1. Describe your incident:
I have a POC (my local machine) with Graylog in Docker and Filebeat deployed via APT which is working fine, but I need to secure the communication between Graylog and Filebeat because in the PROD env Filebeat is in another network and I need to encrypt logs which will be transferred via the public internet. I've tried doing this using self-signed certificates and have a problem, but if someone can relate a more secure method I will be grateful.
2. Describe your environment:
- OS Information: Graylog stack deployed in Docker. Filebeat deployed via APT, both on Ubuntu Server 22.04 LTS
- Service logs, configurations, and environment variables:
Graylog logs:

```
2024-11-02 00:19:24,480 INFO : org.graylog2.inputs.InputStateListener - Input [Beats/test-filebeat/672367daad475e6e5844140a] is now RUNNING
2024-11-02 00:19:29,638 WARN : org.graylog2.plugin.inputs.transports.AbstractTcpTransport - Client auth configured, but no authorized certificates / certificate authorities configured for input [Beats/test-filebeat/672367daad475e6e5844140a]
2024-11-02 00:19:29,660 ERROR: org.graylog2.plugin.inputs.transports.AbstractTcpTransport - Error in Input [Beats/test-filebeat/672367daad475e6e5844140a] (channel [id: 0xa6915d00, L:/172.18.0.4:5044 ! R:/172.18.0.1:42444]) (cause io.netty.handler.codec.DecoderException: io.netty.handler.ssl.ReferenceCountedOpenSslEngine$OpenSslHandshakeException: error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE)
2024-11-02 00:19:37,695 WARN : org.graylog2.plugin.inputs.transports.AbstractTcpTransport - Client auth configured, but no authorized certificates / certificate authorities configured for input [Beats/test-filebeat/672367daad475e6e5844140a]
```
Filebeat `filebeat test output`:

```
logstash: localhost:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate signed by unknown authority
```
3. What steps have you already taken to try and solve the problem?
Generate the Certificate Authority (CA):

```sh
openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:4096
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt -subj "/CN=Graylog CA"
```

Generate the Server Certificate for Graylog:

```sh
openssl genpkey -algorithm RSA -out graylog-server.key -pkeyopt rsa_keygen_bits:4096
openssl req -new -key graylog-server.key -out graylog-server.csr -subj "/CN=graylog-server"
openssl x509 -req -in graylog-server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out graylog-server.crt -days 3650 -sha256
```

Generate the Client Certificate for Filebeat:

```sh
openssl genpkey -algorithm RSA -out filebeat-client.key -pkeyopt rsa_keygen_bits:4096
openssl req -new -key filebeat-client.key -out filebeat-client.csr -subj "/CN=filebeat-client"
openssl x509 -req -in filebeat-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out filebeat-client.crt -days 3650 -sha256
```
Copy certificates to the directories for Graylog and Filebeat.
Created input using TLS:

```
bind_address: 0.0.0.0
charset_name: UTF-8
no_beats_prefix: false
number_worker_threads: 20
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: /etc/graylog/ssl/graylog-server.crt
tls_client_auth: required
tls_client_auth_cert_file: /etc/graylog/ssl/ca.crt
tls_enable: true
tls_key_file: /etc/graylog/ssl/graylog-server.key
tls_key_password: ********
```
Created Filebeat config for TLS:

```yaml
filebeat:
  # List of inputs.
  inputs:
    [{"type": "log", "paths": ["/var/log/syslog"]}]

### Logstash as output
logstash:
  # The Logstash hosts
  hosts: ["localhost:5044"]
  ssl:
    certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
    certificate: "/etc/filebeat/certs/filebeat-client.crt"
    key: "/etc/filebeat/certs/filebeat-client.key"
    verification_mode: full
```
Output from OpenSSL cert verification:

```
$ openssl verify -CAfile ca.crt /home/user/graylog-filebeat-test/ssl/graylog-server.crt
/home/user/graylog-filebeat-test/ssl/graylog-server.crt: OK
```
4. How can the community help?
If someone can help me to get this setup running, even if I should use anything other than self-signed certificates, because I know that they're not the most suitable for PROD.
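The following is an added example, not code from the poster or from the Graylog or Filebeat projects. It repeats the three-step CA / server / client procedure from the post, but with two things the post's commands omit and that a strict TLS client checks: a `subjectAltName` on the server certificate matching the host Filebeat dials (`verification_mode: full` verifies the hostname, and Go-based clients such as Filebeat do not fall back to the CN), and separate `serverAuth` / `clientAuth` extended key usages so neither certificate can stand in for the other. It then verifies both chains the way the peers will, including the hostname check that a plain `openssl verify -CAfile` skips. The CA name `Graylog Test CA`, the output directory, the hostname you pass in, the 825-day leaf validity and the 2048-bit leaf keys are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build a private CA, a Graylog
# server certificate that carries a subjectAltName, and a Filebeat client
# certificate, then verify both chains the way the TLS peers would.
# CA name, output directory, hostname and validity periods are assumptions.
set -eu

# make_pki <out_dir> <server_dns_name> [client_cn]
# Writes ca.key/ca.crt, graylog-server.key/.crt and filebeat-client.key/.crt
# into <out_dir>. <server_dns_name> must be the exact name Filebeat dials in
# its logstash hosts list, because verification_mode: full checks it.
make_pki() {
  dir=$1
  server_name=$2
  client_cn=${3:-filebeat-client}
  mkdir -p "$dir"
  (
    cd "$dir"

    # 1. CA: private key and self-signed certificate. `req -x509` marks it
    #    CA:TRUE through the default OpenSSL config, as in the original post.
    openssl genpkey -algorithm RSA -out ca.key -pkeyopt rsa_keygen_bits:4096 2>/dev/null
    openssl req -x509 -new -key ca.key -sha256 -days 3650 -out ca.crt \
      -subj "/CN=Graylog Test CA"

    # 2. Server certificate for Graylog. The SAN is what the client matches
    #    against the dialed host; a bare CN is not enough. Extensions are given
    #    at signing time because `x509 -req` does not copy them from the CSR.
    openssl genpkey -algorithm RSA -out graylog-server.key -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -new -key graylog-server.key -out graylog-server.csr -subj "/CN=$server_name"
    cat > server.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$server_name
EOF
    openssl x509 -req -in graylog-server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out graylog-server.crt -days 825 -sha256 -extfile server.ext 2>/dev/null

    # 3. Client certificate for Filebeat, limited to clientAuth so it cannot be
    #    presented as a server certificate.
    openssl genpkey -algorithm RSA -out filebeat-client.key -pkeyopt rsa_keygen_bits:2048 2>/dev/null
    openssl req -new -key filebeat-client.key -out filebeat-client.csr -subj "/CN=$client_cn"
    cat > client.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
EOF
    openssl x509 -req -in filebeat-client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out filebeat-client.crt -days 825 -sha256 -extfile client.ext 2>/dev/null

    # Private keys are secrets; the client key is what authenticates the shipper.
    chmod 600 ca.key graylog-server.key filebeat-client.key
  )
}

# verify_pki <dir> <server_dns_name>
# Succeeds only if the server cert chains to the CA for the sslserver purpose
# AND is valid for the given hostname, and the client cert chains to the CA
# for the sslclient purpose (the check Graylog performs against
# tls_client_auth_cert_file when tls_client_auth is "required").
verify_pki() {
  dir=$1
  server_name=$2
  openssl verify -CAfile "$dir/ca.crt" -purpose sslserver \
    -verify_hostname "$server_name" "$dir/graylog-server.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$dir/ca.crt" -purpose sslclient \
    "$dir/filebeat-client.crt" >/dev/null 2>&1
}

# Usage: sh make-pki.sh <out_dir> <server_dns_name>
if [ "$#" -eq 2 ]; then
  make_pki "$1" "$2"
  verify_pki "$1" "$2" && echo "chain OK for $2"
fi
```

Run it as `sh make-pki.sh ./pki graylog.example.com` (hostname assumed), then point `tls_cert_file` / `tls_key_file` at the server pair, `tls_client_auth_cert_file` at `ca.crt`, and the Filebeat `ssl` block at `ca.crt` plus the client pair, keeping `hosts` equal to the SAN. Two checks worth making against the post's symptoms: `verify_pki` with the name from `hosts` reproduces the hostname check that `openssl verify -CAfile` alone does not, and the Graylog warning "Client auth configured, but no authorized certificates / certificate authorities configured" typically means the file named in `tls_client_auth_cert_file` could not be read inside the container (not mounted into the Docker container, or not readable by the Graylog user), which is worth confirming with `docker exec` before changing anything else.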