tagomoris / fluent-plugin-secure-forward


SSL from windows #55

Open jonapich opened 7 years ago

jonapich commented 7 years ago

Hi,

Is it possible to transfer logs to this plugin from Windows?

Use case: I have a fluent server setup with secure-forward as the input and I'm trying to hook up my windows machines to it.

The official documentation mentions using nxlogs instead since v10 "doesn't support windows anymore", but its om_ssl module doesn't look like it supports any way of providing a shared key.

Are there any workarounds possible here? I haven't looked at the plugin's code, but is there a way to get rid of the shared key entirely? Would that let 3rd parties such as nxlogs send logs to fluentd's SSL input?

Not entirely related, but: I just stumbled across a few locations where it mentions fluent v0.14 supports windows again, but I can't find any download links?

EDIT: Also, I guess I wouldn't mind installing an old version of fluent that supports windows if it can handle this plugin... but again, I can't find any download links anywhere.

tagomoris commented 7 years ago

You can install Fluentd v0.14 by gem install fluentd after installing ruby + devkit. Binary packages (td-agent) including v0.14.x are not released yet. This plugin's protocol was originally invented for this plugin itself, and is not compatible with any others (except for the Fluentd v0.14 auth protocol... but it still has no support for SSL/TLS). As far as I know, it's the only way to use Fluentd v0.14 and this plugin on Windows.

jonapich commented 7 years ago

Just making sure I get this straight: it's impossible to send windows logs to fluentd/td-agent in a secure manner using fluent v14 windows, and because this plugin doesn't follow the standard SSL/TLS mechanics, there are no workarounds possible with 3rd party windows log forwarders.

Hopefully v14 will open up to the world and use standard mechanisms?

Thanks for the input!

tagomoris commented 7 years ago

Sorry, what's the "standard mechanisms" you mean?

SSL/TLS alone doesn't work because SSL/TLS just assures the transportation security, but it doesn't assure the safety of the destination, because the AWS EC2 IP address might be another host than the one you're using. So, we need application layer requirements to assure the node is the one we want to communicate with. The secure-forward protocol (auth protocol in Fluentd v0.14) provides it.
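As an added illustration of the application-layer peer check described above (not code from fluent-plugin-secure-forward or Fluentd): a shared-key challenge-response in which each side proves it knows the key without sending it, on top of whatever transport protection TLS already gives. The HELO/PING/PONG message layout, field names, hostnames and key below are constructed assumptions modelled on the secure-forward handshake, not the plugin's exact wire format.

```ruby
require 'digest'
require 'securerandom'

# Constant-time comparison so a wrong digest does not leak matching prefix length via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Digest binding a per-connection nonce, a per-message salt and the speaker's hostname to the key.
def key_digest(salt, hostname, nonce, key)
  Digest::SHA512.hexdigest(salt + hostname + nonce + key)
end

# Server -> client: HELO carries a fresh nonce for this connection (assumed message shape).
def server_helo
  { 'nonce' => SecureRandom.hex(16) }
end

# Client -> server: PING proves the client knows the shared key; the key itself never crosses the wire.
def client_ping(hostname, nonce, key)
  salt = SecureRandom.hex(16)
  { 'hostname' => hostname, 'salt' => salt,
    'digest' => key_digest(salt, hostname, nonce, key) }
end

# Server checks PING; on success it answers PONG with its own proof, so the client can confirm
# it reached the intended aggregator and not merely some host with a valid TLS certificate.
def server_pong(ping, nonce, server_hostname, key)
  ok = secure_equal?(key_digest(ping['salt'], ping['hostname'], nonce, key), ping['digest'])
  return { 'authenticated' => false } unless ok
  salt = SecureRandom.hex(16)
  { 'authenticated' => true, 'hostname' => server_hostname, 'salt' => salt,
    'digest' => key_digest(salt, server_hostname, nonce, key) }
end

# Client checks PONG before sending any log records.
def client_verify_pong(pong, nonce, key)
  return false unless pong['authenticated']
  secure_equal?(key_digest(pong['salt'], pong['hostname'], nonce, key), pong['digest'])
end

# Full exchange with constructed hostnames; returns whether both sides accepted each other.
def handshake(client_key, server_key)
  nonce = server_helo['nonce']
  ping  = client_ping('win-host-01.example', nonce, client_key)
  pong  = server_pong(ping, nonce, 'aggregator.example', server_key)
  client_verify_pong(pong, nonce, client_key)
end
```

Only a sender and receiver configured with the same key complete the exchange; a mismatched key fails on the server side, and a forged PONG fails on the client side.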

jonapich commented 7 years ago

I appreciate your input, but I don't agree with the shared key adding any assurance; it gives a little more trouble to the hacker of course, but the key probably appears in the configuration database in clear, whereas for certificates, you typically just configure the path to the cert. In order to access and steal the path, you need some additional permissions. But that's just my grain of salt.

Docker's driver was another use case made complex because of this. We used the fluentd log driver to shoot to our fluentd server directly over TCP. Moving to SSL, we were forced to eat extra resources and spawn a fluentd client on our hosts just for the sake of enabling the secure-forward plugin. All those dockers that were perfectly independent now rely on a side-car or host dependencies; it's quite a mess :(

It wouldn't be so bad if it was optional / if it didn't prevent 3rd party software from filling in the gaps. Fluent being such a flexible tool with so many input/output possibilities, it's a shame to lose all that flexibility when trying to operate over SSL.

I hope v14 will see some improvements to this and let standard SSL libraries speak to fluentd using OOTB technologies.

himmatb commented 6 years ago

@jonapich Did you get any solution for this? If yes, please help me.

I am trying to securely send logs from Windows application logs to the Fluentd Aggregator (mux) which is present on the OpenShift EFK stack, which is using secure-forward as the input.

Is it really required to use Nxlog to forward logs to the fluentd aggregator? Can we send logs directly by installing the MSI version of the latest td-agent?

Please suggest the exact secure way to send Windows logs to the aggregator.