Hi @jan
Thanks for your response.
Okay, I will share all the necessary information and configuration files with you. Please find them below:
I created the keys for Graylog using this script, and my hostname is “graylogssl”:
root@graylogssl:~/bartwickelmaschine/create_self_signed_ssl_certs# hostname
graylogssl
root@graylogssl:~/bartwickelmaschine/create_self_signed_ssl_certs# bash create_ssl_certs.sh -h graylogssl
This script will generate a SSL certificate with the following settings:
CN Hostname = graylogssl
subjectAltName = DNS:graylogssl,IP:127.0.0.1
the following files are written to the current directory:
- graylogssl.pkcs5-plain.key.pem
- graylogssl.pkcs8-plain.key.pem
- graylogssl.pkcs8-encrypted.key.pem
with the password: secret
Graylog server.conf
############################
# GRAYLOG CONFIGURATION FILE
############################
#
# This is the Graylog configuration file. The file has to use ISO 8859-1/Latin-1 character encoding.
# Characters that cannot be directly represented in this encoding can be written using Unicode escapes
# as defined in https://docs.oracle.com/javase/specs/jls/se8/html/jls-3.html#jls-3.3, using the \u prefix.
# For example, \u002c.
#
# * Entries are generally expected to be a single line of the form, one of the following:
#
# propertyName=propertyValue
# propertyName:propertyValue
#
# * White space that appears between the property name and property value is ignored,
# so the following are equivalent:
#
# name=Stephen
# name = Stephen
#
# * White space at the beginning of the line is also ignored.
#
# * Lines that start with the comment characters ! or # are ignored. Blank lines are also ignored.
#
# * The property value is generally terminated by the end of the line. White space following the
# property value is not ignored, and is treated as part of the property value.
#
# * A property value can span several lines if each line is terminated by a backslash (‘\’) character.
# For example:
#
# targetCities=\
# Detroit,\
# Chicago,\
# Los Angeles
#
# This is equivalent to targetCities=Detroit,Chicago,Los Angeles (white space at the beginning of lines is ignored).
#
# * The characters newline, carriage return, and tab can be inserted with characters \n, \r, and \t, respectively.
#
# * The backslash character must be escaped as a double backslash. For example:
#
# path=c:\\docs\\doc1
#
# If you are running more than one instance of Graylog server you have to select one of these
# instances as master. The master will perform some periodical tasks that non-masters won't perform.
is_master = true
# The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
node_id_file = /etc/graylog/server/node-id
# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
password_secret = yE3tQ931kKvFrLq2gdDbknUoAVIUqntipX2nMbybgftFZqP7fvmfONZ1Ea9woCNl0I4746p8trVBv0x5Csg9ZM1ZKacKrESr
# The default root user is named 'admin'
#root_username = admin
# You MUST specify a hash password for the root user (which you only need to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
root_password_sha2 = e3c652f0ba0b4801205814f8b6bc49672c4c74e25b497770bb89b22cdeb4e951
# The email address of the root user.
# Default is empty
#root_email = ""
# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
# Default is UTC
#root_timezone = UTC
# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog-server/plugin
# REST API listen URI. Must be reachable by other Graylog server nodes if you run a cluster.
# When using Graylog Collectors, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
rest_listen_uri = http://graylogssl:9000/api/
# REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
# is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
# If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
# this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
# You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
# the scheme, host name or URI.
# This must not contain a wildcard address (0.0.0.0).
#rest_transport_uri = https://graylogssl:9000/api/
rest_transport_uri = https://104.154.130.117:9000/api/
# Enable CORS headers for REST API. This is necessary for JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve resources from the server.
