Graylog TLS INPUT with Nxlog Windows

jose-m · May 26, 2017, 5:30pm

Hi All,

Here my conf:

OS : CentOS 7
Graylog : 2.3.0
Elasticsearch 2.4.5
MonoDB : 2.6.12
Https enables using : http://docs.graylog.org/en/2.2/pages/configuration/https.html

Graylog works perfectly, whene i try to send Events Log witch Nxlog .But not with TLS enabled , I got this error message :

Here my INPUT :

bind_address:0.0.0.0
decompress_size_limit:8388608
max_message_size:2097152
override_source:<empty>
port:12201
recv_buffer_size:1048576
tcp_keepalive:false
tls_cert_file:/etc/pki/tls/certs/nxlog.crt
tls_client_auth:required
tls_client_auth_cert_file:/etc/pki/tls/certs/nxlog-ca.crt
tls_enable:true
tls_key_file:/etc/pki/tls/private/nxlog.key
tls_key_password:********
use_null_delimiter:true

I used this post to create the TLS certificate :

nxlog.conf :

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_gelf

Module im_msvistalog Exec if ($TargetUserName == 'SYSTEM') OR ($EventType == 'VERBOSE') drop();

Module om_ssl Host graylog.labs Port 12201 CAFile c:\nxlog-ca.crt OutputType GELF_TCP

<Route 1>
Path in => out

Any idea ?

Thanks for you help.

jtkarvo · May 27, 2017, 6:05am

hi,

the error message tells that the issuer DN is empty in your certificate. To verify, try

openssl x509 -in /etc/pki/tls/certs/nxlog.crt -noout -issuer
openssl x509 -in /etc/pki/tls/certs/nxlog-ca.crt -noout -issuer

jan · May 28, 2017, 10:24am

additional you should check if the port for the input is not used by any other input!

and you are using alpha version that might contain bugs …

jose-m · May 29, 2017, 10:47am

[root@graylog ~]# openssl x509 -in /etc/pki/tls/certs/nxlog.crt -noout -issuer
issuer=
[root@graylog ~]# openssl x509 -in /etc/pki/tls/certs/nxlog-ca.crt -noout -issuer
issuer=
[root@graylog ~]#

How can i fix it ?

Thanks.

jose-m · May 29, 2017, 10:52am

I’m using Graylog 2.3.0-alpha.2+f24e575

jtkarvo · May 29, 2017, 11:01am

hi,

if you bought the certificates from somewhere, you can demand that they send you proper certificates.

If you made the certificates yourself, you can remake them and set the issuer to something you want, like “Jose-M-CA”

jose-m · May 29, 2017, 12:16pm

Thanks for your answer. I re-made the certificates :

[root@graylog tls]# openssl x509 -in /etc/pki/tls/certs/nxlog.crt -noout -issuer
issuer= /CN=graylog.labs
[root@graylog tls]# openssl x509 -in /etc/pki/tls/certs/nxlog-ca.crt -noout -issuer
issuer= /CN=graylog.labs

Now i have some traffic
But whene i click on “Show received messages” no message dipalyed.

I got an other error in the log of graylog :

2017-05-29T14:03:04.237+02:00 ERROR [NettyTransport] Error in Input [GELF TCP/5928220ee019260424db3ca0] (channel [id: 0x9114b5bc, /192.168.12.111:63310 :> /192.168.12.51:12201])
java.lang.IllegalStateException: GELF message is too short. Not even the type header would fit.
at org.graylog2.inputs.codecs.gelf.GELFMessage.getGELFType(GELFMessage.java:46) ~[graylog.jar:?]

Aby idea ?

jose-m · May 30, 2017, 11:11am

Hi all,

Finaly i resolved the problem. I used Graylog Certificate (http://docs.graylog.org/en/2.2/pages/configuration/https.html) in INPUT conf and nxlog.conf (CertFile not CAFILE)

Here an example of my nxlog.conf :

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_gelf

Module im_msvistalog

Module om_ssl Host graylog.labs Port 12201 #CAFile %CERTDIR%\graylog-certificate.pem **CertFile** %CERTDIR%\graylog-certificate.pem OutputType GELF_TCP AllowUntrusted TRUE

<Route 1>
Path in => out

My INPUT conf :

Thanks All for your help.

system · June 13, 2017, 11:11am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.