Rsyslog Linux encrypted


(alexis) #1

Hello,

I am trying to recover the logs from a Linux server with rsyslog. When the exchanges are not encrypted it works, but when I try to encrypt it does not work.

At the level of the logs on the Graylog server, I have this error message:

2018-07-06T09:28:30.929+02:00 ERROR [NettyTransport] Error in Input [Syslog TCP/5b3a124909908a03e1e70bb5] (channel [id: 0xca9ca86a, /ip_client:36470 => /ip_graylog_server:5514])
org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:857) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[graylog.jar:?]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [graylog.jar:?]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]

Do you have an idea?


(Jochen) #2

Are you sure that rsyslog is sending messages over TCP+TLS and not only plaintext TCP?



(alexis) #3

I ticked the box to allow input TLS in the graylog server.


(alexis) #4

Here is my configuration on the client:

# client certificate (key file currently commented out)
$DefaultNetstreamDriverCertFile /home/admin/linux_ssl.cert.pem
#$DefaultNetstreamDriverKeyFile /home/admin/linux_ssl.pkcs8-plain.key
# gtls = GnuTLS netstream driver; mode 1 = require TLS; anon = no peer authentication
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional

# *.* = all facilities and priorities; @@ = forward over TCP
#*.* @@remote-host:514
*.* @@ip_graylog_server:5514

But is it possible to delete the last comment, because there is an IP address in your image? Please.


(Jochen) #5

172.22.1.1 is a private IP address (see RFC 1918), so you’re safe. :wink:

That doesn’t help if rsyslog isn’t using TLS.

I won’t start debugging your rsyslog configuration, but are you sure that the “gtls” module is available on your system?


(alexis) #6

Thank you for the information.
I’m going to look for the gtls module.


(alexis) #7

When I run journalctl -x on the client, I get this output:

juil. 11 08:52:22 graylog-client rsyslogd[26654]: not permitted to talk to peer, certificate invalid: signer not found [v8.24.0]
juil. 11 08:52:22 graylog-client rsyslogd[26654]: invalid cert info: peer provided 1 certificate(s). Certificate 1 info: certificate valid from Mon Jul 10 10:56:54 2017 to Sat Jan 1 00:59:59 1000;
juil. 11 08:52:22 graylog-client rsyslogd[26654]: not permitted to talk to peer, certificate invalid: signer not found [v8.24.0]
juil. 11 08:52:22 graylog-client rsyslogd[26654]: invalid cert info: peer provided 1 certificate(s). Certificate 1 info: certificate valid from Mon Jul 10 10:56:54 2017 to Sat Jan 1 00:59:59 1000;
juil. 11 08:52:22 graylog-client rsyslogd[26654]: not permitted to talk to peer, certificate invalid: signer not found [v8.24.0]
juil. 11 08:52:22 graylog-client rsyslogd[26654]: invalid cert info: peer provided 1 certificate(s). Certificate 1 info: certificate valid from Mon Jul 10 10:56:54 2017 to Sat Jan 1 00:59:59 1000;
juil. 11 08:52:22 graylog-client rsyslogd[26654]: not permitted to talk to peer, certificate invalid: signer not found [v8.24.0]
juil. 11 08:52:22 graylog-client rsyslogd[26654]: invalid cert info: peer provided 1 certificate(s). Certificate 1 info: certificate valid from Mon Jul 10 10:56:54 2017 to Sat Jan 1 00:59:59 1000;

I try to use the certificate for HTTPS (http://docs.graylog.org/en/2.4/pages/configuration/https.html)

Do I have to use another certificate?

Thanks for the information.


(Jochen) #8

With your configuration, rsyslog has to be able to verify the certificate of the Syslog input in Graylog.
If you’re using a self-signed certificate or a custom CA, you have to add these to the local certificate trust store.

See https://www.rsyslog.com/doc/v8-stable/tutorials/tls.html#certificates for details.

Additionally, it looks like the validity period of the certificate you’re using in Graylog is invalid (“Sat, Jan 1 00:59:59 1000”).
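As an added example (not from this thread, nor from Graylog or rsyslog), a small Python triage script that recognises the three symptoms quoted above, the NotSslRecordException on the Graylog side and the "signer not found" and nonsensical validity period on the rsyslog side, and maps each to the cause described in this post; the sample log lines are constructed from the excerpts above, and the $DefaultNetstreamDriverCAFile hint is the client-side CA directive from the linked rsyslog TLS documentation.

```python
import re
from datetime import datetime

# Constructed sample lines modelled on the two excerpts in this thread (Graylog
# server log and the rsyslog client's journal); they are not real captures.
SAMPLE_LOGS = [
    "org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:",
    "juil. 11 08:52:22 graylog-client rsyslogd[26654]: not permitted to talk to peer, certificate invalid: signer not found [v8.24.0]",
    "juil. 11 08:52:22 graylog-client rsyslogd[26654]: invalid cert info: peer provided 1 certificate(s). Certificate 1 info: certificate valid from Mon Jul 10 10:56:54 2017 to Sat Jan 1 00:59:59 1000;",
]
VALIDITY_RE = re.compile(r"certificate valid from (.+?) to (.+?);")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # date layout rsyslog prints in 'invalid cert info'
# Fixed-string symptom -> (finding code, explanation) for the two errors quoted in the thread.
SYMPTOMS = {
    "NotSslRecordException": ("PLAINTEXT_TO_TLS_INPUT",
        "Graylog input expects TLS but the first bytes were not a TLS record: the client is still sending plaintext TCP (check that gtls is loaded)"),
    "signer not found": ("UNTRUSTED_SIGNER",
        "rsyslog cannot chain the Graylog input certificate to a trusted CA: point $DefaultNetstreamDriverCAFile at the CA that signed it"),
}

def parse_validity(line):
    """Return (not_before, not_after) from an rsyslog 'invalid cert info' line, else None."""
    m = VALIDITY_RE.search(line)
    if not m:
        return None
    not_before, not_after = (datetime.strptime(s, DATE_FMT) for s in m.groups())
    return not_before, not_after

def triage(lines, now=None):
    """Map the symptoms seen in this thread to deduplicated (code, explanation) findings."""
    now = now or datetime.now()
    findings = []
    for line in lines:
        for needle, finding in SYMPTOMS.items():
            if needle in line and finding not in findings:
                findings.append(finding)
        window = parse_validity(line)
        if window is None:
            continue
        nb, na = window
        if na <= nb:  # the year-1000 end date quoted in the thread lands here
            finding = ("VALIDITY_END_BEFORE_START", "validity ends %s before it starts %s: reissue the certificate" % (na, nb))
        elif not nb <= now <= na:
            finding = ("OUTSIDE_VALIDITY_WINDOW", "certificate not valid at %s (valid %s to %s)" % (now, nb, na))
        else:
            continue
        if finding not in findings:
            findings.append(finding)
    return findings
```

Run it over the journal lines from the client and the error from the Graylog server log together; the repeated journal entries collapse into one finding each.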


(alexis) #9

Thanks for the information.