Securing GELF messages over https

Hello,
Please forgive me in advance if this question seems ignorant, but i’m trying to secure logged messages to Graylog using https and cannot find if this is supported or not. We tried sitting graylog in front of an nginx server, but since the X-Forwareded-For header isn’t supported, the source IP would always be the localhost, so I wonder, is there any native way to do this? We are logging somewhat sensative information and would prefer not to send it to graylog in clear text, but can’t seem to figure out how this can be done.

There is a similar post here which links to a openresty / lua workaround for configuring the “host” header, but we would prefer not to do that if possibe - Gl2_remote_ip always 127.0.0.1 when using nginx reverse proxy

Bump? Any one have any thoughts on how we might secure logging being sent to graylog over HTTPS?

it is supported… check the documentation… specifically

http://docs.graylog.org/en/3.0/pages/configuration/https.html
and
http://docs.graylog.org/en/3.0/pages/secure/securing.html

We have configured both UI and REST to use HTTPS successully, but it doesn’t specify anything regarding securing traffic over port 12201.

If we try logging a test message using HTTPS it fails, and if we try with HTTP it still works:

The following fails:
curl -v -XPOST https://graylog.example.com:12201/gelf -d ‘{“facility” : “test”,“message” : “sent using https on port 12201”}’

  • About to connect() to graylog.example.com port 12201 (#0)
  • Trying x.x.x.x…
  • Connected to graylog.example.com (x.x.x.x) port 12201 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • CAfile: /etc/pki/tls/certs/ca-bundle.crt
    CApath: none
  • NSS error -5938 (PR_END_OF_FILE_ERROR)
  • Encountered end of file
  • Closing connection 0
    curl: (35) Encountered end of file

Whereas the same command using HTTP succeeds:

POST /gelf HTTP/1.1
User-Agent: curl/7.29.0
Host: graylog.example.com:12201
Accept: /
Content-Length: 92
Content-Type: application/x-www-form-urlencoded

  • upload completely sent off: 92 out of 92 bytes
    < HTTP/1.1 202 Accepted
    < Content-Length: 0
    < Connection: keep-alive
    <
  • Connection #0 to host graylog.example.com left intact

Any thoughts here? Looking at it now, it does appear that the HTTPS connection is being established but is failing to validate the certificate maybe? I’m not entirely sure tbh.

did you configure the input for HTTP GELF to use HTTPS?

Using openssl to check seems to to imply that no certificate is even being presented. So where have I gone wrong?

#> openssl s_client -connect graylog.example.com:12201 -msg

CONNECTED(00000003)

TLS 1.2 [length 0005]
16 03 01 01 40
TLS 1.2 Handshake [length 0140], ClientHello
01 00 01 3c 03 03 f9 8e 9b 76 60 44 8d 87 d1 95
18 1a 93 15 85 48 a7 9a 24 e5 7a df 7f ce 38 55
d2 a5 11 c8 be 8a 00 00 ac c0 30 c0 2c c0 28 c0
24 c0 14 c0 0a 00 a5 00 a3 00 a1 00 9f 00 6b 00
6a 00 69 00 68 00 39 00 38 00 37 00 36 00 88 00
87 00 86 00 85 c0 32 c0 2e c0 2a c0 26 c0 0f c0
05 00 9d 00 3d 00 35 00 84 c0 2f c0 2b c0 27 c0
23 c0 13 c0 09 00 a4 00 a2 00 a0 00 9e 00 67 00
40 00 3f 00 3e 00 33 00 32 00 31 00 30 00 9a 00
99 00 98 00 97 00 45 00 44 00 43 00 42 c0 31 c0
2d c0 29 c0 25 c0 0e c0 04 00 9c 00 3c 00 2f 00
96 00 41 c0 12 c0 08 00 16 00 13 00 10 00 0d c0
0d c0 03 00 0a 00 07 c0 11 c0 07 c0 0c c0 02 00
05 00 04 00 ff 01 00 00 67 00 00 00 20 00 1e 00
00 1b 67 72 61 79 6c 6f 67 71 61 2e 6d 6f 6e 61
64 2e 6d 6f 6e 65 72 69 73 2e 63 6f 6d 00 0b 00
04 03 00 01 02 00 0a 00 0a 00 08 00 17 00 19 00
18 00 16 00 23 00 00 00 0d 00 20 00 1e 06 01 06
02 06 03 05 01 05 02 05 03 04 01 04 02 04 03 03
01 03 02 03 03 02 01 02 02 02 03 00 0f 00 01 01
140540288694160:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:


no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 325 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1564412647
Timeout : 300 (sec)
Verify return code: 0 (ok)

Hi Jan,
Could you be a little more specific? What do you mean by configuring the HTTP GELF input to use HTTPS? Where and how can this be done? This seems to be the missing piece of the puzzle for me.

Did you created a GELF HTTP Input in System > Inputs in your Graylog UI? Or did you try to use a GELF TCP Input via HTTP?

There it is - sorry, you’ll have to ignore my ignorance, you’ve clarified what i was looking for. As you can probably tell, i’m not a graylog administrator - i didn’t even have access to modify or create inputs. I was able to get the necessary access and can see that we can enable TLS and provide the certificate path for this. I’ll create a new input and test this - thank you for your direction!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.