Securing Communication Between Sidecar and Graylog

I have a couple of questions regarding securing communication between Sidecars and Graylog, if someone has a moment. I ran into an issue with the documentation and am looking for clarification and a possible workaround.

Background on my environment. I have one Graylog node that has been configured for SSL/TLS using a self-signed certificate (configured for HTTPS when accessing the web interface). As of now, I only have a Sidecar installed and configured on one client (a Windows DC).

The documentation says specifically “The Communication between Sidecar and Graylog will be secured if your API uses SSL”. The section following that details how to secure communication between the Collector and Graylog. Does this mean that if you have configured your Graylog server for encryption, in terms of accessing the web interface and API, that the traffic between the Sidecar(client) and Graylog will automatically be encrypted?

Second question/issue is with the following instructions in the documentation:
To secure the communication between the Collector and Graylog you just need to mark Enable TLS in your Beats Input. Without giving additional Information, Graylog will now create a self-signed certificate for this Input. Now in the Sidecar Beats Output Configuration you just mark Enable TLS Support and Insecure TLS connection. After this is saved, the communication between Beats and Graylog will use TLS.

I have attempted to make these changes in my configuration. I checked “Enable TLS” in my Beats Input’s config and did not enter any further information. However, I was unable to find any section or configuration file that covers “Sidecar Beats Output Configuration” to “Enable TLS Support” or check “Insecure TLS connection”. Looking through previous posts in the forum, others have encountered this issue as well, and the general response has been “Yeah, the documentation is referring to config for an older version”. That’s been about it. I haven’t been able to find any further information about this topic. When I check “Enable TLS” in my Beats Input, my sidecar is no longer able to communicate with Graylog, leading me to conclude that I’m missing configuration somewhere else that’s required. I have been unable to find information on the process I need to follow to complete secure setup.

In summary, I’m trying to get as simple and compact a configuration as I can. I’ve used a self-signed cert to configure my Graylog node with SSL/TLS, and would like to secure communication between Sidecars and Graylog, preferably without the need to create any further certificates. Trying to get more information that isn’t covered in documentation.

Any help or suggestions are greatly appreciated. Thanks!

If you have configured your Graylog API (web interface) for HTTPS access, then Sidecar will connect via that if you set the settings below in your sidecar.yml file:

server_url: "https://your-graylog-server-URL:9000/api/"
tls_skip_verify: true  # (assuming you are using a self-signed cert)

If you want to set “tls_skip_verify: false”, and assuming you are using a self-signed cert, in Windows you will need to add your CA cert to the Windows trusted CA store.

In Linux (Ubuntu at least) it never seems to connect even if you add the CA to the trusted CA store, so you would probably have to use “tls_skip_verify: true”.

As for your Beats log traffic over TLS (again assuming you are using self-signed certs), you need to specify the location of your certificates in both your Beats input configuration and your Beats collector yml file.

Beats input in Graylog - example (obviously change the locations to suit your setup; note the certs must be PEM format in my experience):

CERT: /etc/graylog/server/cert/company.local/cert.pem

KEY: /etc/graylog/server/cert/company.local/key.pem

Set “TLS enabled”

Set “Authentication required” (if you want the sidecar client to authenticate with the server)

CA KEY (if you want the sidecar client to authenticate with the server): /etc/graylog/server/cert/CA/companyCA.pem

You need to add the CA cert to the Java keystore on your Graylog server with a command like the one below:

sudo keytool -import -trustcacerts -file /etc/graylog/server/cert/CA/companyCA.pem -alias companyCA -keystore /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts -storepass changeit

Note that if you have changed your Java keystore password, insert that instead of “changeit” at the end.

Beats Collector example – change the cert locations to suit your setup (note you do not have to put https in the URL):

output.logstash.hosts: ["your-graylog-server-URL:your-graylog-input-port-number"]
output.logstash.ssl.certificate_authorities: 'C:/Program Files/Graylog/sidecar/Certs/companyCA.pem'
output.logstash.ssl.certificate: 'C:/Program Files/Graylog/sidecar/Certs/company.local.crt'
output.logstash.ssl.key: 'C:/Program Files/Graylog/sidecar/Certs/company.local.key'
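The reply above describes two separate hops, each with its own settings: Sidecar to the Graylog API (server_url, tls_skip_verify) and Beats to the Graylog input (output.logstash.hosts and the ssl.* keys). The following is an added example, not part of the reply and not Graylog or Sidecar code: a small Python checker that reads both configuration fragments and reports the things that most often go wrong when following those steps, namely a plaintext API URL, certificate verification switched off, stray spaces or a scheme inside the hosts entry, a client certificate without its key, and certificate files that are not PEM. It understands only the keys used in the reply; the sample configurations, the certificate-like file contents and the helper names (parse_flat_yaml, lint_sidecar, lint_beats_output, demo) are constructed for this example.

```python
"""Lint the TLS settings of a Graylog Sidecar sidecar.yml and a Beats collector
output block. Added example: not Graylog/Sidecar code. It understands only the
keys used in the reply above; the sample configurations, the PEM-looking file
contents and the helper names are constructed for this example."""
import re
import tempfile
from pathlib import Path

# Straight and curly quotes; curly ones are what copy/paste from a forum leaves
# behind, and YAML treats them as part of the value.
QUOTES = "'\"\u2018\u2019\u201c\u201d"


def parse_flat_yaml(text: str) -> dict:
    """Read flat 'key: value' lines (no nesting, no PyYAML dependency)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)  # first colon separates key from value
        settings[key.strip()] = value.strip().strip(QUOTES)
    return settings


def lint_sidecar(text: str) -> list:
    """Sidecar -> Graylog API: must be HTTPS and the certificate must be verified."""
    s = parse_flat_yaml(text)
    findings = []
    if not s.get("server_url", "").startswith("https://"):
        findings.append("server_url: not https, the API token and fetched configs travel in clear text")
    if s.get("tls_skip_verify", "false").lower() == "true":
        findings.append("tls_skip_verify: true accepts any certificate; import the CA into the trust store and set false")
    return findings


# Expected PEM header per Beats ssl.* key; a DER or PFX file fails this check.
PEM_HEADERS = {
    "output.logstash.ssl.certificate_authorities": "-----BEGIN CERTIFICATE-----",
    "output.logstash.ssl.certificate": "-----BEGIN CERTIFICATE-----",
    "output.logstash.ssl.key": "-----BEGIN ",  # RSA, EC or PKCS#8 private key
}


def lint_beats_output(text: str) -> list:
    """Beats -> Graylog input: host syntax, CA pinning, cert/key pairing, PEM files."""
    s = parse_flat_yaml(text)
    findings = []
    for host in s.get("output.logstash.hosts", "").strip("[]").split(","):
        host = host.strip().strip(QUOTES)
        if host.startswith("http"):
            findings.append(f"hosts: {host!r} carries a URL scheme; Beats expects host:port")
        elif not re.fullmatch(r"[A-Za-z0-9.\-]+:\d+", host):
            findings.append(f"hosts: {host!r} is not host:port (stray spaces?)")
    if "output.logstash.ssl.certificate_authorities" not in s:
        findings.append("ssl.certificate_authorities missing: the input's certificate cannot be verified")
    if ("output.logstash.ssl.certificate" in s) != ("output.logstash.ssl.key" in s):
        findings.append("ssl.certificate and ssl.key must be set together for client authentication")
    for key, header in PEM_HEADERS.items():
        if key not in s:
            continue
        path = Path(s[key])
        if not path.is_file():
            findings.append(f"{key}: {path} not found")
        elif not path.read_text(errors="replace").lstrip().startswith(header):
            findings.append(f"{key}: {path} is not PEM")
    return findings


# Constructed sample configurations: the weak setup beside the hardened one.
WEAK_SIDECAR = 'server_url: "http://graylog.example.local:9000/api/"\ntls_skip_verify: true\n'
GOOD_SIDECAR = 'server_url: "https://graylog.example.local:9000/api/"\ntls_skip_verify: false\n'


def demo() -> dict:
    """Write constructed certificate-like files and lint both variants of each config."""
    with tempfile.TemporaryDirectory() as d:
        ca = Path(d, "companyCA.pem")
        ca.write_text("-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n")
        crt = Path(d, "company.local.crt")
        crt.write_text("-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n")
        key = Path(d, "company.local.key")
        key.write_text("-----BEGIN PRIVATE KEY-----\nMIIEconstructed\n-----END PRIVATE KEY-----\n")
        der = Path(d, "companyCA.der")
        der.write_bytes(b"\x30\x82\x01\x0a")  # DER starts with an ASN.1 SEQUENCE tag, not a PEM header
        weak_beats = (f'output.logstash.hosts: [" graylog.example.local : 5044 "]\n'
                      f'output.logstash.ssl.certificate_authorities: "{der}"\n'
                      f'output.logstash.ssl.certificate: "{crt}"\n')
        good_beats = (f'output.logstash.hosts: ["graylog.example.local:5044"]\n'
                      f'output.logstash.ssl.certificate_authorities: "{ca}"\n'
                      f'output.logstash.ssl.certificate: "{crt}"\n'
                      f'output.logstash.ssl.key: "{key}"\n')
        return {
            "weak_sidecar": lint_sidecar(WEAK_SIDECAR),
            "good_sidecar": lint_sidecar(GOOD_SIDECAR),
            "weak_beats": lint_beats_output(weak_beats),
            "good_beats": lint_beats_output(good_beats),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "no findings")
```

Run it as-is to see the weak variants produce findings and the hardened ones none; to check a real deployment, pass the contents of sidecar.yml and the Beats output section to lint_sidecar and lint_beats_output on the host where the certificate files live, since the PEM check reads the files at the configured paths.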
