Securing graylog


(Nav) #1

Hi everyone,

I have a quick question: if I enable HTTPS for the Graylog web interface and REST API, would it secure the log data (by means of HTTPS/TLS) sent by clients to the server,
or
would it only secure the Graylog web front end?

Thanks,
Navdeep


(Jan Doberstein) #2

He,

When you add certificates for the web interface and API, this will only secure the communication of all nodes and your browser with Graylog.

Each input, or the internal cluster configuration (Elasticsearch, MongoDB), would need to be secured separately through its own configuration.


(Nav) #3

So the log data that is being sent by nodes won't be secured until the input is secured.

Thanks,

Navdeep


(Nav) #4

I am trying to configure HTTPS for the Graylog web interface.
I have followed pretty much all of the documentation on enabling HTTPS, and I am struggling with the following:

In order for the JVM to pick up the new trust store, it has to be started with the JVM parameter -Djavax.net.ssl.trustStore=/path/to/cacerts.jks

Where do I configure the settings above (path and filename)? Would it be the JVM settings under
/etc/sysconfig/graylog-server
and GRAYLOG_SERVER_JAVA_OPTS?

What would the syntax be?

And the same information for http://docs.graylog.org/en/2.3/pages/configuration/https.html#disabling-specific-tls-ciphers-and-algorithms

Where can I find the graylog.security file?


(Jan Doberstein) #5

where to configure the settings above, path and filename. would it be JVM settings under
/etc/sysconfig/graylog-server
and GRAYLOG_SERVER_JAVA_OPTS ?

If you use an RPM-based OS, yes - see http://docs.graylog.org/en/2.3/pages/configuration/file_location.html#rpm-package

How do you think this could be made clearer in the documentation? What is missing in your eyes?


(Nav) #6

Thanks Jan,
an example file would help those who don't have much Linux background.

Default Java options for heap and garbage collection.

GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -XX: -Djavax.net.ssl.trustStore=/path/to/cacerts.jks"

Does this look OK?

And where can I find the security.properties file?


(Jan Doberstein) #7

He,

That looks OK-ish - you just need to add your real path to the Java keystore …

If you jump to the latest/stable documentation, you get the example for the ciphers here:

http://docs.graylog.org/en/stable/pages/configuration/https.html#disable-ciphers-java

That should help.


(Nav) #8

Thanks Jan,
I will update the keystore.jks path.

For the ciphers, do I create a new file called security.properties with the cipher and protocol info as per the link, save it under /etc/graylog/server/, and restart the service or the server? Is that correct?


(Jan Doberstein) #9

You would also need to add -Djava.security.properties=/path/to/security.properties to your startup / Java arguments.


(Nav) #10

Hi Jan,

I have added -XX: -Djavax.net.ssl.trustStore=/etc/graylog/server/keystore.jks and restarted graylog-server; however, the graylog-server service is failing to start:


[root@graylog ~]# service graylog-server start
Starting graylog-server (via systemctl): [ OK ]
[root@graylog ~]# service graylog-server status
● graylog-server.service - Graylog server
Loaded: loaded (/usr/lib/systemd/system/graylog-server.service; enabled; vendor preset: disabled)
Active: activating (auto-restart) (Result: exit-code) since Tue 2018-08-28 02:31:38 EDT; 7s ago
Docs: http://docs.graylog.org/
Process: 6035 ExecStart=/usr/share/graylog-server/bin/graylog-server (code=exited, status=1/FAILURE)
Main PID: 6035 (code=exited, status=1/FAILURE)

Aug 28 02:31:38 graylog.domain.com systemd[1]: Unit graylog-server.service entered failed state.
Aug 28 02:31:38 graylog.domain.com systemd[1]: graylog-server.service failed.


(Jan Doberstein) #11

So what is your complete Java arguments line? What is the complete Graylog server.log when you try to start Graylog?


(Nav) #12

Java argument line:

Default Java options for heap and garbage collection.

GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -XX:-Djavax.net.ssl.trustStore=/etc/graylog/server/keystore.jks"

server.log doesn't log anything.
When I issue the command service graylog-server restart, the service stops but never restarts, and the logs only go up to the point when the service is terminated. When I try to start the service, nothing is logged.

2018-08-28T02:18:28.974-04:00 INFO [LogManager] Shutdown complete.
2018-08-28T02:18:28.995-04:00 INFO [NetworkListener] Stopped listener bound to [graylog.domain.com:9000]
2018-08-28T02:18:28.997-04:00 INFO [ServiceManagerListener] Services are now stopped.


(Jan Doberstein) #13

What if you remove the -XX: in front of -Djavax.net.ssl.trustStore=/etc/graylog/server/keystore.jks ?


(Nav) #14

That worked. I am able to start the Graylog server, and I also specified the security.properties file which disables the weak ciphers.

Thanks Jan.
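Because a malformed token in GRAYLOG_SERVER_JAVA_OPTS makes the JVM exit before Graylog ever opens server.log, a quick lint of the option string before restarting the service saves the guesswork seen in this thread. This is an added example, not Graylog's own tooling: the check_java_opts function is an assumed name, and it assumes the security.properties file from post #9 sets the standard Java property jdk.tls.disabledAlgorithms to disable ciphers and protocols.

```shell
#!/bin/sh
# Lint a GRAYLOG_SERVER_JAVA_OPTS value before restarting graylog-server.
# Constructed example for this thread; check_java_opts is an assumed name and
# not part of Graylog. A bare "-XX:" token, or "-XX:" glued onto a -D option,
# makes the JVM refuse to start before Graylog logs anything.

check_java_opts() {
    # $1: the option string from /etc/sysconfig/graylog-server
    rc=0
    for tok in $1; do
        case "$tok" in
            -XX:)
                echo "ERROR: empty -XX: option (JVM refuses to start): '$tok'"; rc=1 ;;
            -XX:[+-]*=*)
                echo "ERROR: boolean -XX:+/-Flag must not carry a value: '$tok'"; rc=1 ;;
            -XX:[+-][A-Za-z]*|-XX:[A-Za-z]*=*)
                ;;  # well-formed HotSpot flag
            -XX:*)
                echo "ERROR: malformed -XX: option: '$tok'"; rc=1 ;;
            -Djavax.net.ssl.trustStore=*)
                path=${tok#*=}
                [ -r "$path" ] || { echo "ERROR: trust store not readable: $path"; rc=1; } ;;
            -Djava.security.properties=*)
                path=${tok#*=}
                if [ ! -r "$path" ]; then
                    echo "ERROR: security properties file not readable: $path"; rc=1
                elif ! grep -q '^jdk.tls.disabledAlgorithms=' "$path"; then
                    # Without this key the file disables no ciphers or protocols.
                    echo "ERROR: $path does not set jdk.tls.disabledAlgorithms"; rc=1
                fi ;;
            -D*|-X*|-server|-client)
                ;;  # standard JVM option
            *)
                echo "ERROR: not a JVM option: '$tok'"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check_java_opts.sh "$GRAYLOG_SERVER_JAVA_OPTS"
if [ $# -gt 0 ]; then
    check_java_opts "$*" && echo "GRAYLOG_SERVER_JAVA_OPTS looks sane"
fi
```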


(Nav) #15

Another issue… though the service has started, I am getting the following error with the self-signed cert in the Firefox browser.

Secure connection failed.
An error occurred during a connection to graylog.domain.com:9000. SSL received a malformed Handshake record. Error code: SSL_ERROR_RX_MALFORMED_HANDSHAKE

I have tried with IE and Chrome, all the latest versions, and they all report a similar error.


(Jan Doberstein) #16

Did you add the self-signed certificate to your browser?

Did you check whether https://github.com/graylog-labs/shadowCA might help you?


(Nav) #17

Usually the cert would show up as untrusted and, at times, I add it to the local certificate store, but in this case the site isn't loading at all.

I will try ShadowCA and let you know how it goes.


(Nav) #18

Hi Jan,

I managed to fix the SSL error. I used a self-signed CA cert created with this command

keytool -genkey -alias dns.name.of.server -keyalg RSA -validity 365 -keystore keystore.jks

followed by the rest of the Graylog "enabling HTTPS" documentation.

Thanks for all your help in getting this issue fixed.


(system) #19

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.