Sending messages from one Graylog server to another Graylog server over the internet using GELF output (the messages should be encrypted)

Hello,

I want to send logs collected by one of my servers in the cloud to another Graylog server on the premises.
The output type should be GELF, with TCP+TLS as the protocol to encrypt the data.

Now the problem lies with the output config and the input config.
I haven’t found any specific documentation on how to set it up.

On the sending node, most probably I need to check the TLS verification box and after that I should specify the path to the certificate, but I don't know with what kind of parameters to create that certificate or which format it should be in.
On the receiving node, most probably I need to check the enable TLS box and the TLS client should be set to required, then in the TLS Client Auth Trusted Certs I should specify the path to the certificate (that is identical to the one on the sending node).

Please correct me if my idea is wrong, and please help with the creation of the TLS certificate regarding the parameters.

Thanks,
Marius.

Certificates

Right! That’s my kind of ball game :) Let me see what I can help you with…

  • When you’re building a TLS connection, the client side (the “output”) should be able to verify the server side’s (the “input”) certificate.
  • The server side will need a proper, valid certificate. Please don’t muck around on the Internet with self-signed certificates!
  • The server side’s certificate will be issued by a CA (certificate authority). This can be your company’s own CA, both to save on money and to provide an extra hurdle for a MitM attack.
  • The client side will need to have a “trust store”, which will tell it which CAs it can trust. In this case, that trust store will only contain the cert of the CA that issued the server’s certificate.
  • Yes, on the client side you must specify TLS validation.
  • For added security, you can also enable TLS validation on the server’s side. This means that the sending side will need a certificate of its own, which is also issued by a trusted CA.

The config that’s required outside of Graylog is something I’ve documented in the following thread:

OK sir, I’ll try it and let you know if it works.

Many thanks.
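The certificate layout described in the reply above (a private CA, a server certificate for the receiving input, a trust store holding only that CA, and an optional client certificate for the sending node), as an added example that is not from the original posts. The host names, file names, key sizes and lifetimes are assumptions.

```sh
#!/bin/sh
# Added example. graylog.example.org / sender.example.org are constructed names.
set -eu

# Extension profiles, one section per certificate role.
write_profiles() {   # $1 = config path, $2 = DNS name the sender connects to
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = replaced-by-subj
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}

# Issue a leaf from the CA. $1 = dir, $2 = profile (server|client), $3 = CN
issue_leaf() {
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/pki.cnf" \
    -extensions "$2" -out "$1/$2.crt" 2>/dev/null
}

make_pki() {   # $1 = output dir, $2 = hostname of the receiving input
  mkdir -p "$1"; write_profiles "$1/pki.cnf" "$2"
  # Private CA: ca.crt is the only trust anchor; ca.key stays off both nodes.
  openssl req -x509 -config "$1/pki.cnf" -extensions root -newkey rsa:3072 \
    -nodes -sha256 -days 1825 -subj "/CN=Example Logging CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  issue_leaf "$1" server "$2"                  # receiving input
  issue_leaf "$1" client "sender.example.org"  # sending output (client auth)
}

# Sender's check: chain to the CA, server purpose, hostname match.
verify_server() { openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
    -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1; }
# Receiver's check when client authentication is required.
verify_client() { openssl verify -CAfile "$1/ca.crt" -purpose sslclient \
    "$1/client.crt" >/dev/null 2>&1; }
if [ "$#" -gt 0 ]; then make_pki "$1" "${2:-graylog.example.org}"; fi
```

server.crt and server.key belong on the receiving input, ca.crt serves as the sender's trust store and as the input's TLS Client Auth Trusted Certs, and client.crt with client.key belong on the sending output. Graylog reads PEM certificates and PKCS#8 PEM private keys, which is what these commands write.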
