output.crt https://logstash.com:5044

Since I have not used the GELF output yet, I'm curious whether the certs on Graylog are compatible with Logstash.

The reason I ask this is because of this error.

By chance can you show the full logs when this happened?
I found these posts; they have some examples to test out your certs. They might help troubleshoot this issue.


EDIT: I forgot to mention: check for common SSL ciphers between Graylog and the endpoint; a packet trace would do wonders to find out where it fails.
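The reply above suggests checking which ciphers Graylog and the endpoint share and tracing where the handshake stops. The curl trace earlier in the thread shows the Logstash side requesting a client certificate (Request CERT (13)) and the session settling on TLSv1.2 / AES256-SHA, so the two things worth checking first are whether the endpoint rejects a connection that presents no client certificate at all, and whether it accepts the cipher suites the other side offers. The script below is an added example, not code from this thread or from Graylog or Logstash: it runs both checks against a throwaway local `openssl s_server` so it works offline. The CA, certificates, port number and cipher allow-list are all constructed here for the demonstration; `-Verify` on the server stands in for a Logstash input that requires a verified client certificate (an assumption about the poster's setup, not something the thread confirms).

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the two checks the last
# reply suggests (client-certificate requirement and cipher overlap) against
# a local openssl s_server. Needs only the openssl CLI and a POSIX sh.
# The PKI, port and cipher lists below are constructed for the demo.

# make_pki DIR: throwaway CA, server cert and client cert, valid for 1 day.
make_pki() {
  pki_dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=probe-ca" -days 1 \
    -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.crt" >/dev/null 2>&1
  for who in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$who" \
      -keyout "$pki_dir/$who.key" -out "$pki_dir/$who.csr" >/dev/null 2>&1
    openssl x509 -req -in "$pki_dir/$who.csr" -CA "$pki_dir/ca.crt" \
      -CAkey "$pki_dir/ca.key" -CAcreateserial -days 1 \
      -out "$pki_dir/$who.crt" >/dev/null 2>&1
  done
}

# probe DIR PORT [s_client options]: returns 0 only if the TLS 1.2 handshake
# completed. The -www server answers "HTTP/1.0 200" solely after a full
# handshake, so the status line is a reliable success marker; -ign_eof keeps
# s_client reading until the server closes the connection.
probe() {
  probe_dir=$1; probe_port=$2; shift 2
  printf 'GET / HTTP/1.0\r\n\r\n' |
    openssl s_client -connect "127.0.0.1:$probe_port" -tls1_2 -ign_eof \
      -CAfile "$probe_dir/ca.crt" "$@" 2>/dev/null |
    grep -q '^HTTP/1.0 200'
}

# run_probes PORT: start a server that requires a client certificate and
# allows only two suites, run four probes, print one summary line.
run_probes() {
  port=$1
  dir=$(mktemp -d)
  make_pki "$dir"
  # -Verify: require and verify a client certificate (stands in for a
  # Logstash input that demands one). -cipher: the server's TLS 1.2 allow-list,
  # which includes AES256-SHA, the suite curl negotiated in the thread.
  openssl s_server -accept "$port" -www -Verify 2 \
    -cert "$dir/server.crt" -key "$dir/server.key" -CAfile "$dir/ca.crt" \
    -cipher 'ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA' >/dev/null 2>&1 &
  srv=$!
  with_cert="-cert $dir/client.crt -key $dir/client.key"
  # Wait for the listener (at most ~5 s) using the expected-good probe.
  tries=0
  until probe "$dir" "$port" $with_cert || [ "$tries" -ge 5 ]; do
    tries=$((tries + 1)); sleep 1
  done
  summary=""
  for tc in \
      "client-cert|$with_cert" \
      "no-client-cert|" \
      "AES256-SHA|$with_cert -cipher AES256-SHA" \
      "DHE-RSA-AES128-SHA|$with_cert -cipher DHE-RSA-AES128-SHA"; do
    name=${tc%%|*}; opts=${tc#*|}
    if probe "$dir" "$port" $opts; then r=ok; else r=FAIL; fi
    summary="${summary:+$summary }$name=$r"
  done
  kill "$srv" 2>/dev/null || true
  rm -rf "$dir"
  echo "$summary"
}

run_probes 44331
```

Expected summary: the probe with the client certificate succeeds, the probe without one fails even though the certificate material is otherwise fine, AES256-SHA succeeds because the server allows it, and DHE-RSA-AES128-SHA fails because the two sides share no suite. The last two cases are the symptom to look for when a Java client such as Graylog's GELF output and an OpenSSL-based client like curl behave differently against the same endpoint: the same `openssl s_client` invocation, pointed at the real Logstash host with the Graylog output's certificate, key and CA file, and run once per candidate `-cipher`, shows which step of the handshake the endpoint rejects.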