TLS for an Input

Hello,

I have a very simple Graylog config. I use Syslog TCP and get the logs from 3 other Debian VMs. All I did was create the input and edit the rsyslog.conf on the VMs. Now I want to use TLS.

NOTE: I just need this for some kind of university project and not practical use or personal interest. It really just has to work and not be pretty.

There is not a single good guide on how to implement TLS. I don't use Beats, APIs, sidecars or whatever these things are. I just created an input and already get log input. I created the cert file and key, but when I update the input, Graylog stops receiving logs.

I also added this to the bottom of my server.conf:

syslog_tcp_tls_enable = true
syslog_tcp_tls_client_auth_enabled = false
syslog_tcp_tls_key_file = /etc/graylog/server/ssl/private.key
syslog_tcp_tls_cert_file = /etc/graylog/server/ssl/graylog.p12
syslog_tcp_tls_key_password = ****

Hey @yardtheyard

Those keys also have to be on your remote device and match your Input certificates. As for rsyslog I'm not sure what configuration you need. Haven't used rsyslog in a while.

I’m going to give you an answer-non-answer.
I don’t know if Syslog supports TLS … maybe it does? But I think the far easier approach to this is to use Sidecars even for Linux.

For instance:
Set up a Beats Input similar to this:


Note that the TLS cert file and key file are for the Graylog Server NOT the endpoint.
Also note that - at least for my set up - the Graylog Server Cert and the Endpoint certs MUST be signed by the same Root CA/Intermediate CA.

Now, install Graylog Sidecar and Filebeat on the endpoint and make sure the following certs are on the endpoint:
Endpoint.pem
Endpoint.key
RootCA.crt

Here is my sidecar config in relevant part:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

filebeat.inputs:
- input_type: log
  paths:
    - /var/log/*.log
    - /var/log/syslog
    - /var/log/**/*log
  type: log
output.logstash:
   hosts: ["graylogsvr-0.<redacted>.local:6160"]
   # Filebeat's key is ssl.certificate_authorities; this is the Root CA that signed both certs
   ssl.certificate_authorities: '/etc/certs/<redacted>_ca.crt'
   ssl.certificate: '/etc/certs/pve.<redacted>.local.pem'
   ssl.key: '/etc/certs/pve.<redacted>.local.key'
path:
  data: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/data
  logs: ${sidecar.spoolDir!"/var/lib/graylog-sidecar/collectors/filebeat"}/log

Note that it doesn’t matter where you put the certs and keys on the endpoint just so long as you:
a) know the absolute path
b) have, at minimum, read permissions.

Additional steps I took that may or may not be necessary:

  1. the RootCA (*_ca.crt, above) must be trusted by both the Graylog Server and the endpoint. Different flavors of Linux have different methods of doing this so I’ll leave that to your personal google-foo.
  2. The RootCA MUST be trusted by the Java Key Store (or whatever it's called) on the Graylog Server. I forget the process for this but I believe it's covered in the Graylog docs.

Hope that helps!

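An added check script (my own example, not from either poster or from Graylog) for the two requirements the reply above spells out: the server cert and the endpoint cert must chain to the same Root CA, and the files an input is pointed at must be readable PEM X.509 material with a key that actually belongs to the cert. It assumes the openssl command line tool is installed; the lab CA and the names graylog.lab.local, endpoint.lab.local and other.lab.local are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: build a throwaway lab PKI, then run the checks you would run on the
# Graylog host (and on each endpoint) before enabling TLS on an input.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_lab_pki DIR: constructed lab PKI, demonstration only. One Root CA signs the
# graylog server cert and the endpoint cert; "other" is self-signed by a different CA.
make_lab_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
      -keyout "$d/RootCA.key" -out "$d/RootCA.crt" 2>/dev/null
  for name in graylog endpoint; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name.lab.local" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -CA "$d/RootCA.crt" -CAkey "$d/RootCA.key" \
        -CAcreateserial -days 30 -out "$d/$name.pem" 2>/dev/null
  done
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=other.lab.local" \
      -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# is_pem_x509 FILE: succeeds only for a PEM X.509 certificate (a .p12 bundle or a key fails)
is_pem_x509() {
  openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# chains_to_ca CA_FILE CERT_FILE: succeeds if CERT_FILE verifies against CA_FILE
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_input_tls CA CERT KEY: the combined check for one cert/key pair
check_input_tls() {
  ca="$1"; cert="$2"; key="$3"
  [ -r "$cert" ] && [ -r "$key" ] || { echo "cert or key not readable"; return 1; }
  is_pem_x509 "$cert" || { echo "$cert is not a PEM X.509 certificate"; return 1; }
  chains_to_ca "$ca" "$cert" || { echo "$cert does not chain to $ca"; return 1; }
  # the public key inside the cert must equal the public half of the key file
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] \
    || { echo "$key does not match $cert"; return 1; }
  echo "ok: $cert chains to $ca and matches $key"
}
```

Run `make_lab_pki "$WORK"` and then `check_input_tls "$WORK/RootCA.crt" "$WORK/graylog.pem" "$WORK/graylog.key"` to see a passing case; the same call with other.pem reports that it does not chain to the lab CA, which is the mismatch the reply warns about.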
