Syslog TCP SSL input with NGINX reverse proxy

Hi

I would like to check my config with you, because I am not sure about the different options.

I have :

  • a Syslog input with TLS disabled
  • a NGINX reverse proxy
  • a linux server with rsyslog

Everything seems to work fine, but when I first tried, some logs were not received by Graylog. After deactivating and reactivating the option ssl_session_cache in NGINX, all the logs are in Graylog. So I am asking if my reverse proxy is good.

Here are my configs for NGINX and the syslog client.
NGINX reverse proxy 10.10.10.1
Graylog nodes 10.10.10.2 10.10.10.3

NGINX

# TLS-terminating TCP proxy: proxy_pass inside server {} without a location
# is a stream-module directive, so this sits at the top level of nginx.conf
# in a stream {} block, not inside http {}.
stream {
    upstream linux_servers {
        server 10.10.10.2:10516;
        server 10.10.10.3:10516;
    }

    server {
        listen 10.10.10.1:10516 ssl;

        # plaintext TCP to the Graylog nodes (their input has tls_enable: false)
        proxy_pass linux_servers;

        ssl_certificate       /etc/nginx/ssl/nginx_crt.pem;
        ssl_certificate_key   /etc/nginx/ssl/nginx_key.pem;
        ssl_protocols         TLSv1.1 TLSv1.2 TLSv1.3;   # TLSv1.1 is deprecated (RFC 8996)
        ssl_ciphers           HIGH:!aNULL:!MD5;
        ssl_session_cache     shared:SSL:20m;
        # ssl_session_cache     off;
        ssl_session_timeout   4h;
        ssl_handshake_timeout 30s;
    }
}

GRAYLOG Input

allow_override_date: true
bind_address: 0.0.0.0
charset_name: UTF-8
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
number_worker_threads: 16
override_source: <empty>
port: 10516
recv_buffer_size: 1048576
store_full_message: true
tcp_keepalive: false
timezone: Europe/Paris
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password: ********
use_null_delimiter: false

RSYSLOG client
/etc/rsyslog.d/70-graylog.conf

## GTLS driver
$DefaultNetstreamDriver gtls
# Certificates
$DefaultNetstreamDriverCAFile /etc/ssl/certs/ChainedCA.pem
$DefaultNetstreamDriverCertFile /etc/ssl/rsyslog/wildcard_cert.pem
$DefaultNetstreamDriverKeyFile /etc/ssl/rsyslog/wildcard_key.pem

$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.domain
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode

*.*          @@172.16.5.35:10516;RSYSLOG_SyslogProtocol23Format

  • OS Information: Debian 11
  • Package Version: 5.2.2

Have I missed something important to improve performance and reliability?

Thanks
Marc
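To check the path described above end to end, here is an added probe (not part of the original post, not rsyslog or Graylog code): it builds one RFC 5424 line the way RSYSLOG_SyslogProtocol23Format does and sends it either TLS-wrapped to the proxy, verifying the certificate against a CA file and the server name like rsyslog's x509/name mode, or in plaintext straight to a Graylog node. Host, port, CA file and server name are command-line assumptions; the MSGID it prints is what you search for in Graylog.

```python
#!/usr/bin/env python3
"""Probe for the rsyslog -> NGINX (TLS) -> Graylog syslog TCP path."""
import socket
import ssl
import sys
import uuid
from datetime import datetime, timezone


def build_rfc5424(hostname, app, msg, facility=1, severity=6, msgid=None, ts=None):
    """One LF-framed RFC 5424 line, as RSYSLOG_SyslogProtocol23Format produces it.
    LF framing is what a Graylog input with use_null_delimiter: false expects."""
    msgid = msgid or uuid.uuid4().hex[:12]   # unique tag to search for in Graylog
    pri = facility * 8 + severity           # user.info -> <14>
    ts = ts or datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    # PROCID and STRUCTURED-DATA are sent as NILVALUE ("-")
    return f"<{pri}>1 {ts} {hostname} {app} - {msgid} - {msg}\n".encode("utf-8"), msgid


def tls_context(cafile=None):
    """Client context mirroring rsyslog's x509/name mode: the proxy certificate must
    chain to cafile and its SAN must match the requested server name (wildcards ok)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # TLSv1.1 in the proxy config is deprecated
    return ctx


def send_probe(host, port, line, cafile=None, server_name=None, timeout=10):
    """Send one framed line; returns the negotiated TLS version, or None for plaintext."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if cafile:  # TLS to the proxy; handshake happens inside wrap_socket
        sock = tls_context(cafile).wrap_socket(sock, server_hostname=server_name or host)
    with sock:
        sock.sendall(line)
        return sock.version() if cafile else None


if __name__ == "__main__":
    # usage: probe.py HOST PORT [CA_FILE [SERVER_NAME]]; omit CA_FILE for plaintext
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    sni = sys.argv[4] if len(sys.argv) > 4 else None
    line, msgid = build_rfc5424(socket.gethostname(), "graylog-probe", "tls path check")
    ver = send_probe(host, port, line, cafile, sni)
    print(f"sent via {ver or 'plaintext'}; search Graylog for msgid {msgid}")
```

Run it once against 10.10.10.1:10516 with the CA file and once against a node on 10516 without it; if only the plaintext message shows up in Graylog, the problem is in the proxy's TLS layer rather than in the input.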

@sinjiku

What type of input are you using? It looks like you're using a TCP connection.

Hi

Yes, it's a Syslog TCP input.

Did you try tcpdump on the Graylog server to see if you can see the remote client?


You are sending syslog TCP through the Nginx proxy using certificates for port 10516 with listen 10.10.10.1:10516 ssl; this would be TCP/TLS.
If this is correct then the INPUT should reflect those certs, I do believe. Troubleshooting would be to disable your SSL and try it with just

listen 10.10.10.1:10516;

Also, one of our community members posted this,