# This is enabled by default. Uncomment the next line to disable it.
#rest_enable_cors = false
# Enable GZIP support for REST API. This compresses API responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
#rest_enable_gzip = false
# Enable HTTPS support for the REST API. This secures the communication with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
# next line to enable it.
rest_enable_tls = true
# The X.509 certificate chain file in PEM format to use for securing the REST API.
rest_tls_cert_file = /home/graylogssl/bartwickelmaschine/create_self_signed_ssl_certs/graylog-certificate.pem
#rest_tls_cert_file = /etc/graylog/server/graylog-certificate.pem
# The PKCS#8 private key file in PEM format to use for securing the REST API.
rest_tls_key_file = /home/graylogssl/bartwickelmaschine/create_self_signed_ssl_certs/graylog-key.pem
#rest_tls_key_file = /etc/graylog/server/graylog-key.pem
# The password to unlock the private key used for securing the REST API.
rest_tls_key_password = secret
# The maximum size of the HTTP request headers in bytes.
#rest_max_header_size = 8192
# The maximal length of the initial HTTP/1.1 line in bytes.
#rest_max_initial_line_length = 4096
# The size of the thread pool used exclusively for serving the REST API.
#rest_thread_pool_size = 16
# Comma separated list of trusted proxies that are allowed to set the client address with X-Forwarded-For
# header. May be subnets, or hosts.
#trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
# Enable the embedded Graylog web interface.
# Default: true
#web_enable = false
# Web interface listen URI.
# Configuring a path for the URI here effectively prefixes all URIs in the web interface. This is a replacement
# for the application.context configuration parameter in pre-2.0 versions of the Graylog web interface.
web_listen_uri = http://graylogssl:9000/
# Web interface endpoint URI. This setting can be overridden on a per-request basis with the X-Graylog-Server-URL header.
# Default: $rest_transport_uri
#web_endpoint_uri =
# Enable CORS headers for the web interface. This is necessary for JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve resources from the server.
#web_enable_cors = false
# Enable/disable GZIP support for the web interface. This compresses HTTP responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
#web_enable_gzip = false
# Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
# using TLS to prevent request forgery and eavesdropping.
# This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
web_enable_tls = true
# The X.509 certificate chain file in PEM format to use for securing the web interface.
web_tls_cert_file = /home/graylogssl/bartwickelmaschine/create_self_signed_ssl_certs/graylog-certificate.pem
# The PKCS#8 private key file in PEM format to use for securing the web interface.
web_tls_key_file = /home/graylogssl/bartwickelmaschine/create_self_signed_ssl_certs/graylog-key.pem
# The password to unlock the private key used for securing the web interface.
web_tls_key_password = secret
# The maximum size of the HTTP request headers in bytes.
#web_max_header_size = 8192
# The maximal length of the initial HTTP/1.1 line in bytes.
#web_max_initial_line_length = 4096
# The size of the thread pool used exclusively for serving the web interface.
#web_thread_pool_size = 16
# List of Elasticsearch hosts Graylog should connect to.
# Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes.
# If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that
# requires authentication.
#
# Default: http://127.0.0.1:9200
elasticsearch_hosts = http://graylogssl:9200
#,http://user:password@node2:19200
# Maximum amount of time to wait for a successful connection to the Elasticsearch HTTP port.
#
# Default: 10 Seconds
#elasticsearch_connect_timeout = 10s
# Maximum amount of time to wait for reading back a response from an Elasticsearch server.
#
# Default: 60 seconds
#elasticsearch_socket_timeout = 60s
# Maximum idle time for an Elasticsearch connection. If this is exceeded, the connection will
# be torn down.
#
# Default: inf
#elasticsearch_idle_timeout = -1s
# Graylog will use multiple indices to store documents in. You can configure the strategy it uses to determine
# when to rotate the currently active write index.
# It supports multiple rotation strategies:
# - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure
# - "size" per index, use elasticsearch_max_size_per_index below to configure
# valid values are "count", "size" and "time", default is "count"
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
rotation_strategy = count
# (Approximate) maximum number of documents in an Elasticsearch index before a new index
# is being created, also see no_retention and elasticsearch_max_number_of_indices.
# Configure this if you used 'rotation_strategy = count' above.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
elasticsearch_max_docs_per_index = 20000000
# (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see
# no_retention and elasticsearch_max_number_of_indices. Default is 1GB.
# Configure this if you used 'rotation_strategy = size' above.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
#elasticsearch_max_size_per_index = 1073741824
# Disable checking the version of Elasticsearch for being compatible with this Graylog release.
# WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss!
#elasticsearch_disable_version_check = true
# Disable message retention on this node, i. e. disable Elasticsearch index rotation.
#no_retention = false
# How many indices do you want to keep?
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
elasticsearch_max_number_of_indices = 20
# Decide what happens with the oldest indices when the maximum number of indices is reached.
# The following strategies are available:
# - delete # Deletes the index completely (Default)
# - close # Closes the index and hides it from the system. Can be re-opened later.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
retention_strategy = delete
# How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices.
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
elasticsearch_shards = 4
elasticsearch_replicas = 0
# Prefix for all Elasticsearch indices and index aliases managed by Graylog.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
elasticsearch_index_prefix = graylog
# Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping.
