Graylog TLS Input setup questions


1. Describe your incident:
We have Graylog set up internally with our firewall correctly sending logs.
I am now attempting to set up a TLS input for an external FW. I have set up the Java store and imported the CA chain.
I have converted the cert and the key to the appropriate formats (I believe).
However, I receive errors when I enable TLS.

2. Describe your environment:

  • OS Information:
    Debian 10
  • Package Version:
    graylog-server 5.2.4-1
  • Service logs, configurations, and environment variables:
    If my input is set like this:
allow_override_date: true
bind_address: 192.168.20.243
charset_name: UTF-8
expand_structured_data: false
force_rdns: false
max_message_size: <empty>
number_worker_threads: 2
override_source: <empty>
port: 1514
recv_buffer_size: 262144
store_full_message: false
tcp_keepalive: false
timezone: NotSet
tls_cert_file: /etc/graylog/server/trusted_clients/syslog.pem
tls_client_auth: disabled
tls_client_auth_cert_file: /etc/graylog/server/trusted_clients
tls_enable: true
tls_key_file: /etc/graylog/server/trusted_clients/syslog.key.pem
tls_key_password: ********
use_null_delimiter: false

I receive this error:

2024-02-21T11:27:32.867Z ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/External-FW-input/65d3358d3bc9927f36fbefbc] (channel [id: 0xb98f398a, L:/192.168.20.243:1514 ! R:/192.168.102.74:16194]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem)

But I can see connection attempts:

Throughput / Metrics
1 minute average rate: 0 msg/s
Network IO: 0B 0B (total: 34.3KiB 854.0B )
Active connections: 0 (122 total)
Empty messages discarded: 0

If I have my config set like this:

allow_override_date: true
bind_address: 192.168.20.243
charset_name: UTF-8
expand_structured_data: false
force_rdns: false
max_message_size: <empty>
number_worker_threads: 2
override_source: <empty>
port: 1514
recv_buffer_size: 262144
store_full_message: false
tcp_keepalive: false
timezone: NotSet
tls_cert_file: /etc/graylog/server/trusted_clients/syslog.pem
tls_client_auth: optional
tls_client_auth_cert_file: /etc/graylog/server/trusted_clients
tls_enable: true
tls_key_file: /etc/graylog/server/trusted_clients/syslog.key.pem
tls_key_password: ********
use_null_delimiter: false

I receive this error:

2024-02-21T11:35:59.825Z WARN  [ChannelInitializer] Failed to initialize a channel. Closing: [id: 0x8e7c0798, L:/192.168.20.243:1514 - R:/192.168.102.74:16311]
java.security.cert.CertificateException: java.io.IOException: Header and footer do not match: -----BEGIN CERTIFICATE----- -----END CERTIFICATE----------BEGIN CERTIFICATE-----
        at sun.security.provider.X509Factory.engineGenerateCertificates(Unknown Source) ~[?:?]
        at java.security.cert.CertificateFactory.generateCertificates(Unknown Source) ~[?:?]
        at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:108) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadX509Certificates(KeyUtil.java:91) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.createSslEngine(AbstractTcpTransport.java:349) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:338) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.AbstractTcpTransport$3.call(AbstractTcpTransport.java:334) ~[graylog.jar:?]
        at org.graylog2.plugin.inputs.transports.NettyTransport$1.initChannel(NettyTransport.java:105) ~[graylog.jar:?]
        at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129) [graylog.jar:?]
        at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112) [graylog.jar:?]
        at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:1114) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1463) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1115) [graylog.jar:?]
        at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:650) [graylog.jar:?]
        at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:514) [graylog.jar:?]
        at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:429) [graylog.jar:?]
        at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:486) [graylog.jar:?]
        at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173) [graylog.jar:?]
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166) [graylog.jar:?]
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470) [graylog.jar:?]
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:416) [graylog.jar:?]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [graylog.jar:?]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.io.IOException: Header and footer do not match: -----BEGIN CERTIFICATE----- -----END CERTIFICATE----------BEGIN CERTIFICATE-----
        at sun.security.provider.X509Factory.checkHeaderFooter(Unknown Source) ~[?:?]
        at sun.security.provider.X509Factory.readOneBlock(Unknown Source) ~[?:?]
        at sun.security.provider.X509Factory.parseX509orPKCS7Cert(Unknown Source) ~[?:?]
        ... 30 more

3. What steps have you already taken to try and solve the problem?
Followed any guides I could find and attempted to search for the error messages, but have had no luck.

4. How can the community help?

Any guidance or direction on how I can fix this.
Is this an issue with my FW that is sending the logs,
or is this an issue with my Graylog TLS setup?

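The exception at the bottom of the second stack trace is the message Java's X509Factory produces when the PEM footer line it reads does not match the header it opened with. The footer it quotes, `-----END CERTIFICATE----------BEGIN CERTIFICATE-----`, is what two certificates look like when they are concatenated without a line break between them, and the trace shows Graylog hitting it in `KeyUtil.loadX509Certificates` while building the SSL engine for client authentication, which is why it appears only with `tls_client_auth` set to `optional`. The following Python is an added example, not code from the post or from Graylog: it emulates that framing check on a constructed bundle carrying the same defect, reports the offending line, and inserts the missing line break. The certificate bodies in the sample are placeholders, not real certificates.

```python
import re
from typing import List

# Constructed sample bundle (not taken from the original post): two PEM
# certificates whose END footer and the next BEGIN header were joined on one
# line. The base64 bodies are placeholders, not real certificates.
BROKEN_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderLeafCertificateBodyAAAA\n"
    "-----END CERTIFICATE----------BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderIntermediateCertBodyBBBB\n"
    "-----END CERTIFICATE-----\n"
)

BEGIN = "-----BEGIN "
END = "-----END "


def check_like_java(text: str) -> int:
    """Emulate the framing check Java's X509Factory applies when a PEM file is
    loaded: every -----BEGIN line must be closed by an -----END line carrying
    the identical type label. Returns the number of blocks, or raises
    ValueError with the same wording Graylog logged."""
    blocks = 0
    header = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(BEGIN):
            header = line
        elif line.startswith(END) and header is not None:
            head_type = header[len(BEGIN):].rstrip("-").strip()
            foot_type = line[len(END):].rstrip("-").strip()
            if head_type != foot_type:
                raise ValueError(f"Header and footer do not match: {header} {line}")
            blocks += 1
            header = None
    return blocks


def java_check_error(text: str) -> str:
    """Return the X509Factory-style error message, or '' if the file parses."""
    try:
        check_like_java(text)
        return ""
    except ValueError as exc:
        return str(exc)


def find_pem_defects(text: str) -> List[str]:
    """Report lines where two PEM delimiters run together, plus any BEGIN/END
    imbalance, so the offending file and line can be located before the input
    is restarted."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        # A well-formed header or footer line contains exactly two "-----".
        if line.count("-----") > 2:
            problems.append(f"line {lineno}: delimiters run together: {line.strip()!r}")
    if text.count("-----BEGIN ") != text.count("-----END "):
        problems.append("unbalanced BEGIN/END markers")
    return problems


def repair_pem(text: str) -> str:
    """Insert the missing line break wherever an END footer is immediately
    followed by more text, and make sure the file ends with a newline."""
    fixed = re.sub(r"(-----END [A-Z0-9 ]+-----)(?=\S)", r"\1\n", text)
    return fixed if fixed.endswith("\n") else fixed + "\n"


def split_pem_blocks(text: str) -> List[str]:
    """Return each PEM block whose footer sits alone on its line; a joined
    footer/header line is swallowed into one oversized block, as a strict
    reader would see it."""
    pattern = re.compile(
        r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----(?=\r?\n|$)", re.S
    )
    return [m.group(0) for m in pattern.finditer(text)]


if __name__ == "__main__":
    print("defects:", find_pem_defects(BROKEN_BUNDLE))
    print("java-style check:", java_check_error(BROKEN_BUNDLE))
    fixed = repair_pem(BROKEN_BUNDLE)
    print("blocks after repair:", check_like_java(fixed), len(split_pem_blocks(fixed)))
```

To apply this to a real deployment, read each file under the directory given as `tls_client_auth_cert_file` (and the `tls_cert_file` itself) into `check_like_java`; a file that passes there is one Java will accept. Once the framing is right, `openssl crl2pkcs7 -nocrl -certfile FILE | openssl pkcs7 -print_certs -noout` lists every certificate in a bundle, whereas plain `openssl x509 -in FILE -noout -subject` only reads the first block and will not reveal a defect further down.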
