Hello, I'm running v2.0.8 NLS on a 64-bit VM CentOS 7 server.
I have set up SSL/TLS input for a Windows server, it works fine.
I have set up SSL/TLS input from a Linux server.
On the NLS server, using the recommended tcpdump command, I see what looks like encrypted data coming in from the host.
When I look at the events for the host, there are no new events.
On the NLS server, after moving certificate and key files to /etc/pki/tls/[certs,private], does any task need to be restarted?
Earl
Help needed with syslog SSL input
Re: Help needed with syslog SSL input
It sounds like you followed the steps in https://assets.nagios.com/downloads/nag ... th-SSL.pdf, correct?
Restarting the service shouldn't be necessary but try this:
tail -f /var/log/logstash/logstash.log
and while that is running, restart the service:
service logstash restart
and see if any errors are getting logged when the restart happens or as logs come in.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Re: Help needed with syslog SSL input
Hello,
Yes, that is the document I used.
The firewalls were set up by my tech staff, I have no reason to suspect any problem there.
logstash.log was empty until I did the restart, then 3 lines came in from the restart.
I see data come in from the Linux client. I'm sure I have the port right on both sides.
I am not seeing any events in the query, after about 9:40 AM when I made the change. I went through the steps to configure it twice.
I see no more entries in logstash.log.
Earl
Re: Help needed with syslog SSL input
Please provide the tcpdump if possible. You can PM it to me if there is any sensitive info.
We can enable debug logging for logstash by editing /etc/init.d/logstash and changing line 64 from:
DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS}"
to:
DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS} --debug"
Then restart it with:
systemctl daemon-reload
service logstash restart
Let it run long enough to capture data from the sending device and then disable debug logging and PM me the logstash.log as well as the sending device's IP address.
Re: Help needed with syslog SSL input
Is the input listening on port 7778 like the document suggests? The tcpdump provided doesn't show anything on this port. A better command to see if it is coming in on this port would be:
tcpdump -i eth0 -nnvXSs 0 host 10.25.13.37 and port 7778
Re: Help needed with syslog SSL input
Hello,
I still have files backing up on the source CentOS 7 server, in /var/lib/rsyslog, which should be going to my NLS server.
I tried the signing step again, sending the syslog-ca.pem file over and restarting rsyslog.
I know this works when I set it up for non-secure transmission.
I can access the 7778 port on the NLS server using TCP from the client server.
What can I check to resolve this?
Earl
Re: Help needed with syslog SSL input
Hello,
Installing rsyslog-gnutls on the client server corrected the problem.
Thanks for your time!
Please lock the case.
Earl
Re: Help needed with syslog SSL input
Great!
Bitflogger wrote:
Hello,
Installing rsyslog-gnutls on the client server corrected the problem.
Thanks for your time!
Please lock the case.
Earl
Locking
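
The fix reported in this thread, turned into a client-side check (an added example, not part of any post or of Nagios' documentation): it reports whether an rsyslog configuration asks for the gtls stream driver while the driver module that the rsyslog-gnutls package provides is absent. The function names, the sample configuration and the host nls.example.test are constructed for illustration.

```shell
#!/bin/sh
# Added example: does this rsyslog client have the TLS driver its config asks for?

# wants_gtls CONF... -> status 0 if an uncommented line selects the gtls driver
wants_gtls() {
    [ $# -gt 0 ] || return 1
    grep -Eiqs \
        -e '^[[:space:]]*\$(DefaultNetstreamDriver|ActionSendStreamDriver)[[:space:]]+gtls' \
        -e '^[^#]*StreamDriver[[:space:]]*=[[:space:]]*"gtls"' "$@"
}

# has_gtls_module DIR -> status 0 if the module shipped by rsyslog-gnutls exists
has_gtls_module() {
    [ -f "$1/lmnsd_gtls.so" ]
}

# diagnose MODDIR CONF... -> prints plaintext | ok | missing-driver
diagnose() {
    moddir=$1; shift
    if ! wants_gtls "$@"; then
        echo "plaintext"        # config never selects the TLS driver
    elif has_gtls_module "$moddir"; then
        echo "ok"
    else
        echo "missing-driver"   # the case in this thread: install rsyslog-gnutls
    fi
}

# Constructed sample: a client config requesting TLS and an empty module directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/mods"
    cat > "$tmp/nls.conf" <<'EOF'
$DefaultNetstreamDriverCAFile /etc/pki/tls/certs/syslog-ca.pem
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode anon
*.* @@nls.example.test:7778
EOF
    before=$(diagnose "$tmp/mods" "$tmp/nls.conf")
    : > "$tmp/mods/lmnsd_gtls.so"   # stand-in for installing rsyslog-gnutls
    after=$(diagnose "$tmp/mods" "$tmp/nls.conf")
    rm -rf "$tmp"
    echo "$before -> $after"
}
demo
```

On a host, call `diagnose /usr/lib64/rsyslog /etc/rsyslog.conf /etc/rsyslog.d/*.conf`; the module directory shown is the usual CentOS 7 x86_64 location and is an assumption here.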