Nxlog for Windows in SSL/TLS not working

Hello,

I tried to send the Windows logs over SSL/TLS, but it doesn’t work.

This is my nxlog.conf configuration on Windows:

define ROOT     C:\Program Files (x86)\nxlog
define CERTDIR  %ROOT%\cert
define CONFDIR  %ROOT%\conf
define LOGDIR   %ROOT%\data
define LOGFILE  %LOGDIR%\nxlog.log
LogFile %LOGFILE%

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data

<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _charconv>
    Module      xm_charconv
    #AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module      xm_exec
</Extension>

<Input in>
    Module      im_msvistalog
# For windows 2003 and earlier use the following:
#   Module      im_mseventlog
<QueryXML> 
<QueryList>
  <Query Id="0">
    <Select Path="Security">*[System[(EventID=4624 or EventID=4634)]]</Select>
    <Select Path="System">*[System[(Level=1  or Level=2 or Level=3)]]</Select>
</Query>
</QueryList>
</QueryXML> 
</Input>

<Extension gelf>
    Module xm_gelf
</Extension>

<Output out>
    Module      om_ssl
    Host IP_address
    Port 12201
    Exec to_syslog_snare();
    CertFile %CERTDIR%\cert.pem
    CertKeyFile %CERTDIR%\pkcs8-encrypted.pem
    AllowUntrusted TRUE
    KeyPass password
    OutputType GELF_TCP
</Output>

<Route 1>
    Path        in => out
</Route>

And on my Graylog input, I have this:

Port 12201
TLS cert file /etc/graylog/server/certificats/cert.pem
TLS private key file /etc/graylog/server/certificats/pkcs8-encrypted.pem
Enable TLS
TLS key password password

And I get this error message:

ERROR SSL certificate verification failed: unable to get local issuer certificate (err: 20)
Thanks

You have to add your self-signed certificates to the local machine’s/runtime environment’s trust store.

The Graylog documentation includes a section about adding self-signed certificates to the JVM trust store:
http://docs.graylog.org/en/2.4/pages/configuration/https.html#adding-a-self-signed-certificate-to-the-jvm-trust-store

Yes, I’ve added the certificate to the JVM trust store. The certificate is already present in the JVM trust store.

I already have the certificate present in the JVM trust store.

I tried to import the JVM store in Windows, but it doesn’t work.

Do you have an idea how to solve the problem?

Thanks

I found a solution to the problem, but I’m not sure about the configuration. In fact, I changed the nxlog configuration file:

Module om_ssl
Host IP_address
Port 12201
CertFile %CERTDIR%\cert.pem
#CertKeyFile %CERTDIR%\pkcs8-encrypted.pem
AllowUntrusted TRUE
#KeyPass password
OutputType GELF_TCP

And in Graylog, I configured my input like this:

Port 12201
TLS cert file /etc/graylog/server/certificats/cert.pem
Enable TLS

And now I see that the traffic between the Windows server and Graylog is encrypted. Is this the right method?
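
Added example, not part of the original thread and not nxlog or Graylog code: a small Python check that flags om_ssl Output blocks which encrypt without verifying the server certificate (AllowUntrusted TRUE, no CAFile/CADir) or keep KeyPass in clear text. The two sample blocks are constructed, the first from the configuration posted above; the ca.pem file name and the function names are assumptions.

```python
import re

# Constructed samples: the Output block as first posted in the thread, and a
# hypothetical hardened variant (the ca.pem file name is an assumption).
POSTED = r"""
<Output out>
    Module      om_ssl
    Host IP_address
    Port 12201
    CertFile %CERTDIR%\cert.pem
    CertKeyFile %CERTDIR%\pkcs8-encrypted.pem
    AllowUntrusted TRUE
    KeyPass password
    OutputType GELF_TCP
</Output>
"""
HARDENED = r"""
<Output out>
    Module      om_ssl
    Host IP_address
    Port 12201
    CAFile %CERTDIR%\ca.pem
    AllowUntrusted FALSE
    OutputType GELF_TCP
</Output>
"""
BLOCK = re.compile(r"<Output\s+(\S+)>(.*?)</Output>", re.S | re.I)

def directives(body):  # directive name (lower-cased) -> value, comments skipped
    out = {}
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            out[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return out

def audit(conf):  # (output_name, finding) pairs for every om_ssl Output block
    findings = []
    for name, body in BLOCK.findall(conf):
        d = directives(body)
        if d.get("module", "").lower() != "om_ssl":
            continue
        if d.get("allowuntrusted", "FALSE").upper() == "TRUE":
            findings.append((name, "AllowUntrusted TRUE: server certificate is not verified"))
        if "cafile" not in d and "cadir" not in d:
            findings.append((name, "no CAFile/CADir: no CA configured to verify the server"))
        if "keypass" in d:
            findings.append((name, "KeyPass stored in clear text in the config"))
    return findings
```

Run against the final Output directives in the thread (KeyPass commented out), `audit()` still reports the AllowUntrusted and CAFile/CADir findings.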
