Rsyslog Linux encrypted

Hello,

I am trying to recover the logs from a Linux server with rsyslog. When the exchanges are not encrypted it works, but when I try to encrypt it does not work.

At the level of the logs on the Graylog server, I have this error message:

2018-07-06T09:28:30.929+02:00 ERROR [NettyTransport] Error in Input [Syslog TCP/5b3a124909908a03e1e70bb5] (channel [id: 0xca9ca86a, /ip_client:36470 => /ip_graylog_server:5514])
org.jboss.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record:
at org.jboss.netty.handler.ssl.SslHandler.decode(SslHandler.java:857) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.callDecode(FrameDecoder.java:425) ~[graylog.jar:?]
at org.jboss.netty.handler.codec.frame.FrameDecoder.messageReceived(FrameDecoder.java:303) ~[graylog.jar:?]
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70) ~[graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564) [graylog.jar:?]
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:559) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:268) [graylog.jar:?]
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:255) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.read(NioWorker.java:88) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.process(AbstractNioWorker.java:108) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioSelector.run(AbstractNioSelector.java:337) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.AbstractNioWorker.run(AbstractNioWorker.java:89) [graylog.jar:?]
at org.jboss.netty.channel.socket.nio.NioWorker.run(NioWorker.java:178) [graylog.jar:?]
at org.jboss.netty.util.ThreadRenamingRunnable.run(ThreadRenamingRunnable.java:108) [graylog.jar:?]
at org.jboss.netty.util.internal.DeadLockProofWorker$1.run(DeadLockProofWorker.java:42) [graylog.jar:?]
at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:176) [graylog.jar:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_161]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_161]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_161]

Do you have an idea?

Are you sure that rsyslog is sending messages over TCP+TLS and not only plaintext TCP?

I ticked the box to allow input TLS in the graylog server.

Here is my configuration on the client:

$DefaultNetstreamDriverCertFile /home/admin/linux_ssl.cert.pem
#$DefaultNetstreamDriverKeyFile /home/admin/linux_ssl.pkcs8-plain.key
$ActionSendStreamDriver gtls # use the gtls (GnuTLS) netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode anon # peer is NOT authenticated

# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional

#*.* @@remote-host:514
*.* @@ip_graylog_server:5514

But is it possible to delete the last comment, because there is an IP address in your image? Please.

172.22.1.1 is a private IP address (see RFC 1918), so you’re safe. :wink:

That doesn’t help if rsyslog isn’t using TLS.

I won’t start debugging your rsyslog configuration, but are you sure that the “gtls” module is available on your system?

Thank you for the information.
I’m going to look for the gtls module.

When I run journalctl -x on the client, I get this output:

juil. 11 08:52:22 graylog-client rsyslogd[26654]: not permitted to talk to peer, certificate invalid: signer not found [v8.24.0]
juil. 11 08:52:22 graylog-client rsyslogd[26654]: invalid cert info: peer provided 1 certificate(s). Certificate 1 info: certificate valid from Mon Jul 10 10:56:54 2017 to Sat Jan 1 00:59:59 1000;
juil. 11 08:52:22 graylog-client rsyslogd[26654]: not permitted to talk to peer, certificate invalid: signer not found [v8.24.0]
juil. 11 08:52:22 graylog-client rsyslogd[26654]: invalid cert info: peer provided 1 certificate(s). Certificate 1 info: certificate valid from Mon Jul 10 10:56:54 2017 to Sat Jan 1 00:59:59 1000;
juil. 11 08:52:22 graylog-client rsyslogd[26654]: not permitted to talk to peer, certificate invalid: signer not found [v8.24.0]
juil. 11 08:52:22 graylog-client rsyslogd[26654]: invalid cert info: peer provided 1 certificate(s). Certificate 1 info: certificate valid from Mon Jul 10 10:56:54 2017 to Sat Jan 1 00:59:59 1000;
juil. 11 08:52:22 graylog-client rsyslogd[26654]: not permitted to talk to peer, certificate invalid: signer not found [v8.24.0]
juil. 11 08:52:22 graylog-client rsyslogd[26654]: invalid cert info: peer provided 1 certificate(s). Certificate 1 info: certificate valid from Mon Jul 10 10:56:54 2017 to Sat Jan 1 00:59:59 1000;

I tried to use the certificate for HTTPS (http://docs.graylog.org/en/2.4/pages/configuration/https.html).

Do I have to use another certificate?

Thanks for the information.

With your configuration, rsyslog has to be able to verify the certificate of the Syslog input in Graylog.
If you’re using a self-signed certificate or a custom CA, you have to add these to the local certificate trust store.

See RSyslog Documentation - rsyslog for details.

Additionally, it looks like the validity period of the certificate you’re using in Graylog is invalid (“Sat, Jan 1 00:59:59 1000”).
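As an added example (not code from this thread, from Graylog or from rsyslog), the following POSIX shell helper performs the two checks the answer above calls for before rsyslog is pointed at the Graylog Syslog TLS input: that the Graylog certificate chains to the CA the client is about to trust, and that its validity period has not already ended. It also writes an rsyslog drop-in that trusts that CA and verifies the peer by name instead of using AuthMode anon. It assumes the openssl CLI is installed; every path, peer name, address and port passed in is a placeholder, and the PKI built by make_demo_pki is constructed locally for demonstration only.

```shell
#!/bin/sh
# Added example, not code from the thread, Graylog or rsyslog.
# Client-side pre-flight for an rsyslog -> Graylog TCP+TLS input:
#   1. does the Graylog certificate chain to the CA we are about to trust?
#   2. is its validity period sane (not already expired)?
# plus a drop-in generator for the matching rsyslog client directives.
# Assumes the openssl CLI is installed. All paths, names and addresses
# passed in are placeholders; make_demo_pki builds constructed test material.
set -u

# verify_peer_cert CA_FILE SERVER_CERT
# Returns 0 only if SERVER_CERT is issued by CA_FILE and is not expired.
# The two failure modes map onto the gtls errors quoted in the thread:
# a wrong or missing CA ("signer not found") and a notAfter in the past
# (the "valid ... to Sat Jan 1 00:59:59 1000" certificate).
verify_peer_cert() {
    vpc_ca=$1
    vpc_cert=$2
    if ! openssl verify -CAfile "$vpc_ca" "$vpc_cert" >/dev/null 2>&1; then
        echo "chain check failed: $vpc_cert is not issued by $vpc_ca (rsyslog: signer not found)" >&2
        return 1
    fi
    # -checkend 0: non-zero exit if the certificate has already expired
    if ! openssl x509 -in "$vpc_cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "validity check failed: $(openssl x509 -in "$vpc_cert" -noout -enddate)" >&2
        return 2
    fi
    return 0
}

# write_rsyslog_tls_conf CA_FILE PEER_NAME HOST PORT OUT_FILE
# Writes an /etc/rsyslog.d/ drop-in in the legacy directive syntax used in
# the thread. Unlike AuthMode anon, x509/name verifies the Graylog
# certificate against CA_FILE and requires its name to match PEER_NAME.
write_rsyslog_tls_conf() {
    cat > "$5" <<EOF
# Forward all messages to Graylog over TCP+TLS (gtls netstream driver).
\$DefaultNetstreamDriverCAFile $1
\$DefaultNetstreamDriver gtls
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer $2
*.* @@$3:$4
EOF
}

# make_demo_pki DIR
# Constructed test material: a private CA, a Graylog input certificate
# signed by it, and an unrelated CA that reproduces "signer not found".
make_demo_pki() {
    mdp_dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Constructed Log CA" \
        -keyout "$mdp_dir/ca.key" -out "$mdp_dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=graylog.example.internal" \
        -keyout "$mdp_dir/server.key" -out "$mdp_dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$mdp_dir/server.csr" \
        -CA "$mdp_dir/ca.pem" -CAkey "$mdp_dir/ca.key" -CAcreateserial \
        -out "$mdp_dir/server.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Unrelated CA" \
        -keyout "$mdp_dir/rogue-ca.key" -out "$mdp_dir/rogue-ca.pem" 2>/dev/null
}

# Demo run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    verify_peer_cert "$d/ca.pem" "$d/server.pem" && echo "correct CA: OK"
    verify_peer_cert "$d/rogue-ca.pem" "$d/server.pem" || echo "unrelated CA: rejected, as expected"
    write_rsyslog_tls_conf "$d/ca.pem" graylog.example.internal 192.0.2.10 5514 "$d/60-graylog-tls.conf"
    cat "$d/60-graylog-tls.conf"
fi
```

In practice the CA file is the one that signed the certificate configured on the Graylog Syslog TCP input, fetched out of band from the Graylog host; running verify_peer_cert against it on the client reproduces the same trust decision rsyslog's gtls driver makes, without waiting for the journal to fill with "signer not found" retries.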

Thanks for the information.
