Hi there,
It’s a bit hard for folks in the community to help troubleshoot in the absence of a lot of information. If your LE cert isn’t a wildcard cert, then you won’t be able to use it for Graylog. LE does issue wildcard certs, which you can get using something like this:
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /Users/yourname/.secrets/certbot/cloudflare.ini \
-d "*.example.com"
That said, things like log messages, screenshots of the UI, and configuration snippets generally go a long way to helping identify the problem, or at the very least narrow down the issue.
To your point @dickinsonzach, TLS/PKI is hard. While folks struggle with it, there are folks who are also able to implement it successfully, both using our open source/free version and the enterprise. So I wouldn’t say that paying for support is required to get SSL up and running. Heck, I’m on our support team and find working with TLS to be a bit of a challenge myself.
That said, here are a couple of other things. With regard to using a TLS syslog input to ingest Synology syslog logs, it appears that Synology won’t send syslog logs over TLS (see: Sending logs from Synology to Graylog over TLS = "TLSV1_ALERT_UNKNOWN_CA" - #12 by SoMoney).
The other thing is that I can 100% confirm that I’m able to get syslog messages into Graylog via a TLS input:
Syslog Input Configuration:
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
number_worker_threads: 4
override_source: <empty>
port: 1515
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file: /etc/graylog/ssl/fullchain.pem
tls_client_auth: optional
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /etc/graylog/ssl/privkey.pem
tls_key_password:********
use_null_delimiter: false
Rsyslog client config:
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/letsencrypt_ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/fullchain.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/privkey.pem
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$ActionSendStreamDriverMode 1 # run driver in TLS-only mode
$ActionSendStreamDriverAuthMode anon
*.* @@logs.example.com:1515
Screenshot of TLS Syslog Input & logs
Since I don’t have a Synology NAS that I can readily use to try and reproduce this, you might try out some of the steps in the other entry that I linked, @Kptainflintt, and see if you can get any further.
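As an added example (not code from the post above or from the Graylog project), the following Python script does from the client side what the rsyslog config in the post does: it verifies the certificate chain the TLS syslog input presents against a CA bundle, then sends one RFC 5424 test message framed the way the input expects (LF-terminated, because `use_null_delimiter` is false). The host `logs.example.com`, port 1515 and the CA file path are assumptions mirroring the values quoted in the post. A verification failure raised by `wrap_socket` is the client-side counterpart of the "unknown CA" alert: the CA bundle does not contain the issuer of the certificate the input is serving.

```python
"""Verify a Graylog TLS syslog input's certificate chain and send one
RFC 5424 test message. Added example; host, port and paths are assumed
values mirroring the forum post, not real infrastructure."""
import datetime
import socket
import ssl

# Assumed values taken from the post's configuration (not real hosts).
GRAYLOG_HOST = "logs.example.com"
GRAYLOG_PORT = 1515
CA_FILE = "/etc/rsyslog.d/letsencrypt_ca.pem"  # CA that signed the input's cert


def build_syslog_message(hostname, app, msg, facility=1, severity=6, timestamp=None):
    """Build one RFC 5424 line. PRI is facility*8 + severity; facility 1
    (user) and severity 6 (info) give <14>. `timestamp` is an ISO 8601
    string; if omitted the current UTC time is used."""
    pri = facility * 8 + severity
    if timestamp is None:
        timestamp = datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")
    # VERSION=1, no PROCID, no MSGID, no structured data ("-" placeholders).
    return f"<{pri}>1 {timestamp} {hostname} {app} - - - {msg}"


def frame_message(line, use_null_delimiter=False):
    """Frame a message for a TCP/TLS syslog input. Graylog's
    use_null_delimiter=false expects LF-terminated lines, which is also what
    rsyslog's @@ TCP forwarder sends by default; true expects NUL."""
    delimiter = b"\x00" if use_null_delimiter else b"\n"
    return line.encode("utf-8") + delimiter


def make_client_context(ca_file, client_cert=None, client_key=None):
    """TLS client context that verifies the server chain against ca_file
    (or the system trust store when ca_file is None) and checks the hostname.
    A client certificate is optional, matching tls_client_auth: optional on
    the input."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def send_test_message(host, port, ca_file, line, timeout=5.0):
    """Connect, verify the server certificate, send one framed line and
    return the peer certificate dict so the operator can confirm which
    certificate the input actually served (subject, issuer, SANs)."""
    ctx = make_client_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(frame_message(line))
            return tls.getpeercert()


if __name__ == "__main__":
    test_line = build_syslog_message("nas01", "tls-check", "graylog tls syslog test")
    try:
        peer = send_test_message(GRAYLOG_HOST, GRAYLOG_PORT, CA_FILE, test_line)
        print("sent; input presented cert issued by:", dict(x[0] for x in peer["issuer"]))
    except ssl.SSLCertVerificationError as exc:
        # This is the situation behind TLSV1_ALERT_UNKNOWN_CA on the other side:
        # the chain served by the input is not anchored in CA_FILE.
        print("chain verification failed; check tls_cert_file is the full chain:", exc)
```

Run it on the rsyslog host after the input is up; if the message arrives in the Graylog UI and the issuer printed matches the CA in `letsencrypt_ca.pem`, the server side of the TLS setup is correct and any remaining problem is on the sending device.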