Graylog TLS not working

Hello, I’m using Graylog 4.0 with Ubuntu 20.04.2 LTS, Elasticsearch 7.10.2 and MongoDB 4.4.2.
Graylog is working fine with HTTPS and logs coming from other servers.
I tried to implement TLS for the inputs coming from RSYSLOG.
But unfortunately it’s not working. I tried to use the same .pem certificates as I did to get HTTPS working, but it’s not working!
Maybe someone knows how to do it properly with commands?

Thank you very much!

Have you seen Using Syslog with TLS - #3 by aaronsachs?

Yes, I already saw your post on this topic!
Unfortunately I don’t know if I’m making my self-signed certificate badly.
But it’s working for the Graylog web page in HTTPS, so… Or maybe the problem is because I didn’t put:

IP.2=“ip_of_rsyslog_server”

???
I only wrote the IP of the Graylog server.

Hello,

Just chiming in.
By chance, do you see anything in the log files that pertains to this issue?

On the RSYSLOG client, I have this error:

GnuTLS error -48: Key usage violation in certificate has been detected

On another try I had this error too:

gnutls decryption has failed

To be honest, I’m kind of lost with getting TLS working for the log transfer, and it’s the last thing I need to implement!

Your certificate is probably wrongly generated. Which command did you use to create the cert?

Check your key usage section:
echo | openssl s_client -connect graylog_server:input_port 2>/dev/null | openssl x509 -noout -text | grep -i -A1 usage

I used the commands from the Graylog documentation:

$ openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem

$ openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem

I tried your command. This is the output I have:

Your key usage is missing Digital Signature, I think, but maybe I’m wrong.

I don’t know if this is the problem.

How about the content of the file openssl-graylog.cnf?

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the issuer of the certificate

[req_distinguished_name]
C = XXXX
ST = XXX
L = XXXX
O = XXXX
OU = XXXX
CN = graylog-server.home

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with “###” being a consecutive number.

[alt_names]
IP.1 = 192.X.X.X (ip of graylog server)
IP.2 = 192.X.X.X (ip of rsyslog server)
DNS.1 = graylog-server.X
DNS.2 = rsyslog-server.X

The first version of this file didn’t have IP.2 and DNS.2.
I wrote this file yesterday and took the cert.pem and key.pem to the rsyslog client.
The other thing is that I don’t know if my RSYSLOG.CONF file is good. Because in the:

$DefaultNetstreamDriverCAFile /graylog/cert.pem
$DefaultNetstreamDriverCertFile /graylog/cert.pem
$DefaultNetstreamDriverKeyFile /graylog/pkcs8-plain.pem

I took the same cert.pem (generated on the Graylog server) for the CA and the CERTFile, so I don’t know if this is that.

Furthermore, I changed some settings by adding the x509 streamdriver auth and now I have this error (and not the other one that I showed you in the other message):

rsyslogd[3681]: authentication not supported by gtls netstream driver in the configured authentication mode - ignored [v8.1901.0 try You searched for error 2087 - rsyslog ]

Based on error:
https://www.gnutls.org/faq.html#key-usage-violation

“The software I use outputs the following error: ‘Key usage violation in certificate has been detected.’ and the connection is terminated.

Answer: The server you have tried to connect has its certificate marked for encryption-only but the server uses it with a ciphersuite that requires signing (or vice-versa). This is either due to an attack, or due to a serious server misconfiguration. Contact the server administrator.”
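
Added example (not part of the thread or of the Graylog documentation): a small shell check for the condition the GnuTLS FAQ describes, a certificate whose Key Usage allows encryption only while the TLS handshake needs a signature. The function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Input on stdin: `openssl x509 -noout -text` output.

# Print the value line that follows the "X509v3 <name>:" header, trimmed.
x509_ext_value() {
    awk -v name="X509v3 $1:" '
        found { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print; exit }
        index($0, name) { found = 1 }'
}

# Exit status: 0 = certificate may sign the TLS handshake,
#              1 = Key Usage is present but lacks Digital Signature,
#              2 = no certificate text was read (e.g. s_client could not connect).
check_tls_key_usage() {
    text=$(cat)
    case $text in
        *Certificate:*) ;;
        *) echo "no certificate text on stdin"; return 2 ;;
    esac
    ku=$(printf '%s\n' "$text" | x509_ext_value "Key Usage")
    case $ku in
        "") echo "OK: no Key Usage extension, key use is unrestricted"; return 0 ;;
        *"Digital Signature"*) echo "OK: $ku"; return 0 ;;
        *) echo "FAIL: Key Usage '$ku' lacks Digital Signature"; return 1 ;;
    esac
}

# Constructed samples shaped like openssl's text output.
SAMPLE_ENC_ONLY='Certificate:
        X509v3 extensions:
            X509v3 Key Usage:
                Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
SAMPLE_SIGNING='Certificate:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

printf '%s\n' "$SAMPLE_ENC_ONLY" | check_tls_key_usage || echo "exit status $?"
printf '%s\n' "$SAMPLE_SIGNING" | check_tls_key_usage || echo "exit status $?"
# Against a live input (host and port are placeholders, as in the thread):
#   echo | openssl s_client -connect graylog_server:input_port 2>/dev/null |
#       openssl x509 -noout -text | check_tls_key_usage
```

The `keyUsage = keyEncipherment, dataEncipherment` line in the posted openssl-graylog.cnf yields a certificate that this check rejects; the thread does not show the configuration that finally worked.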

It doesn’t really help me, because I don’t have this error since I added:

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer 192.168.X.X
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode anon

I found the solution! It’s working well.
Editing some files in my server with $ActionSendStream…
Changing the key on graylog-server made it work!

All is OK now! Thank you very much, guys, for your help.

Hi @Veak,
please post the functional configuration, so it can help other people here. Thanks.
