How to relay from DMZ?

[tmoraiseic]

What is the best way to relay from a DMZ? Internally we have Windows using NXlog agents and Linux using rsyslog talking directly to Nagios Log Server. Since we can't have the same setup for DMZ servers, we would like to have some sort of relay server in the DMZ that will pass to NLS. Not an expert with Logstash and Elasticsearch, so trying to piece together the best way to make this happen.

[cdienger]

I'm not sure what people have done for NXLog, but it looks like the enterprise edition does have some relay abilities: https://nxlog.co/products/additional-fe ... se-edition

Messages from rsyslog can be forwarded to another rsyslog server which then in turn forwards messages on to NLS: https://support.nagios.com/forum/viewto ... 37&t=41560

[mcapra]

You could also have an intermediate Nagios Log Server instance between your DMZ and the "production" Nagios Log Server cluster. This intermediate instance could exclusively be responsible for forwarding logs via an output rule then discarding them. It's a setup I've done before on older NLS versions (1.4 ish).

Or if you're interested in learning more about Logstash, you could have a single stand-alone Logstash (or Beats) instance be responsible for this. If it starts getting overloaded, spin up another and put them behind a load-balancer.

If it were my problem to solve, I'd do so with a standalone Logstash instance. There's really no wrong answer.

[cdienger]

Thanks for the input, @mcapra!

[tmoraiseic]

Thanks for the input. I got an ELK server up and running, and now trying to forward logs on to Nagios Log Server instance. Where is the right location to tweak output to send there? I tried adding output.conf to /etc/Logstash/conf.d, but that only seems to break communication within ELK and nothing being passed to NLS.

[cdienger]

There could easily be a typo in the output that prevents logstash from working properly. Check the logs found in LS_HOME/logs or /var/log/logstash for errors or warnings when Logstash is started up.

[nozlaf]

If it were my problem to solve, I'd do so with a standalone Logstash instance. There's really no wrong answer.

agreed
I'd just bring the log data in and out using the logstash instance in the dmz and do the filtering etc.. on the NLS server this would be more reliable than running an elk stack because less moving parts = less crashes

[npolovenko]

@tmoraiseic, Let me know if you have any other questions for us.

[mgarrity10]

Hello. We have decided to use a second Nagios Log Server instance instead of an elk stack, and we have successfully installed it. The idea is that we'll have one NLS living in our DMZ and collecting logs from all of our client DMZ servers, and it will forward those clients' logs down to our other Nagios Log Server instance outside of the DMZ. Any ideas on how to do this?

[tmcdonald]

Hello. We have decided to use a second Nagios Log Server instance instead of an elk stack, and we have successfully installed it. The idea is that we'll have one NLS living in our DMZ and collecting logs from all of our client DMZ servers, and it will forward those clients' logs down to our other Nagios Log Server instance outside of the DMZ. Any ideas on how to do this?

Are you from the same company or are you just experiencing the same thing and looking for assistance?