Help needed with syslog SSL input

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
Bitflogger
Posts: 226
Joined: Mon Oct 16, 2017 9:24 am

Help needed with syslog SSL input

Post by Bitflogger »

Hello, I'm running v2.0.8 NLS on a 64-bit VM CentOS 7 server.

I have set up SSL/TLS input for a Windows server; it works fine.

I have set up SSL/TLS input from a Linux server.

On the NLS server, using the recommended tcpdump command, I see what looks like encrypted data coming in from the host.

When I look at the events for the host, there are no new events.

On the NLS server, after moving certificate and key files to /etc/pki/tls/[certs,private], does any task need to be restarted?

Earl
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Help needed with syslog SSL input

Post by cdienger »

It sounds like you followed the steps in https://assets.nagios.com/downloads/nag ... th-SSL.pdf, correct?

Restarting the service shouldn't be necessary but try this:

tail -f /var/log/logstash/logstash.log
and while that is running, restart the service:

service logstash restart
and see if any errors are getting logged when the restart happens or as logs come in.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Bitflogger
Posts: 226
Joined: Mon Oct 16, 2017 9:24 am

Re: Help needed with syslog SSL input

Post by Bitflogger »

Hello,

Yes, that is the document I used.

The firewalls were set up by my tech staff; I have no reason to suspect any problem there.

logstash.log was empty until I did the restart, then 3 lines came in from the restart.

I see data come in from the Linux client. I'm sure I have the port right on both sides.

I am not seeing any events in the query, after about 9:40 AM when I made the change. I went through the steps to configure it twice.

I see no more entries in logstash.log.

Earl
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Help needed with syslog SSL input

Post by cdienger »

Please provide the tcpdump if possible. You can PM it to me if there is any sensitive info.

We can enable debug logging for logstash by editing /etc/init.d/logstash and changing line 64 from:

DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS}"

to:

DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS} --debug"

Then restart it with:

systemctl daemon-reload
service logstash restart


Let it run long enough to capture data from the sending device and then disable debug logging and PM me the logstash.log as well as the sending device's IP address.
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Help needed with syslog SSL input

Post by cdienger »

Is the input listening on port 7778 like the document suggests? The tcpdump provided doesn't show anything on this port. A better command to see if it is coming in on this port would be:

tcpdump -i eth0 -nnvXSs 0 host 10.25.13.37 and port 7778
Bitflogger
Posts: 226
Joined: Mon Oct 16, 2017 9:24 am

Re: Help needed with syslog SSL input

Post by Bitflogger »

Hello,

I still have files backing up on the source CentOS 7 server, in /var/lib/rsyslog, which should be going to my NLS server.

I tried the signing step again, sending the syslog-ca.pem file over and restarting rsyslog.

I know this works when I set it up for non-secure transmission.

I can access the 7778 port on the NLS server using TCP from the client server.

What can I check to resolve this?

Earl
Bitflogger
Posts: 226
Joined: Mon Oct 16, 2017 9:24 am

Re: Help needed with syslog SSL input

Post by Bitflogger »

Hello,

Installing rsyslog-gnutls on the client server corrected the problem.

Thanks for your time!

Please lock the case.

Earl
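
A check for the failure this thread ended on, as an added example that is not part of the original posts: the client's rsyslog configuration selects the gtls netstream driver, but the driver module installed by the rsyslog-gnutls package is absent, so TLS forwarding never starts. The function name, its return codes, and the configuration file and module directory passed to it are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks an rsyslog TLS client setup for
# the condition resolved above: gtls configured, gtls driver module missing.
#
# Usage (paths are assumptions; pass the file that holds your TLS directives):
#   check_rsyslog_tls /etc/rsyslog.conf /usr/lib64/rsyslog
#
# Return codes (chosen for this example):
#   0 ok, 1 gtls not configured, 2 gtls module missing, 3 CA file not readable
check_rsyslog_tls() {
    conf=$1
    moddir=$2

    # Legacy-format directive that selects the TLS netstream driver.
    # Matching is done in lower case to tolerate differences in capitalisation.
    driver=$(awk 'tolower($1) == "$defaultnetstreamdriver" { print $2 }' "$conf" | tail -n 1)
    if [ "$driver" != "gtls" ]; then
        echo "no '\$DefaultNetstreamDriver gtls' directive in $conf"
        return 1
    fi

    # The gtls driver is a loadable module shipped by the rsyslog-gnutls package.
    if [ ! -f "$moddir/lmnsd_gtls.so" ]; then
        echo "gtls is configured but $moddir/lmnsd_gtls.so is missing (install rsyslog-gnutls)"
        return 2
    fi

    # CA certificate the client uses to verify the log server.
    cafile=$(awk 'tolower($1) == "$defaultnetstreamdrivercafile" { print $2 }' "$conf" | tail -n 1)
    if [ -z "$cafile" ] || [ ! -r "$cafile" ]; then
        echo "CA file '${cafile:-<unset>}' is not readable"
        return 3
    fi

    echo "ok: gtls driver present, CA file $cafile readable"
    return 0
}
```

A return code of 2 on a client whose spool directory keeps growing points at the missing package rather than at certificates or the firewall.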
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Help needed with syslog SSL input

Post by scottwilkerson »

Bitflogger wrote:
Hello,

Installing rsyslog-gnutls on the client server corrected the problem.

Thanks for your time!

Please lock the case.

Earl

Great!

Locking