Using Syslog with TLS

Hi,

I didn’t like sending clear-text syslog messages over the Internet. I’m using several Synology NAS to send syslog data to a Graylog server.
Collecting is working fine but I would like to encrypt with the use of TLS.

My syslog server uses a Let’s Encrypt certificate for its reverse proxy; can I use it for syslog?

Let’s Encrypt gives me two files: fullchain.pem and privkey.pem. I’ve tried putting them in the Inputs configuration with no luck. Then I split fullchain to have the CA and cert separately, but still no luck.

My question: is it possible, or is it better to use a self-signed certificate?

I will also check with Synology to see what to put in terms of format in the “certificate” field.

Thank you!

This is for any Graylog Moderator: it seems quite a few smart people are struggling to implement SSL on the Web Interface and TLS on an Input.

Two other threads:

This seems to be too difficult. I understand that we’re all probably using the Free version and that if we got support we’d have it up and running. But still… :slight_smile:

Thank you, Zach.

Hi there,

It’s a bit hard for folks in the community to help troubleshoot in the absence of a lot of information. If your LE cert isn’t a wildcard cert, then you won’t be able to use it for Graylog. LE does issue wildcard certs, which you can get using something like this:

sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /Users/yourname/.secrets/certbot/cloudflare.ini \
-d "*.example.com"

That said, things like log messages, screenshots of the UI, and configuration snippets generally go a long way to helping identify the problem, or at the very least narrow down the issue.

To your point @dickinsonzach, TLS/PKI is hard; while folks struggle with it, there are folks who are also able to implement it successfully, both using our open source/free version, and the enterprise. So I wouldn’t say that paying for support is required to get SSL up and running. Heck, I’m on our support team and find working with TLS to be a bit of a challenge myself.

That said, here are a couple of other things. With regard to using a TLS syslog input to ingest Synology syslog logs, it appears that Synology won’t send syslog logs over TLS (see the thread “Sending logs from Synology to Graylog over TLS = "TLSV1_ALERT_UNKNOWN_CA" - #12 by SoMoney”).

The other thing is that I can 100% confirm that I’m able to get syslog messages into Graylog via a TLS input:

Syslog Input Configuration:

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
number_worker_threads: 4
override_source: <empty>
port: 1515
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file: /etc/graylog/ssl/fullchain.pem
tls_client_auth: optional
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /etc/graylog/ssl/privkey.pem
tls_key_password: ********
use_null_delimiter: false

Rsyslog client config:

$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/letsencrypt_ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/fullchain.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/privkey.pem
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode anon
*.* @@logs.example.com:1515

Screenshot of TLS Syslog Input & logs

Since I don’t have a Synology NAS that I can readily try and reproduce this in, you might try out some of the steps in the other entry that I linked @Kptainflintt and see if you can get any further.

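As an added example (not code from the thread, from Graylog or from rsyslog): a stdlib-only Python client that frames RFC 5424 messages with RFC 6587 octet counting, which is what a TCP/TLS input with use_null_delimiter: false expects and what rsyslog’s @@ forwarding sends, and delivers them to the TLS input while verifying the server’s certificate chain and hostname against a CA file instead of rsyslog’s anon auth mode. The receiving-side splitter is included so the framing can be checked offline; the host names, port and CA path are assumptions.

```python
import datetime
import socket
import ssl
from typing import List, Optional


def build_syslog_frame(host: str, app: str, msg: str, facility: int = 1,
                       severity: int = 6, now: Optional[datetime.datetime] = None) -> bytes:
    """Build one RFC 5424 message with RFC 6587 octet-counting framing
    ("<len> <msg>"): no NUL delimiter, the length prefix marks the boundary."""
    pri = facility * 8 + severity                      # user.info -> <14>
    ts = now or datetime.datetime.now(datetime.timezone.utc)
    ts_text = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    body = f"<{pri}>1 {ts_text} {host} {app} - - - {msg}".encode("utf-8")
    return f"{len(body)} ".encode("ascii") + body


def split_octet_counted(stream: bytes) -> List[bytes]:
    """Receiver side: split a stream of octet-counted frames into messages.
    A malformed or truncated frame raises instead of guessing at boundaries."""
    msgs = []
    while stream:
        head, sep, rest = stream.partition(b" ")
        if not sep or not head.isdigit():
            raise ValueError("malformed octet-count header")
        n = int(head)
        if len(rest) < n:
            raise ValueError("truncated frame")
        msgs.append(rest[:n])
        stream = rest[n:]
    return msgs


def send_over_tls(server: str, port: int, frames: List[bytes], ca_file: str) -> str:
    """Send frames to the TLS syslog input. ca_file must hold a trust anchor
    for the server's chain (for a Let's Encrypt cert the system CA bundle
    works; the server's own fullchain.pem is not a trust store). A chain the
    client does not trust raises ssl.SSLCertVerificationError here, the
    client-side view of the unknown-CA failure. Returns the peer cert's CN."""
    ctx = ssl.create_default_context(cafile=ca_file)   # verifies chain + SAN
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            for frame in frames:
                tls.sendall(frame)
            subject = dict(x[0] for x in tls.getpeercert()["subject"])
            return subject.get("commonName", "")


if __name__ == "__main__":
    # Assumed names: replace host, port and CA path with your own deployment.
    frame = build_syslog_frame("nas01", "synology", "TLS syslog test")
    print(send_over_tls("logs.example.com", 1515, [frame], "/etc/ssl/certs/ca-certificates.crt"))
```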

Hello,

It is, so I have my response: I will not be able to use it for syslog.

That’s not true. There is a checkbox “Enable secure connection (SSL)” and we can import a certificate. Where I’m not sure is what form or format this certificate should be in.

Never mind, I will investigate more on syslog TLS later. The problem here is that I also have some Qnap NAS and, according to model or version, some cannot send over TCP.

So I set up an original system. I installed an OpenVPN server on the same VPS where Graylog is located (can be done on another machine but I didn’t have any on hand). Each NAS opens an SSL tunnel to my server and sends the logs then via TCP to the private address of the server.

It’s been running for two days now, it looks functional, I still have to check the behavior in case of a power or network failure but it looks good.

Thank you for your detailed response, I’m sure it will help me further.

Hi Kptainflintt,

I had issues also sending Synology NAS logs over rsyslog via TLS to Graylog. I did a lot of googling and testing, and found a post response from a Synology tech support guy saying that their TLS rsyslog implementation only works when sending the logs to another Synology NAS. I was not traversing the internet, so I just send the traffic via a separate VLAN unencrypted. I think your solution using OpenVPN to wrap the traffic is a better implementation for you anyway.
