The steps outlined below will demonstrate how to securely transmit logs from the DMZ to an internal Graylog server. This method uses TLS to encrypt all communication and does not require any new inbound rules on the firewall. In my examples I will be using Windows based servers and clients.
- NXLog collects windows eventlogs from clients in the DMZ
- NXLog coverts log data to JSON
- NXLog sends log data to Logstash via encrypted TLS connection
- Logstash send data to RabbitMQ
- Graylog retrieves data from RabbitMQ
- Graylog extracts data from JSON
We will be using the following servers in this example:
- dmzserver - existing server you wish to collect logs from
- dmzlogserver - new server you will build to host Logstash and RabbitMQ in the DMZ
- graylogserver - existing Graylog server you wish to deliver the logs to
Minimum Hardware Requirements:
- 1 Ghz CPU
- 2 GB RAM
- 40 GB Drive
Standard Windows Server install.
This computer does not need to be joined to the domain.