The result of that command in test was:
curl: (35) Encountered end of file
The result in production was:
curl: (35) TCP connection reset by peer
Here is what a non-https call to that curl would look like:
curl -XGET http://server_name:9000/api
{"cluster_id":"<cluster ID number>","node_id":"<Node ID Number>","version":"4.2.5+59802bf","tagline":"Manage your logs in the dark and have lasers going and make it look like you're from space!"}
Verify all certificates and settings.
I am reasonably sure your errors are with certificates.
In the example Graylog cluster given here: Generating Graylog certificates and keys with Microsoft AD CS - Securing Graylog, is the "three graylog data receiver hosts" referring to hosts supporting the server function, or is that talking about the hosts where sidecar resides? It seems that the 3 clustered hosts and the graylog front end are all performing the server function? Do I have that wrong? So in my setup, where there is one VM doing the server function, we would just need to have certificates for MongoDB, Graylog, Searchguard, and Elasticsearch, so 4 .INF files?
@gsmith may be able to help better with certificate specific questions.
Hello @fffhurst
What do you mean by server function? If you're referring to the TLS connection, then yes.
In order to provide your full cluster with all required certificates, we'll need to make all of the following keypairs and certificates. For each certificate you'll need to gather the relevant hostnames, DNS aliases and IP addresses, because we want the certificates to work for all of these.
Do you have a cluster of servers?
If you don't have a cluster of servers and only one node, you will need to create certificates for Graylog, then send them over to be signed by your MS AD CS. Once the certificates are signed, make sure you put the correct ones in your keystore on Graylog. I'm not sure about your environment, but you can also just create self-signed certs or use Let's Encrypt. It's possible and easy just to use the Java default keystore called 'cacerts'. As for your INPUTs using certificates, you will need two:
graylog.pem && graylog-key.pem; then those two would also be on your remote device. When you do that, make sure they're secure since these are certificate keys.
I believe the easiest way to accomplish this is to create your certificates on Graylog.
Here are a couple examples that I used not only for HTTPS but also for INPUT connections.
For example, here is what I did.
1. Create a file named openssl-graylog.cnf with the following content
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
# Details about the issuer of the certificate
[req_distinguished_name]
C = US
ST = some_state
L = some_city
O = domain
OU = admin
CN = graylog.enseva-labs.net
[v3_req]
keyUsage = keyEncipherment, dataEncipherment,nonRepudiation
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 10.10.10.10
DNS.1 = graylog.domain-labs.net
2. I execute the following commands to create the certs for Graylog TLS.
mkdir /etc/ssl/certs/graylog/ && cd /etc/ssl/certs/graylog/
openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config openssl-graylog.cnf -keyout pkcs5-plain.pem -out cert.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -nocrypt -out pkcs8-plain.pem
openssl pkcs8 -in pkcs5-plain.pem -topk8 -out pkcs8-encrypted.pem -passout pass:secret
openssl pkcs12 -in keystore.pfx -nokeys -out graylog-certificate.pem
openssl pkcs12 -in keystore.pfx -nocerts -out graylog-pkcs5.pem
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
keytool -list -v -keystore keystore.jks -alias graylog.example.com
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12
openssl pkcs12 -in keystore.p12 -nokeys -out graylog-certificate.pem
openssl pkcs12 -in keystore.p12 -nocerts -out graylog-pkcs5.pem
openssl pkcs8 -in graylog-pkcs5.pem -topk8 -out graylog-key.pem
cp -a "/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.171-7.b10.el7.x86_64/jre/lib/security/cacerts" /etc/ssl/certs/graylog/graylog-key.jks
keytool -importcert -keystore graylog.jks -storepass changeit -alias graylog.domain-labs.net -file cert.pem   # changeit is the default cacerts password; use your own (e.g. secret) if you changed it
Make sure Graylog is aware of the new keystore.
-Djavax.net.ssl.trustStore=/path/to/keystore.jks
-Djavax.net.ssl.trustStorePassword=secret
If you receive an error stating "no keystore found" or something similar to that, you can use the default Java store and place those certificates there. Make sure to comment out the lines above so Graylog doesn't get confused about which keystore to use.
3. Default Java keystore with the following commands. The Java path may vary by OS and version of Java.
keytool -import -trustcacerts -file cert.pem -alias graylog.domain-labs.net -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.282.b08-1.el7_9.x86_64/jre/lib/security/cacerts
5. Copy the certificates into the Graylog directory. Since Graylog owns it, this makes it easy for Graylog to access them when using TCP/TLS INPUTs.
cp cert.pem graylog-certificate.pem graylog-key.pem /etc/graylog/
6. Configure the Graylog config file
http_publish_uri = https://graylog.domain-labs.net:9000/
http_enable_tls = true
http_tls_key_password = secret
## I used the directory where I created the certs and ran chown graylog:graylog -R on it.
http_tls_key_file = /etc/ssl/certs/graylog/graylog-key.pem
http_tls_cert_file = /etc/ssl/certs/graylog/graylog-certificate.pem
As for my INPUTs...
For Elasticsearch, it's been a while, but something like this.
cp admin-key.pem admin.pem root-ca-key.pem root-ca.pem /etc/elasticsearch/
Elasticsearch YAML file.
opendistro_security.ssl.transport.pemcert_filepath: /etc/elasticsearch/admin.pem
opendistro_security.ssl.transport.pemkey_filepath: /etc/elasticsearch/admin-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: /etc/elasticsearch/admin.pem
opendistro_security.ssl.http.pemkey_filepath: /etc/elasticsearch/admin-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
- 'CN=elastic-stack.domain-labs.net,OU=admin,O=google,L=some_city,ST=some_state,C=us'
For MongoDB, I haven't done it yet, but if you get it working I would like to know.
Hope that helps
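Added example, not from this thread or from the Graylog project: a POSIX shell script that performs steps 1 and 2 of the procedure above (openssl config with a SAN section, self-signed certificate, PKCS#8 key) and then runs the checks worth doing before pointing http_tls_cert_file and http_tls_key_file at the files: that the key actually belongs to the certificate, that the SAN carries the hostname clients will use, that the certificate has the serverAuth EKU, and that the key is in the PKCS#8 container Graylog reads. The hostname graylog.example.test and the address 192.0.2.10 are constructed placeholders; WORKDIR defaults to a temporary directory. The last function is a diagnostic for the curl "(35)" handshake failures from the first post and needs a live listener, so it is not exercised here.

```shell
#!/bin/sh
# Added example (not from the thread): generate a self-signed Graylog server
# certificate with SAN entries from an openssl config shaped like the post's,
# convert the key to PKCS#8, and check the results before configuring Graylog.
# Hostname and IP are constructed placeholders, not real hosts.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="graylog.example.test"   # constructed placeholder, substitute your FQDN
IP="192.0.2.10"               # constructed placeholder (documentation range)

# Step 1 equivalent: openssl config with a SAN section. curl, browsers and Java
# clients match the hostname against SAN entries, so CN alone is not enough.
write_cnf() {
  cat > "$WORKDIR/openssl-graylog.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = some_state
L = some_city
O = example
OU = admin
CN = $HOST

[v3_req]
keyUsage = keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = $IP
DNS.1 = $HOST
EOF
}

# Step 2 equivalent: self-signed cert plus key, then the unencrypted PKCS#8
# form ("BEGIN PRIVATE KEY") that Graylog reads from http_tls_key_file.
gen_cert() {
  openssl req -x509 -days 365 -nodes -newkey rsa:2048 \
    -config "$WORKDIR/openssl-graylog.cnf" \
    -keyout "$WORKDIR/key-plain.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt -in "$WORKDIR/key-plain.pem" \
    -out "$WORKDIR/graylog-key.pem"
}

# Check 1: the private key belongs to the certificate. A mismatched pair makes
# the handshake die before any HTTP is exchanged, which curl reports as (35).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORKDIR/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORKDIR/graylog-key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Check 2: the SAN extension lists the DNS name given as $1.
cert_has_dns_san() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -text | grep -q "DNS:$1"
}

# Check 3: the certificate is usable for server authentication (serverAuth EKU).
cert_is_server_auth() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -text \
    | grep -q "TLS Web Server Authentication"
}

# Check 4: the key file is PKCS#8, not the PKCS#1 "BEGIN RSA PRIVATE KEY" form.
key_is_pkcs8() {
  head -n 1 "$WORKDIR/graylog-key.pem" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# Diagnostic for a curl (35) failure against a live listener: print what the
# server actually serves. $1 = host, $2 = port. Needs OpenSSL 1.1.1+ for -ext.
show_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

run_all_checks() {
  write_cnf
  gen_cert
  key_matches_cert && cert_has_dns_san "$HOST" && cert_is_server_auth && key_is_pkcs8
}

run_all_checks && echo "certificate and key in $WORKDIR pass all checks"
```

If key_matches_cert fails after a PKCS#12 or keytool round trip, the wrong file was extracted; if cert_has_dns_san fails for the name in http_publish_uri, clients will reject the certificate even though the handshake itself may complete. For a certificate signed by AD CS rather than self-signed, run `openssl verify -CAfile root-ca.pem cert.pem` as an additional check before importing it into the keystore.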
wow! That is some serious work right there @gsmith!
When you do it once every three months I don't even realize it any more, just copy-n-paste from my personal docs.
EDIT: I forgot to mention, depending on which environment I'm in, I have used Let's Encrypt and mkcert.