Secure log collection from DMZ

Secure log collection from DMZ


View on Github
Open Issues

Secure log collection from DMZ

The steps outlined below will demonstrate how to securely transmit logs from the DMZ to an internal Graylog server. This method uses TLS to encrypt all communication and does not require any new inbound rules on the firewall. In my examples I will be using Windows based servers and clients.


  • NXLog collects windows eventlogs from clients in the DMZ
  • NXLog coverts log data to JSON
  • NXLog sends log data to Logstash via encrypted TLS connection
  • Logstash send data to RabbitMQ
  • Graylog retrieves data from RabbitMQ
  • Graylog extracts data from JSON

We will be using the following servers in this example:

  • dmzserver - existing server you wish to collect logs from
  • dmzlogserver - new server you will build to host Logstash and RabbitMQ in the DMZ
  • graylogserver - existing Graylog server you wish to deliver the logs to

Build new windows log server

Minimum Hardware Requirements:

  • 1 Ghz CPU
  • 2 GB RAM
  • 40 GB Drive

Standard Windows Server install.

This computer does not need to be joined to the domain.