# Default: graylog-internal
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
#elasticsearch_template_name = graylog-internal
# Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
# be enabled with care. See also: http://docs.graylog.org/en/2.1/pages/queries.html
allow_leading_wildcard_searches = false
# Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
# should only be enabled after making sure your Elasticsearch cluster has enough memory.
allow_highlighting = false
# Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
# All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
# Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html
# Note that this setting only takes effect on newly created indices.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
elasticsearch_analyzer = standard
# Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two
# batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages
# for this time period is less than output_batch_size * outputbuffer_processors.
output_flush_interval = 1
# As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and
# over again. To prevent this, the following configuration options define after how many faults an output will
# not be tried again for an also configurable amount of seconds.
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
# The number of parallel running processors.
# Raise this number if your buffers are filling up.
processbuffer_processors = 5
outputbuffer_processors = 3
# Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
# Possible types:
# - yielding
# Compromise between performance and CPU usage.
# - sleeping
# Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
# - blocking
# High throughput, low latency, higher CPU usage.
# - busy_spinning
# Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
processor_wait_strategy = blocking
# Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
# For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
# Must be a power of 2. (512, 1024, 2048, ...)
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
# Enable the disk based message journal.
message_journal_enabled = true
# MongoDB connection string
# See https://docs.mongodb.com/manual/reference/connection-string/ for details
mongodb_uri = mongodb://localhost/graylog
# Authenticate against the MongoDB server
#mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog
# Use a replica set instead of a single host
#mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog
# Increase this value according to the maximum connections your MongoDB server can handle from a single client
# if you encounter MongoDB connection problems.
mongodb_max_connections = 1000
# Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
# If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
# then 500 threads can block. More than that and an exception will be thrown.
# http://api.mongodb.com/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
mongodb_threads_allowed_to_block_multiplier = 5
# The directory which contains content packs which should be loaded on the first start of Graylog.
content_packs_dir = /usr/share/graylog-server/contentpacks
# A comma-separated list of content packs (files in "content_packs_dir") which should be applied on
# the first start of Graylog.
# Default: empty
content_packs_auto_load = grok-patterns.json
# For some cluster-related REST requests, the node must query all other nodes in the cluster. This is the maximum number
# of threads available for this. Increase it, if '/cluster/*' requests take long to complete.
# Should be rest_thread_pool_size * average_cluster_size if you have a high number of concurrent users.
proxied_requests_thread_pool_size = 32
I have added the self-signed certificate to the JVM trust store; the commands are below:
root@graylogssl:~/bartwickelmaschine/create_self_signed_ssl_certs# keytool -import -trustcacerts -file /home/graylogssl/bartwickelmaschine/create_self_signed_ssl_certs/graylog-certificate.pem -alias graylogssl -keystore /home/graylogssl/bartwickelmaschine/create_self_signed_ssl_certs/cacerts.jks
Enter keystore password:
Owner: CN=graylogssl, OU=graylogssl, O=graylogssl, L=mumbai, ST=maharastra, C=IN
Issuer: CN=graylogssl, OU=graylogssl, O=graylogssl, L=mumbai, ST=maharastra, C=IN
Serial number: 60fc6153
Valid from: Tue Nov 07 08:05:02 UTC 2017 until: Wed Nov 07 08:05:02 UTC 2018
Certificate fingerprints:
MD5: 92:5D:70:08:77:80:0D:F8:3C:18:86:A5:56:53:65:76
SHA1: 12:C1:38:BB:3D:35:72:96:18:A9:EE:E0:BA:6C:D0:65:01:AD:5F:1E
SHA256: 59:15:39:EC:72:AB:EC:B5:E9:FB:0F:85:D4:12:22:0D:62:3E:9B:AB:F4:DA:0B:8E:AD:02:A3:E4:04:6E:31:EB
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 81 AB E2 5A F1 B7 98 8F D2 E0 49 13 7C 77 C8 CA ...Z......I..w..
