Input - Raw/Plaintext UDP is not working with graylog ssl


(priyanka) #1

Hi Team,
We recently enabled SSL for graylog. Everything seems to be working fine after enabling SSL, except the Raw/Plaintext UDP input.
The same works fine without SSL. Went through the logs, but we dont see any error both in graylog nor the application which is pushing logs.
Appreciate your help!!


(Tess) #2

What do you specifically mean? Because there is no single, big on/off switch for TLS. There are many different parts of Graylog that can have TLS enabled/disabled.

  • The web interface
  • The MongoDB connection
  • The ElasticSearch connection
  • Each separate Input

Please describe in a bit more detail what you changed or adjusted.

EDIT :
I don’t have access to Graylog right now, so I can’t verify… Does the UDP/RAW receiver even have an option for TLS?! I don’t think so :smiley:


(Ben van Staveren) #3

Graylog has no TLS options for UDP inputs that I could find. There is also no TLS for UDP, instead you’d have DTLS (basically TLS for datagram protocols, seems to be rather obscure)


(Jan Doberstein) #4

Graylog has no TLS options for UDP inputs that I could find.

Show me any UDP based communication that can work with TLS …


(Ben van Staveren) #5

Anything that implements DTLS :slight_smile:


(Tess) #6

Now the big question is: will @priyanka8 return to answer our questions? :smiley:


(priyanka) #7

Hi @Totally_Not_A_Robot,

We have enabled ssl for graylog web interface and rest API.
We did not change anything for input configuration. when we have web interface and rest api without ssl, all inputs were working fine but with ssl enabled, only Input - Raw/Plaintext UDP is not working.

# Enable HTTPS support for the REST API. This secures the communication with the REST API with

TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the

next line to enable it.

rest_enable_tls = true

The X.509 certificate file to use for securing the REST API.

rest_tls_cert_file = /path/to/graylog/data/config/certificate.crt

The private key to use for securing the REST API.

rest_tls_key_file = /path/to/graylog/data/config/certificate.key

The password to unlock the private key used for securing the REST API.

#rest_tls_key_password = secret

The maximum size of the HTTP request headers in bytes.

#rest_max_header_size = 8192

The maximal length of the initial HTTP/1.1 line in bytes.

#rest_max_initial_line_length = 4096

The size of the thread pool used exclusively for serving the REST API.

#rest_thread_pool_size = 16

Enable the embedded Graylog web interface.

Default: true

#web_enable = false

Web interface listen URI

web_listen_uri = /path/to/graylog/data/config/certificate.crt

This is the external address of the REST API of the Graylog server.

Web interface clients need to be able to connect to this for the web interface to work.

If not set, rest_transport_uri will be used.

#web_endpoint_uri = https://localhost/

Enable CORS headers for the web interface. This is necessary for JS-clients accessing the server directly.

If these are disabled, modern browsers will not be able to retrieve resources from the server.

#web_enable_cors = true
web_enable_cors = false

Enable/disable GZIP support for the web interface. This compresses HTTP responses and therefore helps to reduce

overall round trip times. This is enabled by default. Uncomment the next line to disable it.

#web_enable_gzip = false

Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface

using TLS to prevent request forgery and eavesdropping.

This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.

web_enable_tls = true

The X.509 certificate file to use for securing the web interface.

web_tls_cert_file = /path/to/graylog/data/config/certificate.crt

The private key to use for securing the web interface.

web_tls_key_file = /path/to/graylog/data/config/certificate.key

The password to unlock the private key used for securing the web interface.

#web_tls_key_password = secret

The maximum size of the HTTP request headers in bytes.

#web_max_header_size = 8192

The maximal length of the initial HTTP/1.1 line in bytes.

#web_max_initial_line_length = 4096

The size of the thread pool used exclusively for serving the web interface.

#web_thread_pool_size = 16


(Ben van Staveren) #8

That’s because UDP inputs do not support TLS. If you want to use TLS, either use a TCP input, or do UDP across a VPN/private network. Or have very, very good firewall rules in place.


(Tess) #9

Actually, what @priyanka8 did is unrelated… They write:

We have enabled ssl for graylog web interface and rest API.
We did not change anything for input configuration. when we have web interface and rest api without ssl, all inputs were working fine but with ssl enabled, only Input - Raw/Plaintext UDP is not working.

So they only enabled TLS for the GUI etc. That does not affect the UDP inputs. So there would be absolutely no reason for the UDP input to break.


(Ben van Staveren) #10

The statement is a bit ambiguous :wink:

But, it would’ve been nice if @priyanka8 would’ve actually said what isn’t working, because either the input isn’t starting, or it’s starting but not receiving, which could be due to a misconfiguration, or firewall configuration, or … etc. etc.

:smiley:

Just to be anally retentive.


(Tess) #11

I have a feeling you and I are gonna get along just fine :slight_smile:


(Ben van Staveren) #12

It’s a Dutch people thing >.>


(priyanka) #13

Hi @benvanstaveren,

Actually input-Raw/plaintext udp is starting and running but it is not receiving/showing any incoming messages in the “show received messages”.

Also attched the configuration of input-Raw/plaintext udp. I am not sure where I am wrong.


(Tess) #14

Well, we’re back to basic networking troubleshooting then.

  • Which hosts are you expecting to connect to this Syslog receiver?
  • On those sending hosts, can you Netcat to the port you specified?
  • When you dump in some data through Netcat, does the Input in Graylog show any activity?

Here’s a nice example of faking syslog messages by using Netcat.


(Ben van Staveren) #15

@Totally_Not_A_Robot beat me to it but if the input is running but not receiving, ensure that you don’t have any firewall rules blocking the port, and that you can indeed netcat something, like so:

echo "this is a test message" | nc -u ip-address-of-graylog-server 9500

Then see if received messages show anything. If netcat doesn’t connect, you have a firewall issue, if netcat does connect and sends the message but it doesn’t show in received messages you have another problem :slight_smile:


(system) closed #16

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.