Supported TLS ciphers

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
mfur
Posts: 8
Joined: Mon Mar 27, 2017 5:15 am

Supported TLS ciphers

Post by mfur »

We are running Nagios Log Server 1.4.4 and have not been receiving any logs from Bluemix for the past weeks. The response from Bluemix support about the issue is that the supported TLS ciphers in loggregator have changed to the following:
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Nagios input configuration:

tcp {
    # Logstash tcp input listening for the Bluemix log stream
    type => 'bluemix'
    port => 5545
    # CA used to verify the client, plus this server's own certificate and key
    ssl_cacert => "/etc/pki/tls/certs/rootCA.pem"
    ssl_cert => "/etc/pki/tls/certs/device-nls.crt"
    ssl_key => "/etc/pki/tls/private/device-nls.key"
    ssl_enable => true
}
How to resolve the issue? Thank you.
mcapra
Posts: 3739
Joined: Thu May 05, 2016 3:54 pm

Re: Supported TLS ciphers

Post by mcapra »

This appears to be a known issue with the logstash-input-tcp plugin:
https://github.com/logstash-plugins/log ... /issues/72

You could pass the (unencrypted) Bluemix traffic off to a local rsyslog or Beats instance, then have those intermediaries use a compatible cipher suite and be responsible for the encryption and shipping to Nagios Log Server. However, if those specific cipher suites are a business requirement, that is a non-starter.
Former Nagios employee
https://www.mcapra.com/
tacolover101
Posts: 432
Joined: Mon Apr 10, 2017 11:55 am

Re: Supported TLS ciphers

Post by tacolover101 »

To add on to what @mcapra mentioned: I imagine you could also accomplish this using a load balancer / reverse proxy to preserve the SSL connection and pass it on to NLS from there. (This could allow you to meet the potential business requirement.)
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Supported TLS ciphers

Post by cdienger »

Hi mfur,

Did mcapra's and taco's suggestion help?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
mfur
Posts: 8
Joined: Mon Mar 27, 2017 5:15 am

Re: Supported TLS ciphers

Post by mfur »

Thank you for your insights. Unfortunately that means there is no easy solution for us. A local rsyslog instance is not an option at the source at Bluemix. I am looking at ways to terminate the TLS connection at the destination server and pass it on to NLS as @tacolover101 suggested. Any practical ideas? Could OpenSSH (a tunnel) accomplish that?
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Supported TLS ciphers

Post by cdienger »

Configuring rsyslog to accept inbound secure connections should be doable but would require some custom config and possibly upgrading the existing version and other components. This could lead to other problems on the box, so I'd suggest testing this on a lab machine first if possible. Bluemix appears to also be able to push logs via https, so the same could be said for the local Apache install.

Once the machine is able to get the logs from Bluemix, you could use the syslog (https://www.elastic.co/guide/en/logstas ... yslog.html) or file (https://www.elastic.co/guide/en/logstas ... -file.html) inputs to import the logs into the local NLS.
mfur
Posts: 8
Joined: Mon Mar 27, 2017 5:15 am

Re: Supported TLS ciphers

Post by mfur »

To anyone facing the same issue: installing HAProxy on the same server that runs Nagios Log Server and configuring it to terminate the TLS connection and forward the data to Nagios solved the issue for us. Setting up HAProxy is simple.

haproxy.cfg example configuration:

global
        maxconn         10000
        stats socket    /var/run/haproxy.stat mode 600 level admin
        log             127.0.0.1 local2
        chroot          /var/empty
        daemon

# TLS is terminated here; the combined PEM holds the server certificate and key
frontend public
        bind            *:5545 ssl crt /etc/pki/tls/private/device-nls-combined.pem
        mode            tcp
        log             global
        option          dontlognull
        maxconn         8000
        timeout client  30s

        default_backend nagioslogserver

# plaintext hop to the Logstash tcp input on the same host
backend nagioslogserver
        server          localnagios localhost:6545 check
        timeout connect 5s
        timeout server  30s
        timeout queue   30s
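Before relying on a TLS-terminating proxy like the one above, it is worth checking two things on the proxy host: that its OpenSSL build can actually negotiate the four suites loggregator now requires, and, once the proxy is up, that a handshake restricted to each of those suites succeeds against port 5545. The script below is an added example and is not code from this thread, from HAProxy or from Nagios. The four IANA suite names come from the first post; the IANA-to-OpenSSL name table, the helper names and the `probe_server` function are this example's own, and it assumes only the Python standard library.

```python
"""Check TLS cipher suite support for a log-forwarding proxy host.

Added example (not from the Nagios forum thread, HAProxy or Logstash).
The four suite names are the ones quoted from Bluemix support; the
name translation table and helper functions are this example's own.
"""
import socket
import ssl

# IANA suite names (as quoted in the thread) -> OpenSSL cipher names.
IANA_TO_OPENSSL = {
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256": "DHE-RSA-AES128-GCM-SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}

REQUIRED_SUITES = list(IANA_TO_OPENSSL)


def to_openssl_names(iana_names):
    """Translate IANA suite names to OpenSSL names (KeyError on unknown names)."""
    return [IANA_TO_OPENSSL[name] for name in iana_names]


def haproxy_ciphers_option(iana_names):
    """Colon-separated OpenSSL list, the format HAProxy's `ciphers` keyword expects."""
    return ":".join(to_openssl_names(iana_names))


def locally_supported(iana_names):
    """Return the subset of iana_names the local OpenSSL can offer for TLS 1.2.

    set_ciphers() raises SSLError when none of the names is known to the
    library; get_ciphers() then lists what was actually enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # The listed suites are TLS 1.2 suites, so pin the version for the check.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(haproxy_ciphers_option(iana_names))
    except ssl.SSLError:
        return []
    enabled = {c["name"] for c in ctx.get_ciphers()}
    return [n for n in iana_names if IANA_TO_OPENSSL[n] in enabled]


def probe_server(host, port, iana_names, timeout=5.0):
    """One handshake per suite against host:port; True where the suite was negotiated.

    Diagnostic only: certificate verification is switched off because the
    question here is cipher negotiation, not trust. Do not reuse this
    context for real log shipping.
    """
    results = {}
    for name in iana_names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(IANA_TO_OPENSSL[name])  # offer exactly one suite
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.cipher()[0] == IANA_TO_OPENSSL[name]
        except (OSError, ssl.SSLError):
            results[name] = False
    return results


if __name__ == "__main__":
    print("HAProxy ciphers value:", haproxy_ciphers_option(REQUIRED_SUITES))
    print("Supported by local OpenSSL:", locally_supported(REQUIRED_SUITES))
    # Example probe of the proxy from the post above (hostname is a placeholder):
    # print(probe_server("nls.example.internal", 5545, REQUIRED_SUITES))
```

The string returned by `haproxy_ciphers_option` can be appended to the `bind` line as `ciphers <list>` (or set once in `global` with `ssl-default-bind-ciphers`) so the frontend accepts only the suites the log source requires; without it HAProxy falls back to OpenSSL's default list, which is broader than the four named above.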
kyang

Re: Supported TLS ciphers

Post by kyang »

Glad you were able to solve this and post the answer! We will be closing this topic as resolved!

If you have more questions, feel free to create another thread!

Thank you for using the Nagios Support Forums!