0010: 77 E0 07 95 w...
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
root@graylogssl:~/bartwickelmaschine/create_self_signed_ssl_certs#
root@graylogssl:~/bartwickelmaschine/create_self_signed_ssl_certs# keytool -keystore /home/graylogssl/bartwickelmaschine/create_self_signed_ssl_certs/cacerts.jks -storepass changeit -list | grep graylogssl -A1
graylogssl, Nov 7, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 12:C1:38:BB:3D:35:72:96:18:A9:EE:E0:BA:6C:D0:65:01:AD:5F:1E
I have added the new JVM trust store to GRAYLOG_SERVER_JAVA_OPTS in /etc/default/graylog-server:
# Default Java options for heap and garbage collection.
# Also points the JVM at a custom trust store (the cacerts.jks into which the
# self-signed graylog-certificate.pem was imported with keytool) so that the
# server's own outbound HTTPS calls to its REST API can validate that cert.
# NOTE(review): -Djavax.net.ssl.trustStorePassword puts the store password on
# the JVM command line, where it is visible in process listings; if the store
# only holds a public certificate this is low-impact, but treat it as a
# password that is not secret.
# NOTE(review): the store lives under /home/graylogssl/...; confirm the user
# the graylog-server service runs as can read that path.
# NOTE(review): the SSLPeerUnverifiedException in the log is a hostname
# verification failure (rest_transport_uri uses the raw IP, while the
# presented certificate reports no subjectAltNames), not a trust failure —
# adding the cert to this trust store does not address that mismatch.
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/home/graylogssl/bartwickelmaschine/create_self_signed_ssl_certs/cacerts.jks -Djavax.net.ssl.trustStorePassword=changeit"
Then I restarted the Graylog service and was able to log in with this URL:
https://104.154.130.117:9000/gettingstarted
Below is the error I am getting in the logs:
2017-11-07T08:33:59.867Z INFO [JerseyService] Started REST API at <https://graylogssl:9000/api/>
2017-11-07T08:33:59.867Z INFO [JerseyService] Started Web Interface at <https://graylogssl:9000/>
2017-11-07T08:33:59.872Z INFO [ServerBootstrap] Services started, startup times in ms: {OutputSetupService [RUNNING]=23, KafkaJournal [RUNNING]=24, BufferSynchronizerService [RUNNING]=36, JournalReader [RUNNING]=49, ConfigurationEtagService [RUNNING]=91, StreamCacheService [RUNNING]=91, LookupTableService [RUNNING]=92, InputSetupService [RUNNING]=97, PeriodicalsService [RUNNING]=347, JerseyService [RUNNING]=21246}
2017-11-07T08:33:59.877Z INFO [ServiceManagerListener] Services are healthy
2017-11-07T08:33:59.883Z INFO [ServerBootstrap] Graylog server up and running.
2017-11-07T08:33:59.883Z INFO [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2017-11-07T08:35:53.637Z WARN [ProxiedResource] Unable to call https://104.154.130.117:9000/api/system/metrics/multiple on node <12bd94c6-bd85-4640-a0ea-22d439d08c7b>
javax.net.ssl.SSLPeerUnverifiedException: Hostname 104.154.130.117 not verified:
certificate: sha256/DlYoisBaPAFbS9cN4DWUttDOpDdKj0rsAqwThgnLqnU=
DN: CN=graylogssl, OU=graylogssl, O=graylogssl, L=mumbai, ST=maharastra, C=IN
subjectAltNames: []
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:290) ~[graylog.jar:?]
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[graylog.jar:?][graylog.jar:?]
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92) ~[graylog.jar:?]
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67) ~[graylog.jar:?]
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:185) ~[graylog.jar:?]
at okhttp3.RealCall.execute(RealCall.java:69) ~[graylog.jar:?]
at retrofit2.OkHttpCall.execute(OkHttpCall.java:180) ~[graylog.jar:?]
at org.graylog2.shared.rest.resources.ProxiedResource.lambda$getForAllNodes$0(ProxiedResource.java:76) ~[graylog.jar:?]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_151]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_151]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_151]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_151]