Secure log collection from DMZ

dscryber · March 24, 2022, 8:32pm

Secure log collection from DMZ

The steps outlined below will demonstrate how to securely transmit logs from the DMZ to an internal Graylog server. This method uses TLS to encrypt all communication and does not require any new inbound rules on the firewall. In my examples I will be using Windows based servers and clients.

Dataflow

NXLog collects windows eventlogs from clients in the DMZ
NXLog coverts log data to JSON
NXLog sends log data to Logstash via encrypted TLS connection
Logstash send data to RabbitMQ
Graylog retrieves data from RabbitMQ
Graylog extracts data from JSON

We will be using the following servers in this example:

dmzserver - existing server you wish to collect logs from
dmzlogserver - new server you will build to host Logstash and RabbitMQ in the DMZ
graylogserver - existing Graylog server you wish to deliver the logs to

Build new windows log server

Minimum Hardware Requirements:

1 Ghz CPU
2 GB RAM
40 GB Drive

Standard Windows Server install.

This computer does not need to be joined to the domain.

Topic		Replies	Views
Syslog Input Problem with other Clients and Questions Graylog Central (peer support)	2	268	January 25, 2021
Issue receive data from NXlog on TCP Graylog Central (peer support) sidecar , nxlog , winlogbeat , nodatanx	3	3733	May 3, 2018
Graylog 2 Relay/Proxy Graylog Central (peer support)	7	2088	May 20, 2017
best way to set up to stream logs securely from multiple networks to a single graylog server? Graylog Central (peer support)	3	571	June 28, 2022
Sending syslog via AMQP into Graylog Other Solutions other_solutions	0	806	March 24, 2022

Secure log collection from DMZ

Secure log collection from DMZ

Secure log collection from DMZ

Dataflow

Build new windows log server

Related Topics