How to communicate graylog and rsyslog over TLS

Hello. Newbie here. I have been looking for information about how to communicate the rsyslog client and graylog over TLS, but no matter what I do or what I read, I can’t.
It is very frustrating :sleepy:
My problem is that I cannot get logs from my remote app to log to a Graylog input using TLS. The remote server was logging correctly to the configured input before I attempted to enable TLS with self-signed certs.
First, in another server I created some self-signed certs following these steps:

openssl genrsa -out CA.key 2048
openssl req -x509 -new -nodes -key CA.key -sha256 -days 3650 -out rootCA.crt
openssl genrsa -out graylog-server.key 2048
openssl req -new -key graylog-server.key -out graylog-server.csr
openssl x509 -req -in graylog-server.csr -CA rootCA.crt -CAkey CA.key -CAcreateserial -out graylog-server.crt -days 3640 -sha256

After that I do the same for every server (graylog and client) with the following steps:

openssl genrsa -out myIpAddress.key 2048
openssl req -new -key myIpAddress.key -out myIpAddress.csr

Where I put the IP as Common Name in the last line.

Then, I do the following:

openssl x509 -req -in myIpAddress.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out myIpAddress.crt -days 500 -sha256

So, after finishing I got these files:
rsyslog-server.crt rsyslog-server.csr rsyslog-server.key
graylog-server.crt graylog-server.csr graylog-server.key
rootCA.crt rootCA.key

I configured rsyslog.conf in the following way:

$DefaultNetstreamDriver gtls

$DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/rootCA.crt
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/rsyslog-server.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/rsyslog-server.key
$ActionSendStreamDriverAuthMode anon
$ActionSendStreamDriverMode 1
# run driver in TLS-only mode

*.* @@graylogIPaddress:5140;RSYSLOG_SyslogProtocol23Format

In graylog I configured server.conf file:

# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
http_tls_cert_file = /etc/ssl/graylog/graylog-server.csr # I tried with rootCA.crt file too

# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
http_tls_key_file = /etc/ssl/graylog/graylog-server.key

# The password to unlock the private key used for securing the HTTP interface.
http_tls_key_password = pass of certificate

and enabled all TLS options.

I have created a cacert.jks file like the documentation says.

In /etc/default/graylog-server I added it to the GRAYLOG_SERVER_JAVA_OPTS line.

My cert folder has these files:
cacerts.jks graylog-server.crt graylog-server.csr graylog-server.key rooCA.crt

And my input:
* allow_override_date: true
* bind_address:
* expand_structured_data: false
* force_rdns: false
* max_message_size: 2097152
* number_worker_threads: 2
* port: 5140
* tcp_keepalive: false
* tls_cert_file: /etc/ssl/graylog/rootCA.crt
* tls_client_auth: optional
* tls_client_auth_cert_file: /etc/ssl/graylog/
* tls_enable: true
* tls_key_file: /etc/ssl/graylog/graylog-server.key
* tls_key_password: ********
* use_null_delimiter: false

Can anyone tell me what exactly I should do with these files?

I’ve already read these articles with no luck:
Secured Graylog and Beats input — Graylog 3.0.2 documentation

I also reviewed these links to enable TLS on rsyslog for the client. I did not apply the server config to the rsyslog config file because I did not expect it was needed (please correct me if I am wrong):

Any help or suggestions are appreciated. Thanks.
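Before wiring files into rsyslog.conf or the Graylog input, it is worth confirming that each file is what its name claims: that tls_cert_file points at a certificate and not the .csr (as the server.conf line above does), that the certificate chains to rootCA.crt, and that the key belongs to it. The script below is an added example, not from this thread or from Graylog; it builds a throw-away CA and server cert in a temp directory the same way the post does (file names follow the post, rootCA.key is used consistently, and 192.0.2.10 is a placeholder IP) and then runs those three checks.

```shell
#!/bin/sh
# Added example: sanity-check a CA / cert / key trio before handing it to rsyslog or Graylog.
WORK=$(mktemp -d)
cd "$WORK" || exit 1

# Constructed test PKI, mirroring the commands in the post (not production material).
make_test_pki() {
    openssl genrsa -out rootCA.key 2048 >/dev/null 2>&1 || return 1
    openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 \
        -subj "/CN=Test Root CA" -out rootCA.crt >/dev/null 2>&1 || return 1
    openssl genrsa -out graylog-server.key 2048 >/dev/null 2>&1 || return 1
    # CN is the placeholder IP, as the post does for its servers.
    openssl req -new -key graylog-server.key -subj "/CN=192.0.2.10" \
        -out graylog-server.csr >/dev/null 2>&1 || return 1
    openssl x509 -req -in graylog-server.csr -CA rootCA.crt -CAkey rootCA.key \
        -CAcreateserial -days 500 -sha256 -out graylog-server.crt >/dev/null 2>&1
}

# check_tls_pair CA CERT KEY
# Returns 0 only when CERT is a real X.509 certificate, chains to CA, and KEY is its private key.
check_tls_pair() {
    ca=$1; cert=$2; key=$3
    # A .csr in tls_cert_file parses as a request, not a certificate, so TLS never comes up.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "$cert is not an X.509 certificate (is it the CSR?)" >&2; return 1
    fi
    # The certificate must verify against the CA that rsyslog is told to trust.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "$cert does not verify against $ca" >&2; return 1
    fi
    # The private key must carry the same public key as the certificate.
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $cert" >&2; return 1
    fi
    echo "$cert / $key OK, chains to $ca"
}

make_test_pki && check_tls_pair rootCA.crt graylog-server.crt graylog-server.key
```

Run the same function against your real files (CA, cert, key) on both the Graylog host and the rsyslog client; the first failing check tells you which file to fix.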

Hi there and welcome! I think the self-signed certs get folks tripped up. TLS (and for that matter, PKI) isn’t always the most straightforward thing to understand or manage. I’ve written about using TLS with Syslog in the past, and if you’re using something like Letsencrypt, it’s a fairly straightforward process to use an LE cert with your Syslog input. You might look at the post and see if that gives you any insight.

Hi aaronsachs!
I will check it out. Thanks a lot!
