Local Input Not Running on TLS Configuration

Hello All,
I have read multiple posts on this topic but didn't really understand anything.
When I create an input I can't start it. I don't know if it's the config or something else like the firewall.
My current input config looks like this:


All ports on the local firewall are open

I'm running graylog-server on Debian 12
single-node setup
graylog server 6.1
opensearch 2.15
mongodb 7.0.17

I'm not sure what to do from here and would like some advice since I'm also pretty new to all of this. If further info is needed please let me know.

Ports below 1024 are often protected by the OS and you cannot use them without extra configuration.

If your firewall lets you specify the port, the easiest thing to do is just make the port 1514 or something.

Hi, thanks for the quick info, but I did an extra config with this command line:
sudo sed -i '/^LimitNOFILE=64000.*/a AmbientCapabilities=CAP_NET_BIND_SERVICE' /usr/lib/systemd/system/graylog-server.service
But I will try port 1514.
I have also looked at my Graylog logs and it says this:

So I guess it has something to do with the certificates I use.

Can you post more of that error so that I can see what it's trying to do when it complains about the cert.

I really would love to do that, but that is all I'm getting, over and over again.

If you mean you set up the web interface to go over HTTPS, there is likely a problem with Graylog accessing itself (sometimes the Graylog server talks to the Graylog API). What are your bind address, publish URI and external URI in your server.conf file?

It looks from the error like it's trying to access Graylog via an IP address, but the TLS cert only lists the FQDN, not the IP address, which would cause it to not trust the cert and fail.

That sounds like this would be the issue.
The bind address is 10.28.6.108:443 and the other URIs are not set (default).

If it helps, I secured the web interface connection with TLS using this documentation:
How-To Guide: Securing Graylog with TLS

I have now tried to change the external URI to bpdehamlogcon01.mydomain.de and am now getting a slightly different error. It seems it still can't call the API on the node, but this time the reason is an unexpected end of stream on 10.28.6.108:443.
I'm still not sure why the server can't reach itself.

I also found an article that might help: SSL Issues ProxiedResource Unable to call Hostname not verified - Graylog Central (peer support) - Graylog Community

The user states to
6. Make sure you have the following. NOTE: IP Address is preferred in the certs that point to your Graylog server etc…

which sounds like it might help, since my certs only know the server name and not the IP. But I don't know how to do that.

So you actually will want to set the publish URI to be the FQDN used in your cert (as long as that points to your IP, obviously). Publish URI is the address of that specific node; external URI would be the address of the cluster if you were behind a load balancer, let's say. In a single-node cluster with no load balancer, publish will get used as external if external is left blank.

Sorry for the late reply. Sadly nothing changed; I will check if it has something to do with our firewall on Monday.

I managed to get the input running; it was a simple misconfig on the publish URI. It was http:// and I changed it to https://, which solved the issue.
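The two things this thread turned on, the publish URI being derived from the bind IP (which the cert does not list) and the publish URI keeping http:// after http_enable_tls was switched on, can both be caught before restarting the server. The script below is an added example, not part of the original posts and not a Graylog tool; it only assumes the standard Graylog 6 server.conf keys http_enable_tls, http_bind_address, http_publish_uri and http_external_uri, and the sample config values in the usage line are constructed from the thread.

```shell
#!/bin/sh
# Added example (not Graylog's own tooling): offline consistency check of the
# http_* settings in a Graylog server.conf. Flags a publish/external URI whose
# scheme disagrees with http_enable_tls, and warns when the publish host is an
# IP literal, which a cert listing only the FQDN will fail to verify.
# Assumption: standard Graylog 6 key names; IPv4 only for the literal check.

# Print the last uncommented value of key $2 in file $1 (empty if unset).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# Host part of a URI: strip the scheme, then the path, then the port.
uri_host() {
    h=${1#*://}
    h=${h%%/*}
    printf '%s\n' "${h%%:*}"
}

# Exit 0 when $1 is an IPv4 literal, 1 otherwise (hostnames, empty strings).
uri_host_is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Exit 0 when publish/external URIs agree with http_enable_tls, 1 on a scheme
# mismatch. Every finding is printed on its own line.
check_graylog_tls_conf() {
    file=$1
    rc=0
    tls=$(conf_get "$file" http_enable_tls)
    bind=$(conf_get "$file" http_bind_address)
    publish=$(conf_get "$file" http_publish_uri)
    external=$(conf_get "$file" http_external_uri)

    # The scheme the URIs must use follows http_enable_tls.
    if [ "$tls" = "true" ]; then scheme=https; else scheme=http; fi

    if [ -z "$publish" ]; then
        # Graylog derives the default publish URI from the bind address, so a
        # bind address such as 10.28.6.108:443 makes the node call itself by IP.
        echo "note: http_publish_uri unset; Graylog derives it from http_bind_address=$bind"
    else
        case "$publish" in
            "$scheme://"*) ;;
            *) echo "error: http_publish_uri=$publish but http_enable_tls=${tls:-false} expects $scheme://"; rc=1 ;;
        esac
        if uri_host_is_ipv4 "$(uri_host "$publish")"; then
            echo "warning: http_publish_uri host is an IP literal; the TLS cert must list it as a SAN"
        fi
    fi

    if [ -n "$external" ]; then
        case "$external" in
            "$scheme://"*) ;;
            *) echo "error: http_external_uri=$external does not use $scheme://"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage on the node: check_graylog_tls_conf /etc/graylog/server/server.conf
```

Run it against /etc/graylog/server/server.conf before restarting graylog-server. A config with http_enable_tls = true and http_publish_uri = http://bpdehamlogcon01.mydomain.de/ (the state that closed this thread) exits non-zero; the same file with https:// passes, and a publish URI of https://10.28.6.108:443/ passes the scheme check but prints the SAN warning, since that is exactly the hostname-not-verified case from the first error.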
