Closed ralfbergs closed 6 years ago
Hi Ralf! Is there any cloud provider which accepts TLS protected syslog protocol?
Ruslan (@huksley), I don't understand the question?
My usecase is that we need to send logs from our AWS environment (Graylog is our central logging facility there and collects logs from all tiers in all VPCs) to our datacenter. Obviously we don't want to send the logs in plaintext.
Does that help?
We did a workaround by installing Logstash on every graylog-server and sending the logs with GELF to localhost (logstash), which forwards the messages using TLS-Syslog to other destinations. I really would appreciate seeing TLS functionality in the syslog output plugin.
Hello! I've added TLS to the plugin. However, it is an initial release. When I test it using a vagrant box with rsyslogd and graylog omnibus I get the following in /var/log/syslog
drinfo: Name or service not known
Dec 29 20:27:59 graylog #026#003#003#000▒#001#000#000▒#003#003Xeqϊ9▒
Dec 29 20:27:59 graylog #013▒?#025▒u▒Q#013▒ʝ#011c#mޙ▒▒h#▒▒#000#000: ▒#▒'#000<▒%)#000g#000@▒#011▒#023#000/▒#004▒#016#0003#0002▒+▒/#000▒▒-▒1#000▒#000▒▒#010▒#022
Dec 29 20:27:59 graylog ▒#003▒#015#000#026#000#023#000▒#001#000#000Z
Dec 29 20:27:59 graylog #0004#0002#000#027#000#001#000#003#000#023#000#025#000#006#000#007#000#011
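The escaped binary in the syslog lines above is recognisable: rsyslog renders control characters it receives as `#` followed by three octal digits, so `#026#003#003` is the byte sequence 0x16 0x03 0x03, which is a TLS record header (content type Handshake, record-layer version TLS 1.2). In other words, a TLS ClientHello reached an rsyslog listener that was expecting plain syslog. The following is an added example (my own Python, not code from this thread or from the Graylog syslog output plugin) that decodes rsyslog's escaping, classifies such a line, and reproduces the situation on loopback by pointing a TLS client at a plaintext TCP listener. The syslog prefix pattern and the sample line handling are assumptions about the traditional `Mon DD HH:MM:SS host` format shown above.

```python
"""Detecting a TLS handshake that landed on a plaintext syslog listener.

Added example (not code from the thread or from the Graylog syslog output
plugin). rsyslog escapes control characters it receives as '#' plus three
octal digits, so a /var/log/syslog line beginning "#026#003#003" holds the
bytes 0x16 0x03 0x03: a TLS record of type Handshake (0x16) with record-layer
version 3.3 (TLS 1.2). That is a TLS client's ClientHello arriving at a
listener that expected plain syslog.
"""
import re
import socket
import ssl
import threading

TLS_HANDSHAKE = 0x16     # TLS record content type: Handshake
CLIENT_HELLO = 0x01      # handshake message type: ClientHello
_OCTAL_ESCAPE = re.compile(r"#([0-7]{3})")
# Assumed traditional "Mon DD HH:MM:SS host " syslog prefix, as in the lines above.
_SYSLOG_PREFIX = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ ")


def rsyslog_unescape(text):
    """Undo rsyslog's '#ooo' escaping and return a list of byte values.

    Non-ASCII characters (including the replacement glyphs a terminal shows
    for high bytes) become None: the original byte cannot be recovered.
    """
    out, i = [], 0
    while i < len(text):
        m = _OCTAL_ESCAPE.match(text, i)
        if m:
            out.append(int(m.group(1), 8))
            i = m.end()
        else:
            code = ord(text[i])
            out.append(code if code < 0x80 else None)
            i += 1
    return out


def looks_like_client_hello(payload):
    """True if the payload starts with a TLS Handshake record header
    (type 0x16, version 3.0 .. 3.4) followed by a ClientHello (0x01).
    None entries are unknown bytes and match anything."""
    if len(payload) < 6:
        return False
    ctype, vmaj, vmin, _len_hi, _len_lo, hs_type = payload[:6]
    return (ctype == TLS_HANDSHAKE and vmaj == 0x03
            and vmin is not None and vmin <= 0x04
            and hs_type in (CLIENT_HELLO, None))


def classify_syslog_line(line):
    """'tls-on-plaintext-port' when the message body is a TLS ClientHello
    that rsyslog logged as escaped binary, otherwise 'text'."""
    body = _SYSLOG_PREFIX.sub("", line, count=1)
    if looks_like_client_hello(rsyslog_unescape(body)):
        return "tls-on-plaintext-port"
    return "text"


def capture_client_hello():
    """Reproduce the misconfiguration on loopback: a plaintext TCP listener
    receives whatever a TLS client sends first. Returns those raw bytes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # any free port
    listener.listen(1)
    listener.settimeout(5)
    received = {}

    def accept_once():
        try:
            conn, _ = listener.accept()
            with conn:
                received["raw"] = conn.recv(4096)
        except OSError:
            pass                          # nothing connected within the timeout

    worker = threading.Thread(target=accept_once)
    worker.start()
    ctx = ssl.create_default_context()    # a normal client that verifies the server
    try:
        with socket.create_connection(listener.getsockname(), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname="syslog.example"):
                pass
    except (ssl.SSLError, OSError):
        pass   # expected: the plaintext listener never answers the handshake
    worker.join()
    listener.close()
    return received.get("raw", b"")


if __name__ == "__main__":
    # The first escaped line quoted in the thread above.
    sample = "Dec 29 20:27:59 graylog #026#003#003#000▒#001#000#000▒#003#003Xeqϊ9▒"
    print(classify_syslog_line(sample))          # tls-on-plaintext-port
    raw = capture_client_hello()
    print(raw[:6].hex(), looks_like_client_hello(list(raw)))
```

Newer OpenSSL builds put version 3.1 in the record header of the first ClientHello for compatibility, so the captured bytes start with 0x16 0x03 0x01 rather than the 0x16 0x03 0x03 seen in the 2016-era log above; the classifier accepts either.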
Hi Ruslan, @huksley
Thanks a lot for your efforts.
I'm not a Graylog expert, and I couldn't find a quick answer to my question on Google, so could you please briefly explain what "Omnibus" is? Is it just some pre-packaged Graylog distribution?
Anyway, I can't really "decrypt" what the above log snippet means. Is it some binary characters that actually appear like this in your logfile? Meaning that there is an issue with decoding/decrypting?
Any way I could help to progress this?
Kind regards,
Ralf
Hi Ruslan, @huksley
May I kindly ask to respond to my above question?
I would like to test the modification you made. How would I do it? Where to get the code, how to install it?
Any guidance would be very much appreciated. Thanks in advance for your help.
Kind regards,
Ralf
@zahnd: What is the overhead of installing a local Logstash just for forwarding? Is it a simple "small" package that doesn't need any other infrastructure, like a database for example? In that case it might be an option for us as well... (I don't want to install a "huge" extra service that is just a work-around for a seemingly simple issue...)
@ralfbergs Thank you for your hint. You're absolutely right, there is almost no overhead. I just realised that solution and it works very well.
@zahnd Thanks, we might well go the same route...
Hello @ralfbergs, @zahnd. Sorry for delay.
I've rechecked my latest SSL addition. It is actually working ok with plain output. Can you verify it?
If you already have graylog installed, you need to copy the plugin (either build it yourself or take it from releases) to the graylog plugins directory and skip to step 8 in the following instructions:
Here are the steps needed:
P.S. Just checked, the message formats plain and structured work fine with rsyslogd. cef and full are not working.
@huksley Ruslan, thanks.
I will try it in the next couple of days...
A question re. the truststore:
I don't want to establish "explicit" trust, i.e. import the receiving syslog server's certificate into Graylog, but I would rather use "implicit" trust by letting Graylog check the server's certificate against a set of well-known root CAs.
Would that work by simply not using a keystore? Or do I have to import this set of well-known root CAs into a keystore and assign this to the output plugin?
I believe you must use both keystore (to establish identity of the graylog) and truststore (so that receiving side will be verified).
I haven't verified this setup personally.
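For the truststore/keystore question above, the general TLS model is: verifying the receiving syslog server needs only a truststore (the platform's well-known root CAs give the "implicit" trust asked about; a pinned CA file gives "explicit" trust), and a keystore holding the client's own certificate and key is needed only when the receiver demands client certificates (mutual TLS). The following is an added example in Python's `ssl` module, not the plugin's Java code, and says nothing about how the plugin's own keystore options are wired; the octet-counted framing is the one RFC 5425 defines for syslog over TLS, and `host`, `port` and the file paths are placeholders.

```python
"""Truststore vs keystore for a TLS syslog client (added example using
Python's ssl module; it illustrates the general TLS model, not how the
Graylog plugin's Java keystore options are implemented).

- Verifying the server needs only a truststore: no CA file means the
  platform root CAs ("implicit" trust); a CA file means only that set
  is trusted ("explicit" trust).
- A client keystore (certificate + key) is needed only when the receiver
  requires client certificates (mutual TLS).
"""
import socket
import ssl


def build_client_context(ca_file=None, client_cert=None, client_key=None):
    """Return an SSLContext for connecting to a TLS syslog receiver."""
    if ca_file is None:
        ctx = ssl.create_default_context()                # platform root CAs
    else:
        ctx = ssl.create_default_context(cafile=ca_file)  # only this CA set
    ctx.verify_mode = ssl.CERT_REQUIRED   # server certificate must validate
    ctx.check_hostname = True             # and match the hostname we dial
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert is not None:           # mutual TLS: present our identity
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def trust_mode(ca_file=None):
    """Name the trust model a given configuration produces."""
    return "implicit (platform root CAs)" if ca_file is None else "explicit (CA file)"


def frame_syslog(message):
    """RFC 5425 octet-counted framing: "<len> <msg>", so the receiver can
    split messages on the TLS stream without relying on newlines."""
    data = message.encode("utf-8")
    return str(len(data)).encode("ascii") + b" " + data


def send_syslog_tls(messages, host, port, ctx):
    """Open one TLS connection to host:port, verify the server against the
    context's truststore, write each message framed, and return the
    negotiated protocol version. Placeholder host/port; no receiver is
    provided here."""
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            for m in messages:
                tls.sendall(frame_syslog(m))
            return tls.version()


if __name__ == "__main__":
    print(trust_mode())                     # implicit (platform root CAs)
    print(trust_mode("/etc/ssl/private-ca.pem"))   # explicit (CA file)
    print(frame_syslog("<13>1 - graylog - - - - hello"))
    # ctx = build_client_context()   # or build_client_context(client_cert=..., client_key=...)
    # send_syslog_tls(["<13>1 - graylog - - - - hello"], "syslog.example", 6514, ctx)
```

If the receiver's certificate is issued by a public CA, `build_client_context()` with no arguments is the implicit-trust setup; `load_cert_chain` is only reached when a client certificate is supplied, which is the keystore case.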
Ok, so I have to try it out... I will do so and let you know...
Closed due to inactivity. If TLS issues still exist, please open a new issue.
Apologies that I didn't submit any feedback. We had to redesign our integration towards the sink of all our messages, which is why we didn't pursue this approach any longer. We now have LogStash in between, and LogStash sends the messages to the final destination using HTTPS.
Thank you.
Hi,
I would appreciate very much if you could implement TLS so that logs can be safely sent across the internet, without the need to have a VPN below to provide a secure network.
Thanks for considering this wishlist item. :-)
Kind regards,
Ralf