How to configure a syslog TLS input in Graylog2


(Pohu) #1

Hello,

I have two servers, a production server and a monitoring server. On the monitoring server I have Graylog2 installed (version 2.3.2). Previously I passed the logs between the two servers over UDP, with this config:

Production server side

/etc/rsyslog.d/60-graylog.conf:
*.* @monitoring.logMonitoringdomainName:514;RSYSLOG_SyslogProtocol23Format

Monitoring server side:

ufw allow 514/udp

systemctl restart rsyslog

Graylog was running well. But now I would like to pass the logs between the two servers using TLS. My certificates are generated with letsencrypt. With this config:

Production server side

apt-get -y install rsyslog-gnutls
/etc/rsyslog.d/60-graylog.conf:
$ModLoad imuxsock # local messages
$ModLoad imtcp # TCP listener

# make gtls driver the default
$DefaultNetstreamDriver gtls

# certificate files
$DefaultNetstreamDriverCAFile /etc/letsencrypt/live/domainName/fullchain.pem
$DefaultNetstreamDriverCertFile /etc/letsencrypt/live/domainName/cert.pem
$DefaultNetstreamDriverKeyFile /etc/letsencrypt/live/domainName/privkey.pem

$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.$logMonitoring
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
$InputTCPServerRun 10514 # start up listener at port 10514

*.* @@monitoring.logMonitoringdomainName:514;RSYSLOG_SyslogProtocol23Format

ufw allow 514/tcp
systemctl restart rsyslog

Monitoring server side:

ufw allow 514/tcp

systemctl restart rsyslog

Graylog TCP input:

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source: <empty>
port: 514
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file: /home/gspohu/TLS_LOG/cert.pem
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /home/gspohu/TLS_LOG/privkey.pem
tls_key_password: ********
use_null_delimiter: false

But I don't understand how to set the Graylog input; whatever I try in the input config, Graylog can't read the logs. Besides, I'm not sure of my TLS configuration. Could you guide me through the configuration?

Thank you for taking the time to read me,


(system) #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.