We have set up a client with rsyslog to send data over TLS to the graylog server. We see incoming data on the right port with tcpdump and we have no errors in our logs (both client and graylog), but we can't see any messages in the input stream.
We have configured the input stream on the web interface like this:
Graylog server log messages:
2018-08-21_10:34:01.95319 INFO [AbstractTcpTransport] Enabled TLS for input [Syslog TCP/5b7bde773500d103c0a38504]. key-file="/etc/graylog/rsyslog-tls.key.pem" cert-file="/etc/graylog/graylog-pubkey.pem"
2018-08-21_10:34:01.95445 INFO [InputStateListener] Input [Syslog TCP/5b7bde773500d103c0a38504] is now STARTING
2018-08-21_10:34:01.97969 WARN [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogTCPInput{title=Syslog-over-TLS, type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=82767910-b4b4-4997-aa8e-b2b62f0805e1} should be 1048576 but is 212992.
2018-08-21_10:34:01.98067 INFO [InputStateListener] Input [Syslog TCP/5b7bde773500d103c0a38504] is now RUNNING
rsyslog client configuration looks like this:
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
$DefaultNetstreamDriverCAFile /etc/ssl/graylog-pubkey.pem
$ActionSendStreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS
$ActionSendStreamDriverAuthMode x509/name # authenticate by hostname
$ActionSendStreamDriverPermittedPeer graylog.<censored>
*.* @@<censored>:514
rsyslog log messages:
Aug 21 10:38:11 cloud-168.<censored> systemd[1]: Starting System Logging Service...
Aug 21 10:38:11 cloud-168.<censored> rsyslogd[1063]: [origin software="rsyslogd" swVersion="8.24.0" x-pid="1063" x-info="http://www.rsyslog.com"] start
Aug 21 10:38:11 cloud-168.<censored> systemd[1]: Started System Logging Service.
Expected Behavior
We should be able to see incoming messages in the graylog instance.
Current Behavior
We see incoming messages on the port via tcpdump, but we don't see any messages in the web interface.
Possible Solution
no idea
Steps to Reproduce (for bugs)
Set up rsyslog over TLS with the configuration above
Configure the Syslog TCP input with TLS as above
Restart rsyslog on the client
Watch incoming messages with tcpdump
Context
My goal is secure log forwarding via rsyslog from clients to Graylog.
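To narrow down where the messages are lost, the following added diagnostic (not part of this report, nor Graylog's or rsyslog's own code) performs the same TLS handshake the rsyslog client above does, with the CA file and hostname check mirroring the gtls x509/name settings, and sends one test line; GRAYLOG_HOST, the CA path and the message text are placeholders to adjust. Both rsyslog's default newline framing and RFC 6587 octet-counting are provided so that framing can be ruled out as the cause.

```python
# Added diagnostic (not from the original report): talk to the Graylog Syslog TCP
# input the way the rsyslog client above does (TLS, CA = graylog-pubkey.pem,
# hostname check like x509/name) and send one test line. Host, port and CA path
# are placeholders, not values from the report.
import socket
import ssl
import time

GRAYLOG_HOST = "graylog.example.invalid"  # placeholder for graylog.<censored>
GRAYLOG_PORT = 514                        # from the "*.* @@<censored>:514" action
CA_FILE = "/etc/ssl/graylog-pubkey.pem"   # same file as $DefaultNetstreamDriverCAFile

def rfc3164_message(hostname, tag, text, when=None):
    """One BSD-syslog line '<PRI>TIMESTAMP HOST TAG: MSG'; PRI 14 = user.info."""
    when = time.time() if when is None else when
    stamp = time.strftime("%b %d %H:%M:%S", time.localtime(when))
    return "<14>%s %s %s: %s" % (stamp, hostname, tag, text)

def frame_newline(msg):
    """Non-transparent framing (message + LF), what rsyslog's @@ action emits."""
    return (msg + "\n").encode("utf-8")

def frame_octet_counted(msg):
    """RFC 6587 octet-counting 'LEN SP MSG', for inputs that expect it instead."""
    body = msg.encode("utf-8")
    return b"%d %s" % (len(body), body)

def make_tls_context(ca_file):
    """Verify the server chain against the CA file and require a hostname match."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def send_test_message(host, port, ca_file, payload):
    """Handshake, send payload, return negotiated TLS details and peer subject CN."""
    ctx = make_tls_context(ca_file)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
            tls.sendall(payload)
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "peer_cn": subject.get("commonName")}

if __name__ == "__main__":
    line = rfc3164_message(socket.gethostname(), "tlscheck", "graylog TLS input test")
    print("sent:", line)
    print("peer:", send_test_message(GRAYLOG_HOST, GRAYLOG_PORT, CA_FILE, frame_newline(line)))
```

If the handshake fails here, the problem is on the transport side (certificate, CA file, hostname); if it succeeds and the line still does not appear in the input, look at framing and message parsing on the Graylog side.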