Windows Sidecar TLS setup

So, I managed to make it work without TLS (Graylog Sidecar, Windows, beats).
I receive the messages and all is good.

Now I am trying to make it work with TLS and I have some questions, as I am getting this error on the Windows side when I run sidecar.exe.

So, the certificate I am using on the GL server I installed on the Windows machine under this path:

The setup I found for the GL part is for a Linux machine though:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["10.204.68.39:5144"]
  ssl.verification_mode: full
  ssl.certificate_authorities: ["/etc/ssl/certs/iptor/ca.pem"]
  ssl.certificate: "/path/to/certs/client.crt"
  ssl.key: "/path/to/certs/client.key"
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security

Now, my question is here:

  ssl.certificate_authorities: ["/etc/ssl/certs/iptor/ca.pem"]
  ssl.certificate: "/path/to/certs/client.crt"
  ssl.key: "/path/to/certs/client.key"

Which path shall I include from the Graylog server and which for the Windows server?
They will be totally different things.

Then on the beats INPUT, I checked the TLS part.

In the TLS cert file I actually copy-pasted the whole thing and did not give it a path, because it works like that for Linux and I presumed the same for Windows.

So, any idea? Thanks

Hello @adrianrus

I read your post up until this point.

The reason I stopped was the title of this post: Windows Sidecar TLS setup.

The configuration you have looks like Linux and not Windows.

"/etc/ssl/certs/iptor/ca.pem"

Here is my Windows Server Winlogbeat TCP/TLS.

# ---------------------------- Elasticsearch Output ----------------------------
# Array of hosts to connect to.
output.elasticsearch:
  hosts: ["https://graylog_servert:9200"] 
  server.ssl.enabled: true
  ssl.certificate_authorities: 'C:\Program Files\winlogbeat\root-ca.pem'
  server.ssl.certificate: 'C:\Program Files\winlogbeat\graylog3-certificate.pem'
  server.ssl.key: 'C:\Program Files\winlogbeat\graylog3-key.pem'

EDIT:
So that is for the log shipper. Now on the INPUT those same certificates should be on the Graylog server and accessible to Graylog.
Example:

Great, this was actually my question, because I did not understand whether that config is about the Windows client or the Graylog server.

  ssl.certificate_authorities: 'C:\Program Files\winlogbeat\root-ca.pem'
  server.ssl.certificate: 'C:\Program Files\winlogbeat\graylog3-certificate.pem'
  server.ssl.key: 'C:\Program Files\winlogbeat\graylog3-key.pem'

Great, I will test and come back.

Thanks a lot.

Damn thing, I am still missing something.

So, my graylog.conf:

http_enable_tls = true

# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
http_tls_cert_file = /etc/ssl/certs/iptor/wildcard........pem

# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
http_tls_key_file = /etc/ssl/certs/iptor/pkcs8-encrypted.pem

# The password to unlock the private key used for securing the HTTP interface.
http_tls_key_password = Secret123!

The collector

The input

Under the Windows cert MMC I imported the certs in both these locations:

I ran out of ideas and I am sure it is something very easy, but I am missing it at this point.

Do I need to alter the rsyslog.conf on the GL server as well in any way?
Still, I doubt it, as this is a sidecar…

Hm, some sidecar config file on Graylog maybe…?

The logs show the certs are invalid. So that would be my first suggestion.

Second, ensure the Graylog -Sidecar can access those certs. Not sure that path will work in this instance, for testing try putting your certs in Graylog-sidecar directory because if that does not work then for sure you have an issue with your certs.

EDIT: Oh, I just saw something in the log file from your first post, and yes, I'm blind :laughing:
This part here…

Meaning if you follow the docs it would have been this part here:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

# Details about the issuer of the certificate
[req_distinguished_name]
C = US
ST = Some-State
L = Some-City
O = My Company
OU = My Division
CN = graylog.example.com

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names    # <-- HERE

# IP addresses and DNS names the certificate should include
# Use IP.### for IP addresses and DNS.### for DNS names,
# with "###" being a consecutive number.
[alt_names]
IP.1 = 203.0.113.42            # <-- HERE
DNS.1 = graylog.example.com    # <-- HERE

I believe that is your issue.

Problem is that I didn't use this file format for the cert, as I needed to use my own ones.
I think I need to find a way…

Hello,

You could test out using the file, but the certificates you have need an IP SAN in them.

Found the issue: it was actually the DNS name I had to input, not the IP, in the YML file.

