Hello. Newbie here. I have been looking for information about how to communicate the rsyslog client and graylog over TLS but doesn’t matter what I do or what I read, I can’t.
It is very frustrating …
My problem is that I cannot get logs from my remote app to log to a Graylog input using TLS. The remote server was logging correctly to the configure input before I attempted to enable TLS with self-signed certs.
First, in another server I created some self-signed certs following these steps:
openssl genrsa -out CA.key 2048 openssl req -x509 -new -nodes -key CA.key -sha256 -days 3650 -out rootCA.crt openssl genrsa -out graylog-server.key 2048 openssl req -new -key graylog-server.key -out graylog-server.csr openssl x509 -req -in graylog-server.csr -CA rootCA.crt -CAkey CA.key -CAcreateserial -out graylog-server.crt -days 3640 -sha256
After that I do the same for every server (graylog and client) with the following steps:
openssl genrsa -out myIpAddress.key 2048
openssl req -new -key myIpAddress.key -out myIpAddress.csr
Where I put the IP as Common Name in the last line.
Then, I do the following:
openssl x509 -req -in myIpAddress.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out myIpAddress.crt -days 500 -sha256
So, after finish I got these files:
rsyslog-server.crt rsyslog-server.csr rsyslog-server.key
graylog-server.crt graylog-server.csr graylog-server.key
rootCA.crt rootCA.key rootCA.srl
I configured rsyslog.conf in the following way:
$DefaultNetstreamDriver gtls $DefaultNetstreamDriverCAFile /etc/ssl/rsyslog/rootCA.crt $DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/rsyslog-server.crt $DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/rsyslog-server.key $ActionSendStreamDriverAuthMode anon $ActionSendStreamDriverMode 1 # run driver in TLS-only mode #$ActionSendStreamDriverPermittedPeer graylog.name.com *.* @@graylogIPaddress:5140;RSYSLOG_SyslogProtocol23Format
In graylog I configured server.conf file:
# The X.509 certificate chain file in PEM format to use for securing the HTTP interface. http_tls_cert_file = /etc/ssl/graylog/graylog-server.csr # I tried with rootCA.crt file too # The PKCS#8 private key file in PEM format to use for securing the HTTP interface. http_tls_key_file = /etc/ssl/graylog/graylog-server.key # The password to unlock the private key used for securing the HTTP interface. http_tls_key_password = pass of certificate
and enable all tls options.
I have created a cacert.jks file like the documentation says.
In /etc/default/graylog-server I add -Djavax.net.ssl.trustStore=/etc/ssl/graylog/cacerts.jks in GRAYLOG_SERVER_JAVA_OPTS line.
My cert folder has this files:
cacerts.jks graylog-server.crt graylog-server.csr graylog-server.key rooCA.crt
And my input:
* allow_override_date: true
* bind_address: 0.0.0.0
* expand_structured_data: false
* force_rdns: false
* max_message_size: 2097152
* number_worker_threads: 2
* port: 5140
* tcp_keepalive: false
* tls_cert_file: /etc/ssl/graylog/rootCA.crt
* tls_client_auth: optional
* tls_client_auth_cert_file: /etc/ssl/graylog/
* tls_enable: true
* tls_key_file: /etc/ssl/graylog/graylog-server.key
* tls_key_password: ********
* use_null_delimiter: false
Can anyone tell me what exactly should I do with these files?
I’ve already read these articles with no luck:
Secured Graylog and Beats input — Graylog 3.0.2 documentation
I also reviewed these links to enabled TLS on rsyslog for the client. I did not apply the server config to the rsyslog config file because I did not expect it was needed (Please correct if I am wrong):
Any help or suggestions are appreciated. Thanks.