Hi Team,
We recently enabled SSL for graylog. Everything seems to be working fine after enabling SSL, except the Raw/Plaintext UDP input.
The same works fine without SSL. We went through the logs, but we don't see any error either in Graylog or in the application that is pushing the logs.
Appreciate your help!!
What do you specifically mean? Because there is no single, big on/off switch for TLS. There are many different parts of Graylog that can have TLS enabled/disabled.
- The web interface
- The MongoDB connection
- The ElasticSearch connection
- Each separate Input
Please describe in a bit more detail what you changed or adjusted.
EDIT:
I don't have access to Graylog right now, so I can't verify… Does the UDP/RAW receiver even have an option for TLS?! I don't think so.
Graylog has no TLS options for UDP inputs that I could find. There is also no TLS for UDP; instead you'd have DTLS (basically TLS for datagram protocols, which seems to be rather obscure).
Graylog has no TLS options for UDP inputs that I could find.
Show me any UDP based communication that can work with TLS …
Anything that implements DTLS
Now the big question is: will @priyanka8 return to answer our questions?
We have enabled SSL for the Graylog web interface and REST API.
We did not change anything in the input configuration. When we had the web interface and REST API without SSL, all inputs were working fine, but with SSL enabled, only the Raw/Plaintext UDP input is not working.
```
# Enable HTTPS support for the REST API. This secures the communication with the REST API with
# TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
# next line to enable it.
rest_enable_tls = true

# The X.509 certificate file to use for securing the REST API.
rest_tls_cert_file = /path/to/graylog/data/config/certificate.crt

# The private key to use for securing the REST API.
rest_tls_key_file = /path/to/graylog/data/config/certificate.key

# The password to unlock the private key used for securing the REST API.
#rest_tls_key_password = secret

# The maximum size of the HTTP request headers in bytes.
#rest_max_header_size = 8192

# The maximal length of the initial HTTP/1.1 line in bytes.
#rest_max_initial_line_length = 4096

# The size of the thread pool used exclusively for serving the REST API.
#rest_thread_pool_size = 16

# Enable the embedded Graylog web interface.
# Default: true
#web_enable = false

# Web interface listen URI
web_listen_uri = /path/to/graylog/data/config/certificate.crt

# This is the external address of the REST API of the Graylog server.
# Web interface clients need to be able to connect to this for the web interface to work.
# If not set, rest_transport_uri will be used.
#web_endpoint_uri = https://localhost/

# Enable CORS headers for the web interface. This is necessary for JS-clients accessing the server directly.
# If these are disabled, modern browsers will not be able to retrieve resources from the server.
#web_enable_cors = true
web_enable_cors = false

# Enable/disable GZIP support for the web interface. This compresses HTTP responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
#web_enable_gzip = false

# Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
# using TLS to prevent request forgery and eavesdropping.
# This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
web_enable_tls = true

# The X.509 certificate file to use for securing the web interface.
web_tls_cert_file = /path/to/graylog/data/config/certificate.crt

# The private key to use for securing the web interface.
web_tls_key_file = /path/to/graylog/data/config/certificate.key

# The password to unlock the private key used for securing the web interface.
#web_tls_key_password = secret

# The maximum size of the HTTP request headers in bytes.
#web_max_header_size = 8192

# The maximal length of the initial HTTP/1.1 line in bytes.
#web_max_initial_line_length = 4096

# The size of the thread pool used exclusively for serving the web interface.
#web_thread_pool_size = 16
```
That's because UDP inputs do not support TLS. If you want to use TLS, either use a TCP input, or do UDP across a VPN/private network. Or have very, very good firewall rules in place.
Actually, what @priyanka8 did is unrelated… They write:
We have enabled SSL for the Graylog web interface and REST API.
We did not change anything in the input configuration. When we had the web interface and REST API without SSL, all inputs were working fine, but with SSL enabled, only the Raw/Plaintext UDP input is not working.
So they only enabled TLS for the GUI etc. That does not affect the UDP inputs. So there would be absolutely no reason for the UDP input to break.
The statement is a bit ambiguous.
But it would've been nice if @priyanka8 would've actually said what isn't working, because either the input isn't starting, or it's starting but not receiving, which could be due to a misconfiguration, or firewall configuration, or … etc. etc.
Just to be anally retentive.
I have a feeling you and I are gonna get along just fine
It's a Dutch people thing >.>
Hi @benvanstaveren,
Actually the Raw/Plaintext UDP input is starting and running, but it is not receiving/showing any incoming messages in "show received messages".
I have also attached the configuration of the Raw/Plaintext UDP input. I am not sure where I am wrong.
Well, we're back to basic networking troubleshooting then.
- Which hosts are you expecting to connect to this Syslog receiver?
- On those sending hosts, can you Netcat to the port you specified?
- When you dump in some data through Netcat, does the Input in Graylog show any activity?
Here's a nice example of faking syslog messages by using Netcat.
@Totally_Not_A_Robot beat me to it, but if the input is running but not receiving, ensure that you don't have any firewall rules blocking the port, and that you can indeed netcat something, like so:
echo "this is a test message" | nc -u ip-address-of-graylog-server 9500
Then see if received messages show anything. If netcat doesn't connect, you have a firewall issue; if netcat does connect and sends the message but it doesn't show in received messages, you have another problem.
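A small local round-trip check that mirrors the netcat test above, added here as an example (it is not from the thread or from Graylog): it binds a throwaway UDP listener as a stand-in for the Raw/Plaintext UDP input, sends a datagram to it the way `nc -u` does, and reports what arrived; a second helper tells you whether a UDP port on the host is already owned by a process, which is what a running input should look like. The message text is constructed; host, port and timeout are assumptions you pass in.

```python
import errno
import socket

# Constructed sample message, mirroring the netcat test in the thread.
TEST_MESSAGE = "this is a test message"


def send_raw_udp(message: str, host: str, port: int) -> int:
    """Send one plaintext datagram, which is all `echo ... | nc -u host port` does.
    Returns the byte count handed to the kernel; UDP gives no delivery receipt."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))


def udp_port_bound(host: str, port: int) -> bool:
    """True if some process already owns host:port for UDP (e.g. a running input).
    A second bind without SO_REUSEADDR fails with EADDRINUSE when the port is taken."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def udp_roundtrip_check(message: str, host: str = "127.0.0.1",
                        port: int = 0, timeout: float = 2.0) -> str:
    """Bind a throwaway listener standing in for the Raw/Plaintext UDP input,
    send `message` to it and return what arrived ("" on timeout).
    port=0 lets the kernel pick a free port so the check never collides with a real input."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind((host, port))
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        send_raw_udp(message, host, bound_port)
        try:
            data, _sender = listener.recvfrom(65535)
        except socket.timeout:
            return ""
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Run on the Graylog host: if this echoes the message but the real input stays
    # empty, the datagrams are being dropped before they reach the input's port.
    print(udp_roundtrip_check(TEST_MESSAGE))
```

If the loopback round trip passes on the Graylog host, repeat `udp_port_bound` against the input's bind address and port (9500 in the netcat line above) to confirm the input actually owns the socket before looking at firewalls between sender and server.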