1. Describe your incident:
- I installed graylog 4.2 with a domain http://graylog.example.com
- I added GELF TCP input and started sending logs from kubernetes cluster via Fluent-bit.
- No issues. Worth mentioning here that I have purchased wildcard certificate and I use it on other websites without issues. This is not the case of using self signed certificates.
- I added crt and key files for the domain under /etc/ssl and enabled below options in /etc/graylog/server/server.conf:
http_bind_address = 0.0.0.0:9000
http_external_uri = https://graylog.example.com:9000/
http_enable_tls = true
http_tls_cert_file = /etc/ssl/cert.crt
http_tls_key_file = /etc/ssl/key.key
- After restarting graylog service I can now access http://graylog.example.com using https.
- At this point GELF TCP will not start, with those lines in the log /var/log/graylog-server/server.log:
2021-11-29T15:51:19.906Z ERROR [AuditLogger] Unable to write audit log entry because there is no valid license.
2021-11-29T15:51:19.906Z WARN [ProxiedResource] Unable to call https://xxx.xxx.xxx.xxx:9000/api/system/inputstates on node <xxxx-xxxx-xxxx-xxxx-xxxx>: Hostname xxx.xxx.xxx.xxx not verified:
certificate: sha256/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DN: CN=*.example.com
subjectAltNames: [*.example.com, example.com]
2021-11-29T15:51:20.407Z WARN [ProxiedResource] Unable to call https://xxx.xxx.xxx.xxx:9000/api/system/metrics/multiple on node <xxxx-xxxx-xxxx-xxxx-xxxx>: Hostname xxx.xxx.xxx.xxx not verified:
certificate: sha256/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
DN: CN=*.example.com
subjectAltNames: [*.example.com, example.com]
https://graylog.example.com works perfectly fine.
- When clicking on Start Input I get below message:
Input 'xxx' could not be started
Request to start input 'xxx' failed. Check your Graylog logs for more information.
- Weirdly the xxx input is not running, but I do see messages coming in.
2. Describe your environment:
- OS Information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.04
DISTRIB_CODENAME=focal
DISTRIB_DESCRIPTION="Ubuntu 20.04.3 LTS"
- Package Version: graylog-4.2-repository_latest.deb
- Service logs, configurations, and environment variables: Which?
3. What steps have you already taken to try and solve the problem?
Googled a lot.
4. How can the community help?
- What does this error mean?
- Any other options I need to specify in the config file?
My goals:
- Have graylog accessible with https. This is done.
- Fix the above issue.
- Have GELF TCP only be accessible with a TLS certificate. Can I use the same crt and key as I used for https?
More Logs:
curl -i 'https://xxx.xxx.xxx.xxx:9000/api/?pretty=true'
curl: (60) SSL: no alternative certificate subject name matches target host name 'xxx.xxx.xxx.xxx'
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
2021-11-29T17:11:50.233Z INFO [NetworkListener] Started listener bound to [0.0.0.0:9000]
2021-11-29T17:11:50.235Z INFO [HttpServer] [HttpServer] Started.
2021-11-29T17:11:50.236Z INFO [JerseyService] Started REST API at <0.0.0.0:9000>
2021-11-29T17:11:50.237Z INFO [ServerBootstrap] Services started, startup times in ms: {FailureHandlingService [RUNNING]=28, DevelopmentDirectoryObserverService [RUNNING]=44, GracefulShutdownService [RUNNING]=45, JobSchedulerService [RUNNING]=45, PrometheusExporter [RUNNING]=45, OutputSetupService [RUNNING]=45, BufferSynchronizerService [RUNNING]=46, UrlWhitelistService [RUNNING]=47, LocalKafkaMessageQueueReader [RUNNING]=47, LocalKafkaMessageQueueWriter [RUNNING]=47, LocalKafkaJournal [RUNNING]=48, InputSetupService [RUNNING]=53, ProcessingConfigurationManager [RUNNING]=55, MongoDBProcessingStatusRecorderService [RUNNING]=59, EtagService [RUNNING]=97, ConfigurationEtagService [RUNNING]=97, UserSessionTerminationService [RUNNING]=106, StreamCacheService [RUNNING]=220, PeriodicalsService [RUNNING]=261, LookupTableService [RUNNING]=414, JerseyService [RUNNING]=5808}
2021-11-29T17:11:50.246Z INFO [ServerBootstrap] Graylog server up and running.
2021-11-29T17:11:50.247Z ERROR [AuditLogger] Unable to write audit log entry because there is no valid license.
2021-11-29T17:11:50.249Z INFO [ServiceManagerListener] Services are healthy
2021-11-29T17:11:50.252Z INFO [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2021-11-29T17:11:50.314Z INFO [InputStateListener] Input [GELF TCP/xxxxxxxxxxxxxxx] is now STARTING
2021-11-29T17:11:50.321Z INFO [InputStateListener] Input [GELF TCP/xxxxxxxxxxxxxxx] is now STARTING
2021-11-29T17:11:50.458Z INFO [InputStateListener] Input [GELF TCP/xxxxxxxxxxxxxxx] is now RUNNING
2021-11-29T17:11:50.463Z INFO [InputStateListener] Input [GELF TCP/xxxxxxxxxxxxxxx] is now RUNNING
2021-11-29T17:11:50.493Z WARN [AbstractTcpTransport] receiveBufferSize (SO_RCVBUF) for input GELFTCPInput{title=xxxxxx, type=org.graylog2.inputs.gelf.tcp.GELFTCPInput, nodeId=12a89a38-ed6d-4424-b915-eeb69cd651d6} (channel [id: 0x36e8e642, L:/0:0:0:0:0:0:0:0%0:12201]) should be >= 1048576 but is 425984.
2021-11-29T17:11:50.493Z WARN [AbstractTcpTransport] receiveBufferSize (SO_RCVBUF) for input GELFTCPInput{title=xxxxxx, type=org.graylog2.inputs.gelf.tcp.GELFTCPInput, nodeId=null} (channel [id: 0x83dfb851, L:/0:0:0:0:0:0:0:0%0:12202]) should be >= 1048576 but is 425984.
2021-11-29T17:11:53.319Z WARN [ProxiedResource] Unable to call https://xxx.xxx.xxx.xxx:9000/api/system/metrics/multiple on node <12a89a38-ed6d-4424-b915-eeb69cd651d6>: Hostname xxx.xxx.xxx.xxx not verified:
certificate: sha256/xxxxxxxxxxxxxxxxxxxx
DN: CN=*.example.com
subjectAltNames: [*.example.com, example.com]
2021-11-29T17:11:53.358Z WARN [ProxiedResource] Unable to call https://xxx.xxx.xxx.xxx:9000/api/system/metrics/multiple on node <12a89a38-ed6d-4424-b915-eeb69cd651d6>: Hostname xxx.xxx.xxx.xxx not verified:
certificate: sha256/xxxxxxxxxxxxxxxxxxxx
DN: CN=*.example.com
subjectAltNames: [*.example.com, example.com]
2021-11-29T17:11:54.839Z WARN [ProxiedResource] Unable to call https://xxx.xxx.xxx.xxx:9000/api/system/metrics/multiple on node <12a89a38-ed6d-4424-b915-eeb69cd651d6>: Hostname xxx.xxx.xxx.xxx not verified:
certificate: sha256/xxxxxxxxxxxxxxxxxxxx
DN: CN=*.example.com
subjectAltNames: [*.example.com, example.com]
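The "Hostname xxx.xxx.xxx.xxx not verified" warnings above come from Graylog nodes calling each other over the inter-node (publish) URI, not over http_external_uri, which only the browser uses. When http_publish_uri is unset, that URI is derived from http_bind_address, and a wildcard bind of 0.0.0.0 is replaced by an interface IP address. A certificate whose subjectAltNames are only DNS names (*.example.com, example.com) can never verify against an IP literal, which is exactly what the curl output shows. The script below is an added example, not code from the original post or from Graylog; it models RFC 6125 DNS-ID matching and the publish-host derivation, and checks the posted server.conf against the same cert with and without an http_publish_uri. The config text, the SAN list and the node address 203.0.113.10 are constructed for the example, and the rule that a wildcard bind address is replaced by an interface address is an assumption about the default, standing in for whichever address the node would actually pick.

```python
"""Check whether the URI a Graylog node advertises to its peers will pass TLS
hostname verification against the node's own certificate.

Added example (not from the post or from Graylog). Assumptions: http_publish_uri
wins when set; otherwise the host comes from http_bind_address, and a wildcard
bind (0.0.0.0 / [::]) is replaced by an interface address supplied by the
caller. All inputs below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def parse_server_conf(text: str) -> dict:
    """Parse the `key = value` lines of a Graylog server.conf fragment."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def is_ip_literal(host: str) -> bool:
    """True for an IPv4/IPv6 literal such as 203.0.113.10 or [::1]."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dns_id_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN against a host name (RFC 6125 section 6.4.3 rules).

    A leading wildcard covers exactly one label: *.example.com matches
    graylog.example.com but neither example.com nor a.b.example.com.
    """
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:].split(".")
        labels = host.split(".")
        return (len(labels) == len(suffix) + 1
                and labels[0] != ""
                and labels[1:] == suffix)
    return pattern == host


def hostname_verified(dns_sans, host: str) -> bool:
    """True if a client verifying `host` would accept a cert carrying these
    dNSName SANs. An IP literal is only ever matched against iPAddress SANs,
    which the wildcard certificate in the post does not carry, so it fails."""
    if is_ip_literal(host):
        return False
    return any(dns_id_matches(p, host) for p in dns_sans)


def advertised_host(conf: dict, interface_ip: str) -> str:
    """Host the node puts into its inter-node URI (assumed defaulting rules)."""
    uri = conf.get("http_publish_uri")
    if uri:
        return urlsplit(uri).hostname
    bind_host = urlsplit("//" + conf.get("http_bind_address", "127.0.0.1:9000")).hostname
    if bind_host in ("0.0.0.0", "::"):
        return interface_ip  # wildcard bind: a real interface address is advertised
    return bind_host


def check_node(conf_text: str, dns_sans, interface_ip: str):
    """Return (advertised_host, verifies) for a server.conf fragment and cert SANs."""
    host = advertised_host(parse_server_conf(conf_text), interface_ip)
    return host, hostname_verified(dns_sans, host)


# Constructed inputs mirroring the post: a wildcard cert and the posted settings.
CERT_SANS = ["*.example.com", "example.com"]
NODE_IP = "203.0.113.10"  # constructed stand-in for xxx.xxx.xxx.xxx

POSTED_CONF = """
http_bind_address = 0.0.0.0:9000
http_external_uri = https://graylog.example.com:9000/
http_enable_tls = true
http_tls_cert_file = /etc/ssl/cert.crt
http_tls_key_file = /etc/ssl/key.key
"""

# Same settings plus an inter-node URI that carries a name the cert covers.
FIXED_CONF = POSTED_CONF + "http_publish_uri = https://graylog.example.com:9000/\n"

if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("with http_publish_uri", FIXED_CONF)):
        host, ok = check_node(conf, CERT_SANS, NODE_IP)
        print(f"{label:22} advertises {host:22} hostname verified: {ok}")
```

Running it shows the posted config advertising the IP address (verification fails, matching the ProxiedResource warnings) and the variant with http_publish_uri advertising graylog.example.com (verification passes). Two caveats when applying this: the name in http_publish_uri must resolve to that node from every other node in the cluster, and a wildcard only covers one label, so a per-node name like node1.graylog.example.com would not be covered by *.example.com. For the GELF TCP input, the same certificate and key can be used in the input's TLS settings; if the input rejects the key file, convert it to unencrypted PKCS#8 PEM with `openssl pkcs8 -topk8 -nocrypt -in key.key -out key.pkcs8.pem` and point the input at the converted file.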