wizecore / graylog2-output-syslog

Customizable, production ready syslog and ArcSight output plugin for Graylog
Apache License 2.0
38 stars 19 forks

Please implement TLS #13

Closed ralfbergs closed 6 years ago

ralfbergs commented 7 years ago

Hi,

I would appreciate very much if you could implement TLS so that logs can be safely sent across the internet, without the need to have a VPN below to provide a secure network.

Thanks for considering this wishlist item. :-)

Kind regards,

Ralf

huksley commented 7 years ago

Hi Ralf! Is there any cloud provider which accepts the TLS-protected syslog protocol?

ralfbergs commented 7 years ago

Ruslan (@huksley), I don't understand the question?

My use case is that we need to send logs from our AWS environment (Graylog is our central logging facility there and collects logs from all tiers in all VPCs) to our datacenter. Obviously we don't want to send the logs in plaintext.

Does that help?

zahnd commented 7 years ago

We did a workaround by installing Logstash on every graylog-server and sending the logs with GELF to localhost (logstash), which forwards the messages using TLS-Syslog to other destinations. I really would appreciate seeing TLS functionality in the syslog output plugin.

huksley commented 7 years ago

Hello! I've added TLS to the plugin. However, it is an initial release. When I am testing it using a vagrant box with rsyslogd and graylog omnibus I get the following in /var/log/syslog

drinfo: Name or service not known
Dec 29 20:27:59 graylog #026#003#003#000▒#001#000#000▒#003#003Xeqϊ9▒
Dec 29 20:27:59 graylog #013▒?#025▒u▒Q#013▒ʝ#011c#mޙ▒▒h#▒▒#000#000: ▒#▒'#000<▒%
)#000g#000@▒#011▒#023#000/▒#004▒#016#0003#0002▒+▒/#000▒▒-▒1#000▒#000▒▒#010▒#022
Dec 29 20:27:59 graylog ▒#003▒#015#000#026#000#023#000▒#001#000#000Z
Dec 29 20:27:59 graylog #0004#0002#000#027#000#001#000#003#000#023#000#025#000#
06#000#007#000#011

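
The escaped bytes in the /var/log/syslog excerpt above are how rsyslog renders control bytes it receives: each `#ooo` is one byte as three octal digits. Decoded, the message starts 0x16 0x03 0x03, which is a TLS handshake record header carrying a TLS 1.2 version field, and after the two-byte record length comes handshake type 0x01, a ClientHello. That is exactly what a plaintext TCP syslog listener writes to its log when the peer opens a TLS session against it. The Python below is an added example, not code from the graylog2-output-syslog project or from anyone in this thread: it reverses rsyslog's `#ooo` escaping, strips the timestamp/host prefix of a syslog file line, and reports whether the payload is a TLS ClientHello, an ordinary syslog message, or unrecognised binary. The sample lines are constructed (the thread's own high bytes were lost in the paste and cannot be recovered); the only assumption about rsyslog is its default behaviour of escaping control bytes as `#ooo` and passing printable and high bytes through unchanged.

```python
"""Decode rsyslog's escaped rendering of received bytes and recognise a TLS
handshake that was delivered to a plaintext syslog listener.

Added example, not code from graylog2-output-syslog. Assumes rsyslog's default
EscapeControlCharactersOnReceive rendering: control bytes become '#' plus three
octal digits; printable and high bytes are written as they arrived.
"""
import re

# rsyslog renders a control byte as '#ooo' (three octal digits), e.g. '#026'.
_ESCAPE = re.compile(r"#([0-7]{3})")

# Traditional "Mon DD HH:MM:SS host " prefix that /var/log/syslog puts before
# the received payload.
_FILE_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ ")

# TLS record content type for handshake messages (RFC 5246 section 6.2.1) and
# the handshake type that opens a connection (RFC 5246 section 7.4).
TLS_HANDSHAKE_RECORD = 0x16
TLS_CLIENT_HELLO = 0x01
TLS_VERSIONS = {
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",  # TLS 1.3 ClientHellos also carry 0x0303 in the record header
}


def unescape_rsyslog(text: str) -> bytes:
    """Turn an rsyslog-escaped payload back into the raw bytes it received."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(text):
        # Bytes rsyslog did not escape pass through one-to-one. A pasted log may
        # have turned high bytes into replacement characters; those cannot be
        # recovered and are written as '?' so decoding never fails.
        out += text[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 8))  # '#026' -> 0x16
        pos = m.end()
    out += text[pos:].encode("latin-1", "replace")
    return bytes(out)


def classify_payload(raw: bytes) -> str:
    """Describe what a plaintext TCP syslog listener actually received."""
    # TLS record: content type (1) | version (2) | length (2) | first body byte,
    # which for a handshake record is the handshake message type.
    if len(raw) >= 6 and raw[0] == TLS_HANDSHAKE_RECORD and raw[1] == 3:
        version = TLS_VERSIONS.get((raw[1], raw[2]), f"SSL/TLS 3.{raw[2]}")
        record_len = int.from_bytes(raw[3:5], "big")
        if raw[5] == TLS_CLIENT_HELLO:
            return (f"TLS ClientHello ({version} record header, {record_len}-byte record): "
                    "the sender speaks TLS, this listener is plaintext")
        return f"TLS handshake record ({version})"
    # RFC 3164/5424 messages start with a PRI such as '<134>'.
    if raw[:1] == b"<" and b">" in raw[:6]:
        return "syslog message (PRI present)"
    return "unrecognised binary"


def diagnose_log_line(line: str) -> str:
    """Strip the /var/log/syslog prefix, undo rsyslog escaping, classify."""
    payload = _FILE_PREFIX.sub("", line, count=1)
    return classify_payload(unescape_rsyslog(payload))


# Constructed sample lines in rsyslog's escaped form (not the thread's bytes).
# The first is a TLS 1.2 ClientHello: record length 0x0065 (the 'e' is the raw
# byte 0x65, which rsyslog does not escape), handshake type 0x01, handshake
# length 0x000061 ('a'), legacy_version 0x0303, then random bytes.
SAMPLE_TLS_LINE = "Dec 29 20:27:59 graylog #026#003#003#000e#001#000#000a#003#003Xeq"
SAMPLE_SYSLOG_LINE = "Dec 29 20:27:59 graylog <134>1 2017-12-29T20:27:59Z graylog app - - - hello"

if __name__ == "__main__":
    for sample in (SAMPLE_TLS_LINE, SAMPLE_SYSLOG_LINE):
        print(diagnose_log_line(sample))
```

Run it against a suspicious line from the receiver's log: a "TLS ClientHello" verdict means the output plugin was configured for TLS but the listener on that port was not (or the wrong port was used), and the fix is on the receiver or in the output's target, not in the message format.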
ralfbergs commented 7 years ago

Hi Ruslan, @huksley

Thanks a lot for your efforts.

I'm not a Graylog expert, and I couldn't find a quick answer to my question on Google, so could you please briefly explain what "Omnibus" is? Is it just some pre-packaged Graylog distribution?

Anyway, I can't really "decrypt" what the above log snippet means. Is it some binary characters that actually appear like this in your logfile? Meaning that there is an issue with decoding/decrypting?

Any way I could help to progress this?

Kind regards,

Ralf

ralfbergs commented 7 years ago

Hi Ruslan, @huksley

May I kindly ask to respond to my above question?

I would like to test the modification you made. How would I do it? Where to get the code, how to install it?

Any guidance would be very much appreciated. Thanks in advance for your help.

Kind regards,

Ralf

ralfbergs commented 7 years ago

@zahnd: What is the overhead of installing a local Logstash just for forwarding? Is it a simple "small" package that doesn't need any other infrastructure, like a database for example? In that case it might be an option for us as well... (I don't want to install a "huge" extra service that is just a workaround for a seemingly simple issue...)

zahnd commented 7 years ago

@ralfbergs Thank you for your hint. You're absolutely right, there is almost no overhead. I just realised that solution and it works very well.

ralfbergs commented 7 years ago

@zahnd Thanks, we might well go the same route...

huksley commented 7 years ago

Hello @ralfbergs, @zahnd. Sorry for delay.

I've rechecked my latest SSL addition. It is actually working ok with plain output. Can you verify it?

If you already have graylog installed, you need to copy the plugin (either build it yourself or take it from releases) to the graylog plugins directory and skip to step 8 in the following instructions:

Here are the steps needed:

  1. Clone project
  2. Build it using >mvn package
  3. Go to vagrant folder
  4. Issue >vagrant up (you must have vagrant and virtualbox installed)
  5. Wait for it to warm up
  6. Go to http://localhost:8080 in browser
  7. Login as admin:admin
  8. Create global output with the following settings: Syslog, SSL over TCP, plain, and specify a Java truststore + password (you can use the pregenerated one /opt/graylog/conf/server.jks + 123456)
  9. Create stream
  10. Assign global syslog output to stream
  11. Add rule to filter messages
  12. Enable stream
  13. Send message to graylog conforming to stream rules
  14. Check /var/log/syslog in vagrant vm for messages from graylog

huksley commented 7 years ago

P.S. Just checked, message formats plain or structured work fine with rsyslogd. cef and full are not working.

ralfbergs commented 7 years ago

@huksley Ruslan, thanks.

I will try it in the next couple of days...

A question re. the truststore:

I don't want to establish "explicit" trust, i. e. import the receiving syslog server's certificate into Graylog, but I would rather use "implicit" trust by letting Graylog check the server's certificate against a set of well-known root CAs.

Would that work by simply not using a keystore? Or do I have to import this set of well-known root CAs into a keystore and assign this to the output plugin?

huksley commented 7 years ago

I believe you must use both keystore (to establish identity of the graylog) and truststore (so that receiving side will be verified).

I haven't verified this setup personally.

ralfbergs commented 7 years ago

Ok, so I have to try it out... I will do so and let you know...

huksley commented 6 years ago

Closed due to inactivity. If TLS issues still exist, please open a new issue.

ralfbergs commented 6 years ago

Apologies that I didn't submit any feedback. We had to redesign our integration towards the sink of all our messages, which is why we didn't pursue this approach any longer. We now have LogStash in between, and LogStash sends the messages to the final destination using HTTPS.

Thank you.