Graylog TLS INPUT with Nxlog Windows

(jose) #1

Hi All,

Here my conf:

Graylog works perfectly, whene i try to send Events Log witch Nxlog .But not with TLS enabled , I got this error message :

image.png1195x400 257 KB

Here my INPUT :

bind_address:0.0.0.0
decompress_size_limit:8388608
max_message_size:2097152
override_source:<empty>
port:12201
recv_buffer_size:1048576
tcp_keepalive:false
tls_cert_file:/etc/pki/tls/certs/nxlog.crt
tls_client_auth:required
tls_client_auth_cert_file:/etc/pki/tls/certs/nxlog-ca.crt
tls_enable:true
tls_key_file:/etc/pki/tls/private/nxlog.key
tls_key_password:********
use_null_delimiter:true

I used this post to create the TLS certificate :
https://stackoverflow.com/questions/26789903/using-nxlog-to-ship-logs-in-to-logstash-from-windows-using-om-ssl

nxlog.conf :

define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_gelf
Module im_msvistalog Exec if ($TargetUserName == 'SYSTEM') OR ($EventType == 'VERBOSE') drop();
Module om_ssl Host graylog.labs Port 12201 CAFile c:\nxlog-ca.crt OutputType GELF_TCP

<Route 1>
Path in => out

Any idea ?

Thanks for you help.

Graylog TLS INPUT with Nxlog for Windows
#2

hi,

the error message tells that the issuer DN is empty in your certificate. To verify, try

openssl x509 -in /etc/pki/tls/certs/nxlog.crt -noout -issuer
openssl x509 -in /etc/pki/tls/certs/nxlog-ca.crt -noout -issuer

(Jan Doberstein) #3

additional you should check if the port for the input is not used by any other input!

and you are using alpha version that might contain bugs …

(jose) #4

[root@graylog ~]# openssl x509 -in /etc/pki/tls/certs/nxlog.crt -noout -issuer
issuer=
[root@graylog ~]# openssl x509 -in /etc/pki/tls/certs/nxlog-ca.crt -noout -issuer
issuer=
[root@graylog ~]#

How can i fix it ?

Thanks.

(jose) #5

I’m using Graylog 2.3.0-alpha.2+f24e575

#6

hi,

if you bought the certificates from somewhere, you can demand that they send you proper certificates.

If you made the certificates yourself, you can remake them and set the issuer to something you want, like “Jose-M-CA”

(jose) #7

Thanks for your answer. I re-made the certificates :

[root@graylog tls]# openssl x509 -in /etc/pki/tls/certs/nxlog.crt -noout -issuer
issuer= /CN=graylog.labs
[root@graylog tls]# openssl x509 -in /etc/pki/tls/certs/nxlog-ca.crt -noout -issuer
issuer= /CN=graylog.labs

Now i have some traffic :slight_smile:
But whene i click on “Show received messages” no message dipalyed.

I got an other error in the log of graylog :

2017-05-29T14:03:04.237+02:00 ERROR [NettyTransport] Error in Input [GELF TCP/5928220ee019260424db3ca0] (channel [id: 0x9114b5bc, /192.168.12.111:63310 :> /192.168.12.51:12201])
java.lang.IllegalStateException: GELF message is too short. Not even the type header would fit.
at org.graylog2.inputs.codecs.gelf.GELFMessage.getGELFType(GELFMessage.java:46) ~[graylog.jar:?]

Aby idea ? :wink:

(jose) #8

Hi all,

Finaly i resolved the problem. I used Graylog Certificate (http://docs.graylog.org/en/2.2/pages/configuration/https.html) in INPUT conf and nxlog.conf (CertFile not CAFILE)

Here an example of my nxlog.conf :

define ROOT C:\Program Files (x86)\nxlog
define CERTDIR %ROOT%\cert

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_gelf
Module im_msvistalog
Module om_ssl Host graylog.labs Port 12201 #CAFile %CERTDIR%\graylog-certificate.pem **CertFile** %CERTDIR%\graylog-certificate.pem OutputType GELF_TCP AllowUntrusted TRUE

<Route 1>
Path in => out

My INPUT conf :

Thanks All for your help.

(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.