Hi,
I’ve tried to secure an input with TLS, but I still get an error:
2024-12-19T10:15:02.137+01:00 ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/SYSLOG IN TCP/675c2639fd79c51de84f7153] (channel [id: 0xc7db35f0, L:/192.168.1.10:5140 ! R:/192.168.1.12:51066]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem)
What have I done:
- We have our own PKI working
- Generated a certificate and key for server and client, signed with the same CA
- Set up HTTPS with an Apache proxy for access to the Graylog server → works
- Set up an input to use TLS:
* allow_override_date: true
* bind_address: 0.0.0.0
* charset_name: UTF-8
* expand_structured_data: false
* force_rdns: false
* max_message_size: 2097152
* number_worker_threads: 4
* override_source: *<empty>*
* port: 5140
* recv_buffer_size: 1048576
* store_full_message: false
* tcp_keepalive: false
* timezone: NotSet
* tls_cert_file: /etc/ssl/certs/meddv-log001.mdv.local.crt
* tls_client_auth: disabled
* tls_client_auth_cert_file: /etc/ssl/certs/meddv_internal_root_certification_authory.pem
* tls_enable: true
* tls_key_file: /etc/ssl/private/meddv-log001.mdv.local.key
* tls_key_password: ********
* use_null_delimiter: false
It works so far with the following rsyslog settings:
root@meddv-cmdb:~# cat /etc/rsyslog.d/tls.conf
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/ssl/certs/meddv_internal_root_certification_authority.pem
$DefaultNetstreamDriverCertFile /etc/ssl/certs/meddv-cmdb.mdv.local_fullchain.crt
$DefaultNetstreamDriverKeyFile /etc/ssl/private/meddv-cmdb.mdv.local.pem
#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
#$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
#$ActionSendStreamDriverAuthMode anon
root@meddv-cmdb:~# cat /etc/rsyslog.d/meddv-log001.conf
#*.* @@meddv-log001.mdv.local:5140;RSYSLOG_SyslogProtocol23Format
*.* action(
type="omfwd"
target="meddv-log001.mdv.local"
port="5140"
protocol="tcp"
KeepAlive="on"
KeepAlive.Interval="30"
StreamDriver="gtls"
StreamDriverMode="1"
StreamDriverAuthMode="x509/name"
ResendLastMSGOnReconnect="on"
queue.filename="fwdRule1" # unique name prefix for spool files
queue.type="LinkedList"
queue.maxDiskSpace="256m"
queue.saveOnShutdown="on"
action.resumeRetryCount="-1"
action.resumeInterval="30"
)
- I imported the CA into a new keystore:
/usr/share/graylog-server/jvm/bin/keytool -importcert -keystore /etc/graylog/server/keystore.jks -storepass changeit -alias cachain -file /etc/ssl/certs/meddv_internal_root_certification_authory.pem
- I added the following to /etc/default/graylog-server:
GRAYLOG_SERVER_JAVA_OPTS="-Xms1g -Xmx1g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/graylog/server/keystore.jks -Djavax.net.ssl.trustStorePassword=changeit"
Without the password I got another error.
- I enabled the client auth:
* tls_client_auth: required
Then, after an rsyslog restart, I got the error above in the Graylog logfile…
I think I’m near a solution but don’t see it…
Many thanks for help!
Gregor
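The three trust relationships a setup like the one in this post depends on can be checked offline with the openssl CLI before touching the Graylog input: the client certificate must chain to the CA given in tls_client_auth_cert_file, the server certificate must chain to the CA rsyslog is configured with, and under StreamDriverAuthMode="x509/name" the server certificate's SAN must cover the name rsyslog connects to. The script below is an added example, not code from the post or from the Graylog or rsyslog projects. It builds a throwaway PKI in a temporary directory (host names such as log001.example.test and cmdb.example.test are constructed stand-ins for the poster's hosts) and includes a client certificate from an unrelated CA to show the negative case that results in a rejected handshake. It assumes an openssl binary (1.1 or newer, for -checkhost) on the PATH.

```shell
#!/bin/sh
# Added example (not from the post or from Graylog/rsyslog): build a throwaway
# PKI and check the trust relationships a mutual-TLS syslog setup needs:
#   1. the client cert chains to the CA the server is told to trust,
#   2. the server cert chains to the CA the client is told to trust,
#   3. the server cert's SAN matches the host the client connects to
#      (rsyslog's StreamDriverAuthMode="x509/name" enforces this).
# All names below are constructed stand-ins, not the poster's real hosts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_ca PREFIX CN : self-signed throwaway CA (one day validity)
gen_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_cert CA NAME : leaf cert for NAME signed by CA, with NAME as a DNS SAN
issue_cert() {
    printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$2.ext"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
        -out "$WORK/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
        -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# chains_to CA NAME : succeeds if NAME.crt verifies against CA.pem
# (this is what a server with client auth "required" does with the client cert,
# and what rsyslog's gtls driver does with the server cert)
chains_to() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.crt" >/dev/null 2>&1
}

# name_matches NAME HOST : succeeds if NAME.crt's SAN covers HOST
# (the check rsyslog performs in x509/name mode against the "target" it dials)
name_matches() {
    openssl x509 -noout -in "$WORK/$1.crt" -checkhost "$2" 2>/dev/null \
        | grep -q 'does match'
}

gen_ca internal_ca "Internal Root CA"        # the organisation's own CA
gen_ca other_ca    "Some Other CA"           # unrelated CA for the negative case
issue_cert internal_ca log001.example.test   # Graylog server certificate
issue_cert internal_ca cmdb.example.test     # rsyslog client certificate, right CA
issue_cert other_ca   stray.example.test     # client certificate from the wrong CA

# report CMD ARGS... : print OK/FAIL without aborting under set -e
report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }

report chains_to internal_ca log001.example.test
report chains_to internal_ca cmdb.example.test
report chains_to internal_ca stray.example.test        # FAIL: server would reject this client
report name_matches log001.example.test log001.example.test
report name_matches log001.example.test log002.example.test   # FAIL under x509/name
```

Running the same two checks against the real files (the CA passed to tls_client_auth_cert_file versus the client certificate rsyslog sends, and the rsyslog $DefaultNetstreamDriverCAFile versus the Graylog input's tls_cert_file) separates a trust-chain problem from a name-matching problem before the handshake error in the Graylog log has to be interpreted.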